Online bank fraud


24 replies to this topic

#1 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 June 2012 - 01:54 PM

FYI...

Online bank fraud automation increases
Bank malware-server-hosted scripts automate the process
- https://www.computer...tion_techniques
June 26, 2012 - "Cybercriminals attempted to steal at least $75 million from high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication... The new fraud automation techniques are an advancement over the so-called man-in-the-browser (MitB) attacks performed through online banking malware like Zeus or SpyEye. Banking malware has long had the ability to inject rogue content such as forms or pop-ups into online banking websites when they are accessed from infected computers. This feature has traditionally been used to collect financial details and log-in credentials from victims that could be abused at a later time. However, attackers are increasingly combining malware-based Web injection with server-hosted scripts in order to piggyback on active online banking sessions and initiate fraudulent transfers in real time... The externally hosted scripts called by the malware are designed to work with specific online banking websites and automate the entire fraud process. They can read account balances and transfer predefined sums to money mules... The fraud automation scripts also allow cybercriminals to bypass two-factor authorization systems implemented by banks for security purposes. The malware -intercepts- the authentication process and captures the one-time password generated by the victim's bank-issued hardware token and uses it to perform the fraud in the background. Meanwhile, the user is shown a "please wait" message on the screen..."
___

Criminal malware webinjects priced 'per feature' ...
- https://www.trusteer...stom-webinjects
June 26, 2012 - "... criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by Trend Micro researchers last week*... In this model, webinjects were developed for specific malware platforms such as Zeus and SpyEye, and priced per platform. Certain platforms commanded a higher price for webinjects. This pricing system was followed with bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinjects costs were determined by the geographic location of the target they were designed to attack. That was followed by production cost pricing, where sellers offered cheaper pre-made Webinjects and charged a premium for custom-based webinjects... This latest development in webinject marketing (?) illustrates how the underground marketplace is following traditional software industry pricing schemes by offering a la carte and complete “suite” pricing options. Unfortunately, buying high quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud... Criminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud. And according to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is for fraudsters to find those that succeed."
* http://blog.trendmic...ansfer-systems/
___

Customized Webinjects for Zeus and SpyEye Trojans on sale
- http://atlas.arbor.n...ndex#-708662453
June 28, 2012
The underground market for financial fraud malware continues to innovate and offer solutions to criminals.
Analysis: Banking trojans have been around for years and show no signs of disappearing. Described here are various plugins to extend the functionality of the fraud operation. Plugins such as Balance grabber for $50-100, Balance replacer for $200-300, TAN grabber $150-200, Additional passwords (steals other passwords on the infected system) for $100-200, alerting (keeps the botmaster informed of malware interactions) $100-200 and AZ (to provide for fully automated financial fraud) for $1500-2000.
Source: https://www.net-secu...ews.php?id=2163

- http://news.cnet.com...s-to-the-cloud/
June 30, 2012

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 02 July 2012 - 06:45 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 AplusWebMaster


Posted 18 July 2012 - 04:02 PM

FYI...

Realtime Credential Theft - risk engines won’t catch ...
- https://www.trusteer...-catch-this-one
July 18, 2012 - "... malware was identified using Trusteer Pinpoint, which is a server-based malware detection tool that identifies the presence of malware on all devices initiating an online banking session. The bank discovered that the user in question had not logged into their online bank account around the time the malware was identified, and therefore did not understand how malware could have been detected on the user’s device... malware on the user’s device captured the user’s credentials at login and immediately communicated the credentials to the fraudster’s command and control center... the malware requested the user’s one time password (OTP) at login even though the user logged in from their regular device. At the same time, the malware -blocked- the user’s credentials from being submitted to the bank and instead injected a page notifying the user that the bank web site was temporarily down...
Injected Malware Message to the Online Banking Web Site:

[Image not preserved]

Banks use these risk-based analytic tools to detect a variety of anomalous conditions that could be indicative of fraud. These risk engines are often used to identify credential theft by looking for multiple devices simultaneously logged into a single account, as well as successive user logins from locations that are geographically too far apart for an account owner to possibly travel within the given timeframe. When either of these conditions is met, the bank can quickly identify that fraud is being attempted and take appropriate actions. However, because fraudsters tend to be a persistent and innovative bunch, they have developed new approaches to circumvent these detection techniques... Based on the log file, we see that 6 days after accessing the account, the user logged in on an unrecognized device from a new location. Users commonly change devices and frequently travel, so this situation was flagged by the bank’s real-time risk engine for secondary authentication. The user successfully entered a one-time-password (OTP) and was allowed to log in. However, things are not always as they appear... Because the credential transmission was blocked, the bank’s risk engine only saw one new login attempt – the fraudulent one... By doing so, the criminals greatly increase the likelihood of avoiding detection and successfully committing fraud. Criminals often use session blocking MitB to access commercial accounts that require a one-time-password (OTP) for login. Using available malware, such as Zeus or SpyEye, cyber-criminals can capture the complete set of login credentials, including OTPs, immediately log into a compromised account before the OTP expires, and block the legitimate user login attempt from reaching the bank..."

:ph34r: :( :huh:

Edited by AplusWebMaster, 22 July 2012 - 06:15 AM.
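The two risk-engine checks described in the quoted report (several devices on one account at once, and successive logins too far apart to travel between), written out as an added example that is not part of the original post or of any vendor's product. The thresholds, field names, coordinates and log records are constructed assumptions. It runs both checks over a classic stolen-credential replay and over the session-blocking case, where the bank's log holds only one new login.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds, chosen for illustration only.
MAX_SPEED_KMH = 900.0                # faster than this between logins = impossible travel
SESSION_TTL = timedelta(minutes=30)  # a login counts as an active session for this long


@dataclass(frozen=True)
class Login:
    ts: datetime
    account: str
    device: str
    lat: float
    lon: float
    otp_ok: bool = False  # True only when a step-up OTP was requested and verified


def km_between(a, b):
    """Great-circle distance between two logins (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def findings(history, new):
    """Evaluate `new` against earlier logins the bank actually recorded."""
    prior = sorted((l for l in history if l.account == new.account and l.ts <= new.ts),
                   key=lambda l: l.ts)
    out = []
    if new.device not in {l.device for l in prior}:
        out.append("new_device")
    # Check 1: another device still has a live session on the same account.
    if any(l.device != new.device and new.ts - l.ts < SESSION_TTL for l in prior):
        out.append("concurrent_devices")
    # Check 2: distance from the previous login cannot be covered in the elapsed time.
    if prior:
        last = prior[-1]
        hours = (new.ts - last.ts).total_seconds() / 3600
        dist = km_between(last, new)
        if dist > 50 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
            out.append("impossible_travel")
    return out


def decide(history, new):
    """Return (decision, findings). A new device alone only triggers step-up."""
    f = findings(history, new)
    if "concurrent_devices" in f or "impossible_travel" in f:
        return "deny", f
    if "new_device" in f and not new.otp_ok:
        return "deny", f
    return "allow", f


# Constructed sample data: one account, a known device in Berlin, an unknown one in New York.
BERLIN = (52.52, 13.40)
NEW_YORK = (40.71, -74.01)


def classic_replay():
    """The user's own login reaches the bank; stolen credentials are used 10 minutes later."""
    history = [Login(datetime(2012, 7, 10, 9, 0), "acct-1", "laptop-A", *BERLIN)]
    new = Login(datetime(2012, 7, 10, 9, 10), "acct-1", "unknown-X", *NEW_YORK, True)
    return history, new


def blocked_session():
    """The user's login on 10 July never reached the bank, so the last record is 6 days old."""
    history = [Login(datetime(2012, 7, 4, 9, 0), "acct-1", "laptop-A", *BERLIN)]
    new = Login(datetime(2012, 7, 10, 9, 10), "acct-1", "unknown-X", *NEW_YORK, True)
    return history, new


if __name__ == "__main__":
    for name, scenario in (("classic replay", classic_replay), ("blocked session", blocked_session)):
        print(name, decide(*scenario()))
```

In the second scenario the only finding is a new device, which the captured OTP satisfies, so both server-side checks stay silent. That is the gap the report describes and why it points to detection on the endpoint as well.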



#3 AplusWebMaster


Posted 28 July 2012 - 10:14 AM

FYI...

Major Banks infected with Conficker, Zeus, Fake AV ...
- http://atlas.arbor.n...ndex#-250023084
Severity: Elevated Severity
July 27, 2012 16:27
Some recent stats show large organizations continue to struggle with malware problems, including re-infection.
Analysis: One of the problems with re-infection is that compromised machines are sometimes not dealt with well, as people seek to save time and "clean" infections from a machine and then put the system back into service... it is always risky to "clean" a system as there could be other malware present and the malware that makes the noise and is easily found could just be the tip of the iceberg. An epidemic of re-infection indicates that security practices need review and additional resources may be needed in this difficult fight against cyber criminals and cyber-espionage.
Source: http://www.darkreadi...le/id/240004457
"... 18 of the 24 largest banks around the world suffer from infamous malware, such as Conficker, DNS Changer, Gameover Zeus, BlackHole Exploit Kit, and fake antivirus, according to new data... Lookingglass Cyber Solutions yesterday released the new data on banks, which it says demonstrates a trend in reinfections, many of which are caused by supply-chain partners. Sourcefire... found that more than 65 percent of users infected with malware were reinfected two or more times. Around 1.6 percent of users are polluted with more than 100 different infections..."

:ph34r: <_< :ph34r:



#4 AplusWebMaster


Posted 31 July 2012 - 08:55 AM

FYI...

Bank trojan silently hacks into Enterprises
- http://www.trusteer....nto-enterprises
July 31, 2012 - "... engineering and mathematical software firm Maplesoft reported that its administrative database was breached. While specific details are not yet available, the breach may have been the result of an employee with access rights to the database becoming infected with the well-known Zeus Trojan or other malware with key logging capability such as Dark Comet and Poison Ivy remote access tools (RATs). This attack demonstrates the ease with which a corporate network can be compromised. The breach was apparently only discovered because Maplesoft customers reported receiving phishing emails. Otherwise the attack could have gone undetected for an extended period of time. In this incident, the attackers seemed primarily interested in conducting banking fraud since reports indicate they only compromised an email database and were then trying to distribute Zeus, which is often used for online banking fraud, to the stolen addresses... they could have easily conducted corporate espionage once inside the network. The criminals may even be planning to steal secrets from companies that fall victim to the subsequent Phishing attack they have launched against Maplesoft's customers. Using information looted from the database, they sent e-mails that advised customers to install a Maplesoft patch, which was in fact the Zeus Trojan. This attack illustrates how financial malware is now "crossing over" to silently target enterprises. Using social engineering techniques like the software update ploy described above, it is easy to see how criminals can get a toe hold inside corporate networks. From there, it is trivial for the malware to steal user credentials that provide unrestricted access to sensitive databases, applications and files. This is a worrisome trend since an attacker with valid user credentials can silently pillage a company’s intellectual assets and be long gone before the compromise is ever discovered – if at all. 
Endpoint cybercrime prevention tools, like those being used to protect online banking sessions, are the most effective way to secure employee machines against sophisticated malware like Zeus, SpyEye, and others, that now target enterprises directly."

> http://www.maplesoft.com/security/
"... perpetrators appear to be using email addresses they have taken from the database to spread viruses or malware. The perpetrators are posing as Maplesoft in an attempt to have individuals they email click on a link or download a malicious piece of software. Recipients should not respond to these emails and they should not open any attachments or click on any download links. These emails should be deleted immediately..."

:( :ph34r: <_<

Edited by AplusWebMaster, 31 July 2012 - 09:09 AM.



#5 AplusWebMaster


Posted 06 September 2012 - 06:27 AM

FYI...

Online banking trojan has designs on chipTAN users
- http://h-online.com/-1701688
6 Sep 2012 - "The Tatanga trojan has come up with a new way of ripping off online banking users in Germany by deceiving users of the chipTAN system. TANs, transaction authentication numbers, are one-time authentication numbers generated in various ways and used to validate banking transactions. Tatanga already had a reputation for attacking mobile TAN systems (mTAN) that use SMS to send through a TAN number. ChipTAN is a different system which requires that a bank card is inserted into a device which is then held against the screen. The bank then flashes the display to transfer information about the current transaction to the device which in turn generates a TAN for the current transaction. According to a report by virus experts Trusteer*, Tatanga can get the TAN number from a chipTAN user by tricking them into thinking that the bank is testing the chipTAN system. When a user logs into their bank account, the trojan checks the user's account details in the background and selects an account from which it can take the most money. It then begins a transfer, but to complete that transfer it needs a TAN. Tatanga injects code into the user's bank web browsing explaining that the bank is performing a chipTAN test... If the user follows these instructions, they end up entering a TAN number into the system which Tatanga uses to complete its transaction. Even though the device will show details of the bogus transaction, the fraudsters ensure that the victim compares it with matching details displayed on the screen as part of the -fake- test process. When the transaction is complete, Tatanga then takes steps to obscure the transaction in the victim's transaction history so they won't be alerted to the fraudulent transaction."
* http://www.trusteer....ptan-weaknesses

:ph34r: <_< :ph34r:



#6 AplusWebMaster


Posted 20 September 2012 - 02:40 PM

FYI...

Attacks targeting Bank Employees
- http://www.trusteer....-bank-employees
Sep 20, 2012 - "This week the FBI warned* financial institutions against malware attacks that are targeting their employees to steal login credentials. Although financial malware such as Zeus and SpyEye have been used to attack online banking customers for years, using these tools to perpetrate fraud directly against financial institutions by compromising bank employee accounts is relatively new... With their livelihood at stake, criminal gangs are now looking to get a foothold deep inside financial institutions to bypass controls that are standing in the way of their financial fraud schemes. They are now attacking bank employees with the same advanced malware and extensive mule and money laundering processes used to commit fraud against online banking users... Most financial institutions implement controls like anti-virus protection on endpoint devices and Intrusion Prevention Systems (IPS) on the network – both of which are evaded by malware kits that are readily available in the underground market. Trusteer Intelligence has found that the infection rate of enterprise endpoints can reach up to 4% (calculated on annual basis)...
(See chart below):
> http://www.trusteer....reenShot129.png
... They all used garden variety financial malware Trojans like Zeus (or one of its many derivatives) and SpyEye. This FBI report specifically mentions two types of malware attacks: Keylogging and Remote Access Tools (RAT). While Keylogging has existed for many years, RATs are a relatively new addition to financial malware (e.g. Zeus) toolkits. They have been specifically added to enable pre attack reconnaissance and attacks on non-browser based applications on employee endpoints... Organizations should implement security controls that prevent and remove malware infections, and stop Keylogging, Screen Capturing and Remote Access Trojans activity..."
* http://www.ic3.gov/m...alsTargeted.pdf
___

> http://www.reuters.c...E88P1F520120927
Sep 26, 2012

- http://arstechnica.c...inated-in-iran/
Sep 21, 2012

- https://www.computer...st_cyberattacks
Sep 20, 2012

- http://www.reuters.c...E8KJAZS20120920
Sep 20, 2012

Automated Toolkits Named in Massive DDoS Attacks Against U.S. Banks
- https://threatpost.c...us-banks-100212
Oct 2, 2012
___

Botmasters recruited for attack on Banks ...
- http://forums.whatth...=...st&p=800538
Oct 4, 2012

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 05 October 2012 - 03:40 PM.



#7 AplusWebMaster


Posted 05 October 2012 - 03:42 PM

FYI...

Universal Man in the Browser attack targets all websites
- http://www.trusteer....ts-all-websites
Oct 03, 2012 - "... discovered a new Man in the Browser (MitB) scam that does not target specific websites, but instead collects data submitted to -all- websites without the need for post-processing... Traditional MitB attacks typically collect data (login credentials, credit card numbers, etc.) entered by the victim in a specific web site. Additionally, MitB malware may collect all data entered by the victim into websites, but it requires post-processing by the fraudster to parse the logs and extract the valuable data. Parsers are easily available for purchase in underground markets, while some criminals simply sell off the logs in bulk. In comparison, uMitB does not target a specific web site. Instead, it collects data entered in the browser at all websites and uses “generic” real time logic on the form submissions to perform the equivalent of post-processing. This attack can target victims of new infections as well as machines that were previously infected by updating the existing malware with a new configuration. The data stolen by uMitB malware is stored in a portal where it is organized and sold... The impact of uMitB could be significant since information stolen in real-time is typically much more valuable than “stale” information, plus it eliminates the complexities associated with current post-processing approaches. As always, the best protection against financial fraud attacks that use uMitB, MitB, Man-in-the-Middle, etc. is to secure the endpoint against the root cause of these problems – malware."

- http://www.h-online....iew=zoom;zoom=1
___

Botmasters recruited for attack on Banks ...
- http://forums.whatth...=...st&p=800538
Oct 4, 2012

:ph34r: <_<

Edited by AplusWebMaster, 05 October 2012 - 03:44 PM.



#8 AplusWebMaster


Posted 24 October 2012 - 10:04 AM

FYI...

Citadel Trojan Variant - new features (October 18 & 19, 2012)
- https://www.sans.org...issue=85#sID307
"A new variant of the Citadel Trojan horse program targets organizations in the financial industry. Citadel first appeared in January 2011; this version, known as the Rain Edition, marks the sixth release of the malware. It includes new features that make it more dangerous, including a dynamic configuration mechanism, which makes the malware more difficult to detect and helps it spread more rapidly."

:ph34r: :ph34r:



#9 AplusWebMaster


Posted 15 November 2012 - 09:25 PM

FYI...

Berlin Police: Beware Android Banking Trojans
- http://www.f-secure....s/00002457.html
Nov 15, 2012 - "The Berlin Police Department issued a press release this past Tuesday about criminal complaints of fraudulent cash withdrawals. All of the cases involved SMS mTans* and Android smartphones... An important thing to realize about Zitmo is that it isn't "mobile" malware as such. Rather, Zitmo is a companion/complement component to a Windows based ZeuS bot. Zitmo works with its Windows based ZeuS when the bank customer has SMS mTans as an additional layer of authentication. To counter the mTan layer of security, ZeuS bots will inject a "security notice" form during a banking session asking the customer for their phone model and number. The bad guys will then send an SMS link to a so called "security update", which is actually the Man in the Mobile component needed to circumvent the mTan. There are plenty of ZeuS bots in the wild... The Berlin Police Department recommends that citizens be skeptical of "security updates" claiming to come from one's bank and to defend your home computer. Which includes, by the way, having an up to date antivirus service installed."
* https://en.wikipedia..._TAN_.28mTAN.29

:ph34r: <_< :ph34r:



#10 AplusWebMaster


Posted 19 November 2012 - 03:49 PM

FYI...

MoneyGram fined $100 Million for Wire Fraud
- https://krebsonsecur...for-wire-fraud/
Nov 19, 2012 - "A week ago Friday, the U.S. Justice Department announced* that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized business, but incredibly this settlement appears to be -unrelated- to these cyber heists. According to the DOJ, the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’ In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system”... The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing... The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems... The DOJ further said that to oversee implementation and maintenance of these terms, and to evaluate the overall effectiveness of its anti-fraud and anti-money laundering programs, MoneyGram has agreed to retain an independent corporate monitor who will report regularly to the Justice Department..."
* http://www.justice.g...2-crm-1336.html

:ph34r: :ph34r: <_<



#11 AplusWebMaster


Posted 21 November 2012 - 12:59 PM

FYI...

"High Roller" trojan targets SEPA transactions - Single Euro Payments Area
- http://h-online.com/-1754446
21 Nov 2012 - "Cyber-criminals are targeting the European SEPA payments network, according to a report* from security specialist McAfee. Within the EU, SEPA transactions are uncomplicated because they make no distinction between domestic and cross-border transactions. In this case, that also benefits the online crooks who usually transfer money from the victim's account to foreign bank accounts. The report says the malware involved is part of "Operation High Roller"** where criminals extracted large sums from business accounts. Unlike traditional online banking fraud, which uses trojans such as ZeuS and SpyEye, the crooks infect only a small number of specific specialist computers with malware in order to get at money. This reduces the risks of detection considerably. In the current case, the scam only infected about a dozen customers. The malware acts in a remarkably similar manner to how ZeuS and others work: after infection it inserts itself into the system's browser and waits for a user to access their bank's web site. Once there, the pest adds its own JavaScript code, called Web Injects, to perform the fraudulent withdrawals. The malware takes its instructions from a command and control server which is, McAfee says, located in Moscow. The software is hard-coded to withdraw amounts ranging between €1,000 and €100,000 depending on the balance of the account. Examination of log entries from the control panels of the command server showed that at least one of the banks being targeted would have seen an estimated €61,000 of attempted SEPA transactions to mule accounts..."
* http://blogs.mcafee....om-german-banks
"... Conclusion: Although many of the basic threat techniques haven’t changed much, new ways of targeting a financial institution’s online channel continue to grow. The fraudsters are looking for different angles to exploit: these can be anything from the processing times in ACH payments that allow them to get funds to mules quickly, to the lack of two-factor authentication associated with outgoing wires. In this case, the fraudsters have evolved from automated wire transactions to different types of payment channels. We don’t expect Operation High Roller activity to disappear anytime soon, so it’s important that we stay vigilant for these attacks."

** http://h-online.com/-1626663
27 June 2012

:ph34r: :ph34r: <_<



#12 AplusWebMaster


Posted 29 November 2012 - 06:11 AM

FYI...

Bank Robbers for Hire - Online Service...
- https://krebsonsecur...bbers-for-hire/
Nov 29, 2012 - "An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise. The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York... as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity... The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees)... The service also can be hired to drain bank accounts using counterfeit debit cards obtained through ATM skimmers or hacked point-of-sale devices. The complicit mules will even help cash out refunds from phony state and federal income tax filings — a lucrative form of fraud that, according to the Internal Revenue Service, cost taxpayers $5.2 billion last year*... It’s worth noting that the stereotypical complicit mule traditionally has been a student from Russia or Eastern Europe who is here in the United States on what’s known as a J1 visa, meaning they have the legal right to work for a few months and travel the country for a short time before heading back home. In 2010, the U.S. Justice Department targeted one such network in New York City, charging more than three dozen J1s with knowingly assisting in the theft of funds from organizations that had been victimized by cyber fraud. Most of those charged in that case were either incarcerated or deported, but federal investigators familiar with the crime say there are J1 money mule recruitment networks in nearly every major city in the United States today."
* http://money.cnn.com...theft/index.htm


#13 AplusWebMaster

Posted 09 December 2012 - 08:38 AM

FYI...

mTAN fraud - Millions stolen ...
- http://h-online.com/-1763923
6 Dec 2012 - "The Zeus-in-the-Mobile (ZitMO) Trojan has apparently been used to steal as much as 36 million euros, 13 million in Germany alone, from more than 30,000 bank customers... A malicious program installed on an infected Windows computer began the process by monitoring and manipulating the victim's online banking sessions. In this seemingly trustworthy context, it would then ask for the user's mobile phone number and operating system in order to install 'an important security update'. Users who installed the apparent update that was sent to their mobile phone were really installing a Trojan that then proceeded to steal mobile TANs (mTAN) and forward them to the crooks...
> http://www.h-online....iew=zoom;zoom=2
... withdrawals were made from victims' accounts amounting to anything from 500 to 250,000 euros. In many cases, the attackers apparently continued to withdraw money to the full extent of authorised overdraft limits. The total of 36 million euros has not yet been confirmed by any other parties..."


#14 AplusWebMaster

Posted 10 December 2012 - 10:47 AM

FYI...

Liability shifts to the Bank ...
- http://www.trusteer....fts-to-the-bank
Dec 10, 2012 - "In May 2009, an unknown hacker gained access to Patco Construction’s online banking account at Peoples United Bank (d/b/a Ocean Bank). Patco claimed that the hacker somehow installed malware on a company PC to fraudulently obtain online banking credentials. The fraudster was then able to use the stolen credentials, including user ID, password, and answers to -three- challenge questions, to access a Patco employee’s online banking account. Over a five-day period, the hacker initiated fraudulent ACH and wire transfers totaling over $588,000... The appellate court’s final advice: 'On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement'... with two landmark cases ruling in favor of the commercial customer, legal precedent has also shifted away from financial institutions regarding online fraud incidents. With regulators and courts stepping in to protect SMBs, the days of banks using UCC 4A to deflect fraud liability to the customer are over... many banks are more concerned with peer bank comparisons and legal positioning than actually preventing fraud. We know malware-based fraud can be prevented in a cost effective, customer friendly, manageable and regulatory compliant fashion..."
___

DDoS attacks - U.S. financial services...
- http://ddos.arbornet...s-ddos-attacks/
Dec 13, 2012

Edited by AplusWebMaster, 14 December 2012 - 09:09 AM.


#15 AplusWebMaster

Posted 22 December 2012 - 07:54 AM

FYI...

Trojan steals data from US banks, customers...
Nearly half of detected infections are on financial institutions' servers.
- http://arstechnica.c...anks-customers/
Dec 21, 2012 - "Symantec has discovered a new piece of malware that appears to be targeting financial institutions and their customers in the US. Dubbed Trojan.Stabuniq by Symantec, the malware has been collecting information from infected systems—potentially for the preparation of a more damaging attack... Trojan.Stabuniq* appears to be aimed at a very specific set of victims. While the number of reported systems compromised by the Trojan are relatively low, nearly 40 percent of the systems are financial institutions' mail servers, firewalls, proxies, and gateways. Half of the systems infected are consumer PCs, and the remainder of the detected infections are on systems belonging to network security companies — likely because they are evaluating the threat posed by the Trojan... The malware appears to be spread by a "phishing" attack through spam e-mail containing a link to the address of a server hosting a Web exploit toolkit. Once installed, it changes the Windows registry to disguise itself—usually as a Microsoft Office or Java component, or in the guise of an Internet Explorer "helper" module, InstallShield update scheduler, or sound driver agent—and makes sure it is activated at reboot. Then it collects information about the computer it has infected (including its computer name, IP address, the operating system version and which service packs are installed, and the names of running processes on the computer), and dumps that data to a command and control server at one of eight domain names**... it could be just a proof-of-concept for another attack in preparation for deployment of a much more malignant set of code."
* http://www.symantec....itution-servers

** https://www.symantec.../...-99&tabid=2
