‘Robin Hood’ code robs cashed-up UK bank accounts

Cybercriminals have used a new, targeted version of banking trojan Zeus to pilfer £675,000 (A$1.17 million) from online customers of one UK bank.

The attack was traced to servers in the Eastern European Republic of Moldova, where Zeus v3 had been transferring money from 3,000 compromised personal and corporate banking accounts since July 5.

Zeus v3 was installed on victims' PCs using the Eleonore and Phoenix exploit kits, which take advantage of vulnerabilities in Internet Explorer, Java and Adobe Reader.

The kits were distributed by local news and events pages via compromised third party sites, including Yahoo's advertisement management platform, yieldmanager.com.

Once installed, Zeus v3 intercepted and analysed victims' online banking transactions, using a "Robin Hood" system to identify accounts with more than £800 (A$1,387), and initiating fraudulent money transfers from those accounts.

M86 Security's VP of Technical Strategy Bradley Anstis, who was involved in discovering the breach, described it as a sophisticated "man in the browser" attack.

M86 researchers in Israel and New Zealand detected the Moldova servers when analysing data collected by its free SecureBrowsing plugin, which had more than 35,000 users worldwide, including 5,000 in the UK.

The researchers exploited "bugs" in the malware to uncover its purpose, and "shied away pretty quickly" upon discovering details of illicit bank transactions, Anstis said.

Two weeks ago, the attack was referred to the UK police and bank, which cannot yet be named.

Anstis noted that the malware was not identified by commonly used anti-virus software including products from Kaspersky, McAfee, Fortinet and Symantec.

It may have thus bypassed free antivirus software provided to customers of UK banks such as Barclays (Kaspersky) and HSBC (McAfee). Additionally, the malware had not directly infected any banking websites.

"That's really scary when you think about what we don't know about these attacks," Anstis told iTnews. "We hadn't seen Zeus so targeted at a single financial institution so far."

Anstis said banking customers could protect themselves from such attacks by blocking third-party online banking transfers and using telephone banking and ATMs to check on their account balances.

Using lesser-known browsers and document readers may also reduce users' chances of infection, he said.