[Dataloss] Botnet-controlled Trojan robbing online bank customers

Rodney Wise rwise at seostrich.com
Fri Dec 14 12:48:54 UTC 2007


Botnet-controlled Trojan robbing online bank customers 
Security firm says malware targeting commercial customers believed to
have come from Russia
By Ellen Messmer, Network World, 12/13/07 

A new variant on the "Prg Banking Trojan" malware discovered in June is
stealing funds from commercial accounts in the United States, United
Kingdom, Spain and Italy with a botnet called Zbot, says Atlanta-based
SecureWorks. 



"It's been very successful since we've first seen this at the end of
November," says Don Jackson, senior security researcher at SecureWorks,
which believes the Prg Trojan variant is designed by the Russian hacker
group known as Russian UpLevel working with some German affiliates.



"The Trojan has the ability to use a man-in-the-middle attack, a kind of
shoulder-surfing when someone logs into a bank account. It can inject a
request for a Social Security number or other information, and it's very
dynamic. It’s targeted for each specific bank." 

SecureWorks says about a dozen banks -- which it wouldn't identify
because it says the U.S. Secret Service is investigating the incidents
-- have had their commercial customers affected by the Trojan-based
money fraud operation. According to SecureWorks, the bank Trojan malware
can be distributed using iFrame exploits on Web sites or through very
targeted attacks against bank customers via phishing. Oftentimes, the
phishing e-mail attempts to lure the victim into clicking on a site to
offer software disguised as a real certificate, security code or soft
token, the company says, adding that it has uncovered caches of stolen
data in its research. 

If the attacker succeeds in getting the Trojan malware onto the victim's
computer, he can piggyback on a session of online banking without even
having to use the victim's name and password. The infected computer
communicates back to the Trojan's command-and-controller exactly which
bank the victim has an account with. It then automatically feeds code
that tells the Trojan how to mimic actual online transactions with a
particular bank to do wire transfers or bill payments.
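The form-injection behaviour described above (a request for a Social Security number added to a genuine bank login page) suggests one server-side check a bank can run: flag login submissions that carry fields the real form never had. This is an added example written for this post, not code from SecureWorks or from the article; the expected-field allowlist, the sensitive-name hints and the sample POST bodies are all assumed or constructed.

```python
from urllib.parse import parse_qs

# Field names the bank's genuine login form actually submits (assumed allowlist).
EXPECTED_LOGIN_FIELDS = {"username", "password", "remember_me"}

# Name fragments typical of fields a web-inject adds to harvest extra identity
# data (constructed for this example; tune from real incident data, since a
# substring match such as "pin" will also hit harmless names like "shipping").
SENSITIVE_HINTS = ("ssn", "social", "pin", "token", "mother", "card", "cvv")


def find_injected_fields(post_body: str, expected: set = EXPECTED_LOGIN_FIELDS) -> dict:
    """Parse a form-encoded login POST and report fields the real form never had.

    Returns 'unexpected' (all unknown field names), 'sensitive' (the subset
    whose name suggests harvested identity data) and a 'suspected_inject' flag.
    Field values are never returned or logged, so the detector does not itself
    become a place where stolen data accumulates.
    """
    submitted = set(parse_qs(post_body, keep_blank_values=True).keys())
    unexpected = sorted(submitted - expected)
    sensitive = sorted(
        name for name in unexpected
        if any(hint in name.lower() for hint in SENSITIVE_HINTS)
    )
    return {
        "unexpected": unexpected,
        "sensitive": sensitive,
        "suspected_inject": bool(sensitive),
    }


# Constructed sample bodies: a normal login, and the same login after an
# in-browser inject appended an SSN prompt and a PIN prompt to the form.
CLEAN_POST = "username=alice&password=hunter2&remember_me=on"
INJECTED_POST = "username=alice&password=hunter2&remember_me=on&ssn=123456789&atm_pin=4321"

if __name__ == "__main__":
    for body in (CLEAN_POST, INJECTED_POST):
        print(find_injected_fields(body))
```

A hit here is an indicator, not proof: the genuine request still carries valid credentials, so the useful response is to step up verification and alert the customer rather than silently reject.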

SecureWorks says the Trojan generates keystrokes that imitate the
victim's own typing to avoid any online fraud-monitoring. Although the
Secret Service is investigating the Trojan's impact on banks and their
customers, Jackson says Russian law-enforcement authorities are lax in
reining in online criminal groups widely believed to be operating from
Russia, including Russian UpLevel and the Russian Business Network.



Rodney Wise

South East Ostrich Supply
http://www.seostrich.com
(803) 741-5636