Advertisement
Promo

Security threats Toolkit

Trojan swipes money from your banking site

Elinor Mills CNET News

Published: 30 Sep 2009 09:03 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that as well as stealing your bank login credentials, also steals money from your account while you are logged in and displays a fake balance.

The bank Trojan, dubbed URLzone, has features designed to thwart fraud-detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview on Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.

The specific Trojan Finjan researchers analysed targets customers of unnamed German banks. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting in infected PCs. Finjan has notified German law-enforcement authorities, Ben-Itzhak said.

"It's a next-generation bank Trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade anti-fraud systems."

Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySploit administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.

About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers had the Trojan installed, a few hundred had money stolen from their bank accounts, he added.

During the span of 22 days in mid-August, the criminals behind the Trojan stole around €300,000, according to the security company.

How the Trojan works
Potential victims get their computers infected either by opening an email and clicking on a link to a website created to distribute malware or by visiting a site that has been compromised and has malware hidden on it.

In this case the malware, a toolkit called LuckySploit, exploits a known security hole in the browser, affecting the major browsers, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank it springs into action.

While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum range that is below the amount that triggers anti-fraud systems and to leave a certain percentage in the account, Ben-Itzhak said.

After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.

"The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."

The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as 'independent contractors' or 'financial managers' whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realise the ruse immediately, Ben-Itzhak said.

Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance — what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.

The Trojan also keeps a log of the victim's bank account log in credentials, takes screenshots, and snoops on the user's other web accounts, such as PayPal, Facebook and Gmail, according to the Finjan report.

This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said.

Credit: Banking Trojan steals money from under your nose from CNET News

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
18 out of 18 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

3 comments

  1. sounds like a joke mike@stotko.de
  2. Trojan swipes money from your banking site. ator1940
  3. These types of... CA

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:









Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Campaigners criticise '£10bn NHS IT ov...

The National Health Service's flagship IT project has been criticised by a tax campaign group for running billions of pounds over budget. The NHS National Programme for IT (NPfIT)... More

2 comments

Climate research centre compromised

One of the UK's leading climate change research centres has had a security breach. The Climate Research Unit at the University of East Anglia (UEA) suffered a compromise of information,... More

1 comment

Government web-monitoring plans on hol...

Government plans to compel ISPs to process and store details of all web communications have been put on hold until after the next election. The Home Office told ZDNet UK on Wednesday... More

1 comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters