Security researchers at Finjan tracked a cyber-gang that pilfered money from German bank accounts in summer 2009. The gang uses a Trojan dubbed URLZone that represents the next generation of banking malware.
Researchers at Finjan are shining a light on a sneaky banking Trojan behind the theft of roughly $439,000 (300,000 euros) from German bank accounts over a 22-day period.
Dubbed URLZone, the Trojan served as a digital lock pick for a sophisticated cyber-gang Finjan tracked from Aug. 11 to Sept. 1. Unlike many typical banking Trojans, URLZone goes beyond tricking victims into coughing up their banking credentials by inserting text boxes into online banking applications. It calls back to its C&C (command and control) server for instructions on how much money to steal without causing suspicion at the bank, and to which money mule account to send the money.
The URLZone Trojan also alters the victim's on-screen bank account statements in an effort to cover its tracks.
"In this case, the specific criteria that the Trojan received from its command and control center mark a whole new level of cyber-crime in the techniques used by cyber-criminals," Yuval Ben-Itzhak, CTO of Finjan, said in a statement Sept. 30. "Using these methods they successfully evade anti-fraud systems that banks deploy; we dubbed it the 'anti-anti-fraud.'"
The cyber-gang used the well-known LuckySploit crimeware tool kit to exploit victims' browsers and install the Trojan on their PCs. The gang did this via both malicious and compromised Websites, ultimately attracting roughly 96,000 visitors. Of those, researchers found that 6,400 were infected. Once URLZone is on a system, it logs credentials and activities of bank accounts, steals money from the compromised accounts and hides its activity in the report screen of the compromised account in real time.
"To avoid warning signs by anti-fraud systems at the bank, the money mule accounts are only used ... a limited number of times within a certain time frame," said the Finjan statement. "Since banks monitor large bank transfers, the amount of money deposited in a money mule account is predefined in order to stay under the radar."
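The statement describes exactly the pattern a bank's own counters are meant to catch: a beneficiary account that receives a handful of transfers, each sized to sit below the per-transfer review threshold, from several unrelated customers inside a short window. A per-transfer threshold misses it by design, and a per-payer velocity rule misses it because each victim pays the mule only once or twice. What exposes the shared mule is grouping by beneficiary across all payers. The following is an added illustration of such a cross-account check; it is not Finjan's code and not any bank's anti-fraud system, and the threshold, band, window, account names and transactions are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Transfer:
    when: datetime
    src: str      # paying customer account
    dst: str      # beneficiary account
    amount: float


# Assumed parameters; a real bank would tune these against its own traffic.
THRESHOLD = 10_000.0          # per-transfer amount that triggers manual review
BAND = 0.6                    # examine amounts in [BAND*THRESHOLD, THRESHOLD)
WINDOW = timedelta(days=7)    # how long a beneficiary stays "hot"
MIN_SOURCES = 2               # distinct payers needed to flag a beneficiary


def find_suspect_beneficiaries(transfers: Iterable[Transfer],
                               threshold: float = THRESHOLD,
                               band: float = BAND,
                               window: timedelta = WINDOW,
                               min_sources: int = MIN_SOURCES) -> Dict[str, List[Transfer]]:
    """Flag beneficiary accounts that receive sub-threshold transfers from
    several unrelated payers inside one time window.

    Returns, per flagged beneficiary, the longest run of transfers that
    fits in a single window and meets the distinct-payer rule.
    """
    low = band * threshold
    by_dst: Dict[str, List[Transfer]] = defaultdict(list)
    for t in transfers:
        if low <= t.amount < threshold:      # "just under the radar" amounts only
            by_dst[t.dst].append(t)

    suspects: Dict[str, List[Transfer]] = {}
    for dst, txs in by_dst.items():
        txs.sort(key=lambda t: t.when)
        start = 0
        for end in range(len(txs)):
            # slide the window start forward until the run spans at most `window`
            while txs[end].when - txs[start].when > window:
                start += 1
            run = txs[start:end + 1]
            if (len({t.src for t in run}) >= min_sources
                    and len(run) > len(suspects.get(dst, []))):
                suspects[dst] = run
    return suspects


# Constructed sample ledger (not real transaction data).
SAMPLE = [
    Transfer(datetime(2009, 8, 11), "CUST-A", "MULE-1", 7_800.0),
    Transfer(datetime(2009, 8, 12), "CUST-B", "MULE-1", 8_200.0),
    Transfer(datetime(2009, 8, 14), "CUST-C", "MULE-1", 7_500.0),
    Transfer(datetime(2009, 8, 12), "CUST-A", "LANDLORD", 1_200.0),    # below the band
    Transfer(datetime(2009, 8, 11), "CUST-D", "SAVINGS-D", 9_000.0),   # same payer twice
    Transfer(datetime(2009, 8, 13), "CUST-D", "SAVINGS-D", 9_000.0),
    Transfer(datetime(2009, 8, 11), "CUST-E", "MULE-2", 9_500.0),      # second payer arrives
    Transfer(datetime(2009, 8, 30), "CUST-F", "MULE-2", 9_100.0),      # outside the window
]


if __name__ == "__main__":
    for dst, run in find_suspect_beneficiaries(SAMPLE).items():
        payers = sorted({t.src for t in run})
        print(f"{dst}: {len(run)} transfers from {payers} within {WINDOW.days} days")
```

On the sample ledger only MULE-1 is flagged: three different customers paid it sub-threshold amounts within four days. SAVINGS-D is a single customer moving money between own accounts, and MULE-2's second payment lands too late to share a window with the first. Whether a seven-day window and two payers is the right trade-off between catch rate and false positives is a tuning question the page cannot answer; the structural point is that the grouping key has to be the beneficiary, not the payer.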
Communication between the Trojan and the C&C server was conducted over HTTP, with the data being XOR-encrypted. Law enforcement took down the servers after being notified of the scam by Finjan, but the Trojan tool kits remain in circulation in the cyber-underground.
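XOR against a fixed or repeating key hides the beacon from a casual look at the traffic, but it is obfuscation rather than encryption: one captured HTTP body plus a guess at a few bytes of plaintext is enough to recover the key and read everything else. The following added example (not Finjan's code, and not URLZone's actual wire format, which the article does not detail) shows the two standard ways an analyst strips such a layer from a captured body: recovering a repeating key from a known-plaintext fragment (a "crib"), and brute-forcing a single-byte key by scoring how plausible each candidate decode looks. The beacon body, the keys and the expected character set are all assumed for the demonstration.

```python
from itertools import cycle
from typing import List, Optional, Tuple

# Constructed sample beacon body and keys; neither is URLZone's real format.
PLAINTEXT = b"id=bot0001&bank=example&balance=1234.56&cmd="
KEY = b"\x5a\xc3\x19\x77"   # assumed 4-byte repeating key
SINGLE_KEY = b"\x5a"        # assumed single-byte key for the brute-force case

# Bytes we expect in a key=value beacon; anything else lowers plausibility.
EXPECTED_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789=&-.")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. The same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_with_crib(ciphertext: bytes, crib: bytes, offset: int,
                          key_len: int) -> Optional[bytes]:
    """Derive a repeating key of length key_len from a known plaintext
    fragment (crib) believed to sit at `offset` in the ciphertext.

    Each crib byte fixes one key slot (position mod key_len). Returns None
    if the crib is too short to fill every slot, or if two crib bytes demand
    different values for the same slot (wrong key length or wrong offset).
    """
    slots: List[Optional[int]] = [None] * key_len
    for j, p in enumerate(crib):
        pos = offset + j
        if pos >= len(ciphertext):
            return None
        k = ciphertext[pos] ^ p
        slot = pos % key_len
        if slots[slot] is None:
            slots[slot] = k
        elif slots[slot] != k:
            return None
    if any(k is None for k in slots):
        return None
    return bytes(slots)  # type: ignore[arg-type]


def plausibility(candidate: bytes) -> int:
    """Count bytes that belong to the expected beacon alphabet."""
    return sum(1 for b in candidate if b in EXPECTED_BYTES)


def find_key_length(ciphertext: bytes, crib: bytes, offset: int,
                    max_len: int) -> Optional[int]:
    """Smallest key length for which the crib yields a consistent key
    whose full decode lies entirely within the expected alphabet."""
    for key_len in range(1, max_len + 1):
        key = recover_key_with_crib(ciphertext, crib, offset, key_len)
        if key is None:
            continue
        if plausibility(xor_bytes(ciphertext, key)) == len(ciphertext):
            return key_len
    return None


def brute_force_single_byte(ciphertext: bytes) -> Tuple[int, bytes]:
    """Try all 256 single-byte keys; return the most plausible decode."""
    best_key = max(range(256),
                   key=lambda k: plausibility(xor_bytes(ciphertext, bytes([k]))))
    return best_key, xor_bytes(ciphertext, bytes([best_key]))


if __name__ == "__main__":
    captured = xor_bytes(PLAINTEXT, KEY)              # what a sensor would see
    n = find_key_length(captured, b"id=bot", 0, 8)    # analyst's crib: "id=bot"
    key = recover_key_with_crib(captured, b"id=bot", 0, n)
    print("key length", n, "key", key.hex(), "->", xor_bytes(captured, key))
    k, body = brute_force_single_byte(xor_bytes(PLAINTEXT, SINGLE_KEY))
    print("single-byte key", hex(k), "->", body)
```

The crib only has to be as long as the key, so a stable prefix such as a bot identifier field is usually enough; trying candidate lengths in order and keeping the first one whose full decode is clean is what `find_key_length` does. The plausibility score is deliberately crude (count of bytes in the expected alphabet) because a key=value beacon is so constrained that any wrong key corrupts the separators, which is what makes single-byte XOR fall to a 256-iteration loop.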
"To avoid detection, cyber-criminals continue to improve their methodologies for stealing money and going under the radar from the victims and banks alike," Ben-Itzhak said. "With the combination of using sophisticated Trojans for the theft and money mules to transfer stolen money to their accounts, they minimize their chances of being detected."