Stealthy Trojan Swipes Bank Log-ins, Financial Data from Thousands

Security researchers have uncovered a treasure trove of financial data stolen by a stealthy Trojan since 2006.

All totaled, the minds behind the Sinowal Trojan are believed to have stolen roughly 300,000 bank log-in credentials, as well as a similar amount of credit and debit card numbers and related personal information. The findings were detailed Oct. 31 by RSA FraudAction Research Lab. The Sinowal Trojan, also known as Torpig and Mebroot, dates back to 2006 and has been used to target more than 2,700 financial service domains worldwide.

In the past six months alone, the Trojan has compromised and stolen log-in credentials and other information from more than 100,000 online bank accounts, according to RSA, EMC’s security division.

The Trojan horse contains rootkit elements that infect a PC's MBR (master boot record), allowing it to slip past malware defenses. Once downloaded, Sinowal uses an HTML injection feature to inject new Web pages or information fields into the victim’s Web browser. When a user tries to visit one of the 2,700 domains, the fake site pops up instead and prompts the user for log-in or financial information.

RSA described it this way in a blog post: “Even though a prompt like this is not a novel approach to stealing credentials and other information—what struck us the most was the amount of URL 'triggers' that cause Sinowal to actually launch this prompt and other functions: Sinowal is triggered by more than 2,700 specific URLs, which means that this Trojan quickly moves into action when users access the Web sites of what are now hundreds of financial institutions worldwide.”

The compromised data belongs to customers of hundreds of financial institutions from around the world, including the United States, Canada, France, the United Kingdom, China and elsewhere.

The RSA Anti-Fraud Command Center has notified law enforcement as well as affected financial institutions.