URLZone touted as most sophisticated banking trojan yet

By Angela Moscaritolo on Oct 1, 2009 10:48AM

Able to steal money and banking credentials.

A new banking trojan called URLZone enabled cybercriminals to steal roughly US$439,000 ($A496,000) from German bank accounts during a recent 22-day crime spree, according to researchers at web security firm Finjan.

“So far, this is the most sophisticated bank trojan that we have seen,” Yuval Ben-Itzhak, CTO of Finjan, told SCMagazineUS.com.

Details of the URLZone trojan, which not only retrieves banking credentials but also steals money from compromised accounts, were revealed in the third issue of Finjan's 2009 Cybercrime Intelligence Report, released this week.

Other notorious banking trojans, such as Zbot, only aim to steal credentials, which later are used by attackers to log into a victim's account to steal money.

But with URLZone, the transaction takes place from an infected user's machine, Ben-Itzhak said. In addition, the trojan was crafted to include several sophisticated features that help attackers avoid detection by anti-fraud systems and victims.

The trojan began propagating in mid-August, according to Finjan. The malware writers used a software tool known as LuckySploit, available on hacking forums for US$100 to US$300, to inject vulnerable legitimate websites with malicious code that aims to install the trojan onto users' computers.

The malware exploited vulnerabilities in Internet Explorer (IE) 6, IE7, IE8, Firefox and Opera, Ben-Itzhak said. Out of 90,000 individuals who visited one of the compromised sites, 6,400 were infected with the trojan -- or one out of every 14 to 15 visitors.

Once a user was infected, the trojan received instructions from the attackers' command-and-control server, hosted in Ukraine, to steal a certain amount of money from the victim's bank account and transfer it to the account of a so-called “money mule.”

Money mules are individuals who have been unwittingly hired by cybercriminals under the guise of work-at-home schemes. They are tasked with transferring the stolen money, after a deduction of their own commission, into a bank account provided by the attacker.

Attackers also sent instructions to the trojan to ensure that the amount of money stolen did not deplete the victim's account and that a random amount was stolen in each transaction, indicating that the attackers understood banking anti-fraud systems, which are designed to detect unusual transactions.

In an even more sophisticated ploy, the trojan altered the victim's online banking page to change the amount of the transfer to a smaller number. In one transaction, the cybercriminals stole more than US$8,000, but to the victim it appeared as a US$53 transaction.

Finjan discovered the hub used in the attack on August 24, and it is no longer running, Ben-Itzhak said. German law enforcement was notified.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition