- Specialized trojan malware targeting PCs used for internet banking is becoming prevalent.
- For example, the ZeuS and SpyEye trojans are both designed to infect a Windows PC and enlist it into a botnet of controlled machines, from which the operator harvests online banking usernames, passwords and credit card details.
What Happens During An Attack
- The trojan's credential-stealing component is triggered when the browser on the infected computer visits a bank website listed in the trojan's configuration; it then records account details, passwords and other confidential information entered during the session.
- Using the stolen credentials (or by riding the victim's live session), the attackers typically add one or more new employees or payee accounts belonging to "money mules".
- A transfer, usually between $1,000 and $10,000, is then made to each "money mule" account - a legitimate bank account held by a real customer. Individual transfers are kept small enough to resemble routine payroll or vendor payments.
- Owners of these "money mule" accounts have agreed to forward sums they receive to someone else after taking a cut. They are often unaware that they are involved in a crime, having been recruited through "work at home" scams offering easy money or given some other plausible reason why they are required to move the money.
- By the time the police have investigated the attack, the ultimate recipient will usually have collected the money, and is typically located outside the country of both the victim and the money mule.
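The cash-out pattern above (new payees created, then each paid a sum in the $1,000-$10,000 range within minutes) is something a bank or a company's own finance team can look for in the account's audit trail. The following is an added example, not code from the original page: it runs a simple detection rule over a constructed set of audit events. The account numbers, names and timestamps are made up, and the 7-day "new payee" window and 1-hour burst window are assumptions chosen for illustration; the amount range is the one quoted above.

```python
from datetime import datetime, timedelta

# Tunable thresholds. The amount range is the one quoted in the text; the
# payee-age and burst windows are assumptions for this example, not figures
# from any bank.
MULE_AMOUNT_MIN = 1_000.0
MULE_AMOUNT_MAX = 10_000.0
NEW_PAYEE_WINDOW = timedelta(days=7)
BURST_WINDOW = timedelta(hours=1)

# Constructed audit trail for one business account (not real bank data).
SAMPLE_EVENTS = [
    {"ts": "2011-06-01T10:00:00", "type": "payee_added", "acct": "999000111", "name": "Old Vendor"},
    {"ts": "2011-07-09T14:30:00", "type": "payee_added", "acct": "777888999", "name": "Office Supply Co"},
    {"ts": "2011-07-11T09:02:00", "type": "login", "user": "controller"},
    {"ts": "2011-07-11T09:05:00", "type": "payee_added", "acct": "111222333", "name": "J. Smith"},
    {"ts": "2011-07-11T09:06:00", "type": "payee_added", "acct": "444555666", "name": "A. Jones"},
    {"ts": "2011-07-11T09:10:00", "type": "transfer", "acct": "111222333", "amount": 4_900.00},
    {"ts": "2011-07-11T09:11:00", "type": "transfer", "acct": "444555666", "amount": 9_200.00},
    {"ts": "2011-07-11T10:00:00", "type": "transfer", "acct": "777888999", "amount": 312.50},
    {"ts": "2011-07-11T11:00:00", "type": "transfer", "acct": "999000111", "amount": 5_000.00},
]


def flag_mule_transfers(events):
    """Return transfers that go to a payee added within NEW_PAYEE_WINDOW for an
    amount inside the mule range. Events are processed in timestamp order, so
    the payee must have been added before the transfer, not merely the same day."""
    added_at = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "payee_added":
            added_at[ev["acct"]] = ts
        elif ev["type"] == "transfer":
            created = added_at.get(ev["acct"])
            if created is None or ts - created > NEW_PAYEE_WINDOW:
                continue                      # established payee: normal business
            if not MULE_AMOUNT_MIN <= ev["amount"] <= MULE_AMOUNT_MAX:
                continue                      # outside the range the attackers favour
            alerts.append({
                "ts": ts,
                "acct": ev["acct"],
                "amount": ev["amount"],
                "payee_age_minutes": (ts - created).total_seconds() / 60,
            })
    return alerts


def largest_burst(alerts, window=BURST_WINDOW):
    """Maximum number of flagged transfers inside any span of length `window`.
    Several fresh payees paid in one sitting is the signature of an automated
    cash-out rather than a single mistaken payment (sliding-window count)."""
    times = sorted(a["ts"] for a in alerts)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    found = flag_mule_transfers(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} ${a['amount']:,.2f} to {a['acct']} "
              f"(payee added {a['payee_age_minutes']:.0f} min earlier)")
    print("largest burst:", largest_burst(found))
```

On the sample data the two transfers to the minutes-old payees are flagged and form a burst of two; the small payment to a two-day-old vendor and the in-range payment to a long-standing vendor are left alone. In practice the rule would feed a hold-and-call-back step rather than block outright, since genuine new suppliers also get paid soon after they are set up.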
The Source of the Problem
- The source code for the ZeuS trojan was originally offered for sale for approximately $10,000, enabling criminal gangs to run their own botnet or customise the trojan for their particular market.
- The ZeuS source code has since been leaked and is available for free (or at a nominal cost) on hacker forums.
- The leak of the ZeuS source on May 7, 2011 is described here.
- The SpyEye 'builder' crack was leaked on August 11, 2011, as described here.
- Xyliton, a French security researcher with the Reverse Engineers Dream (RED) Crew, reverse engineered the 'builder' (the tool that generates the SpyEye malware) and cracked its hardware identification (HWID) layer, which locked each copy of the SpyEye builder to a particular physical machine.
- Because a legitimately purchased builder was tied to one buyer's hardware, bots produced with it could previously be traced back to that buyer. The cracked builder removes that link: anyone can now generate their own SpyEye variants with no attribution to a purchaser, which makes it much harder to track a SpyEye botnet back to its source.
The ZeuS malware package has been around long enough to earn the title "crimeware toolkit" from Symantec. The relatively newer SpyEye, first seen in 2010, includes a component called KillZeus that destroys its "competitor", ZeuS, on any machine they share. In addition to eliminating a competing botnet operator on an infected machine, being able to delete the older ZeuS Trojan gives the newer SpyEye operator a pre-configured bot which has already proven that its owner isn't going to discover the infection immediately. In both ZeuS and SpyEye, the malware developers have tried to build anti-kill functions into their own malware, so ZeuS can now defend itself against SpyEye's KillZeus module. It seems that in the world of botnet development, as with legitimate product sales, existing victims (read customers) are a lot more stable and valuable than new, unproven ones.
Attack Prevention and Mitigation Methods
- Keep the browser and operating system fully patched.
- Avoid Microsoft Internet Explorer if possible; Mozilla Firefox and Google Chrome are generally safer. Note that both ZeuS and SpyEye also hook Firefox, so switching browser reduces exposure to drive-by exploits but does not by itself stop an already-installed trojan.
- Keep effective, up-to-date commercial anti-virus software installed, bearing in mind that freshly built ZeuS and SpyEye variants often evade signature detection for some time after release.
- If possible, use a dedicated PC for commercial internet banking only. It then sees no general-purpose web browsing or email and is therefore far less likely to be infected.
- Change online banking passwords regularly, at least once per month for commercial internet banking. This limits the useful life of credentials that have already been stolen; it does not stop a trojan that is still capturing each new password.
- Implement two-factor authentication for banking and payroll transfers. Prefer a method that binds the second factor to the transaction details (payee and amount), since a man-in-the-browser trojan can reuse a plain one-time code within the session it hijacks.
- Ask your bank to remove or restrict the capability to add new employees or payee accounts from your online account. Replace this operation with an out-of-band procedure, such as confirmation by phone to a known number, combined with at least two-factor authentication.
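Why the two-factor and payee-change points above matter in combination is easiest to see in code. The following is an added illustration, not any bank's or token vendor's real scheme and not code from the original page: the user's token is modelled as an HMAC over a shared key, the bank keeps one outstanding challenge per user, and a man-in-the-browser trojan silently rewrites the payee and amount after the user has approved a payment. The `Bank` class, `derive_code`, `run_scenario` and the account identifiers are hypothetical names chosen for the example.

```python
import hashlib
import hmac
import secrets


def derive_code(key: bytes, nonce: bytes, payee_acct: str = "", amount_cents: int = 0) -> str:
    """8-hex-digit authorization code. With the defaults it is a plain OTP over
    the challenge only; with payee and amount it is bound to the transaction the
    user saw on the token's own display (which the trojan cannot alter)."""
    msg = b"|".join([nonce, payee_acct.encode(), str(amount_cents).encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Minimal server side: one shared key per user, one outstanding challenge per user."""

    def __init__(self, bind_to_transaction: bool):
        self.bind = bind_to_transaction
        self.keys = {}
        self.challenges = {}

    def enroll(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(8)
        self.challenges[user] = nonce
        return nonce

    def submit_transfer(self, user: str, payee_acct: str, amount_cents: int, code: str) -> bool:
        nonce = self.challenges.pop(user, None)   # a challenge is usable exactly once
        if nonce is None:
            return False
        if self.bind:
            # Verify over what was actually submitted, not what the user believes.
            expected = derive_code(self.keys[user], nonce, payee_acct, amount_cents)
        else:
            expected = derive_code(self.keys[user], nonce)
        return hmac.compare_digest(expected, code)


def run_scenario(bind_to_transaction: bool, browser_compromised: bool) -> dict:
    """Return what the bank accepted: the payee/amount it executed and whether it accepted."""
    bank = Bank(bind_to_transaction)
    key = secrets.token_bytes(32)              # provisioned into the user's token at enrolment
    bank.enroll("controller", key)

    intended = ("ACME-0001", 50_000)           # user approves $500.00 to a known supplier
    nonce = bank.challenge("controller")
    # The token computes the code over the details the user keyed into it (when bound).
    if bind_to_transaction:
        code = derive_code(key, nonce, *intended)
    else:
        code = derive_code(key, nonce)

    # A web-inject keeps showing 'intended' on screen but submits a mule transfer instead.
    submitted = ("MULE-9999", 950_000) if browser_compromised else intended
    accepted = bank.submit_transfer("controller", submitted[0], submitted[1], code)
    return {"accepted": accepted, "payee": submitted[0], "amount_cents": submitted[1]}


if __name__ == "__main__":
    print("plain OTP, trojan present:  ", run_scenario(False, True))
    print("bound code, trojan present: ", run_scenario(True, True))
    print("bound code, clean browser:  ", run_scenario(True, False))
```

With a plain one-time code the bank executes the mule transfer, because the code proves only that the user was present, not what they agreed to. With the code bound to payee and amount, the same trojan-modified submission fails verification, while an honest transfer still succeeds. The binding is only as good as the display the user checks it on, which is why the page's advice to move payee changes out of the browser altogether is the stronger control.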
July, 2011 Total scammed: $217,000
Metropolitan Entertainment & Convention Authority (MECA), the nonprofit that operates the Qwest Center in Omaha, Nebraska, was targeted by unspecified malware that infected one computer via an email attachment. Details here.
July, 2011 Total scammed: $28,000
The Town of Eliot, Maine - the PC belonging to the town controller was infected with unspecified banking trojan malware. Details here.
February, 2011 Total scammed: $150,000
Port Austin, Michigan based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller had been infected with the ZeuS trojan. Details here.
January, 2011 Total scammed: $378,000
The town of Poughkeepsie, New York was hit by unspecified cyber criminals from Ukraine who took over control of their online bank account. Details here.
November, 2010 Total scammed: $63,000
Green Ford Sales of Abilene, Kansas was infected with the ZeuS trojan malware. Details here.
October, 2010 Total scammed: $600,000
The city of Brigantine, New Jersey had their online banking credentials compromised by unspecified malware. Details here.
March, 2010 Total scammed: $465,000
Village View Escrow, a California-based real estate escrow company, was infected by the ZeuS trojan. Details here.
November, 2009 Total scammed: $200,000
Plano, Texas-based Hillary Machinery Inc. was hit by cyber criminals from Romania and Italy who transferred $801,495 out of its account in 48 hours. In this case the bank, PlainsCapital, managed to recover roughly $600,000. Details here.