Archive for the 'eCrime' Category

Australian Hacker Pleads Guilty To Infecting Computers with Banking Trojan

Tuesday, July 27th, 2010

Anthony Scott Harrison, 21, from the Black Forest area near Adelaide, Australia, yesterday pled guilty to computer hacking. He admitted to infecting 3,000 computers with a banking trojan that allowed him to steal online bank account login details and credit card information. He also admitted to infecting a further 74,000 computers with a bot designed for DDoS.

New Zeus Banking Trojan Spoofs Verified by Visa and MasterCard SecureCode

Friday, July 16th, 2010

Zeus is a prolific trojan designed to let cyber criminals break into corporate online banking accounts and transfer large amounts of money out of company bank accounts.

A new version of the Zeus trojan has been detected that tries to steal Verified by Visa and Mastercard SecureCode passwords, allowing criminals to use corporate payment credit cards.

When users log into their online banking websites from infected computers, the new Zeus trojan will display a screen telling the user that they need to enroll their corporate credit card into the Verified by Visa security scheme. In reality, the criminals are stealing your data and can then use your corporate credit card online illegally.

Firefox Add-On Steals Your Passwords

Friday, July 16th, 2010

Mozilla has disabled a Firefox browser plug-in, Mozilla Sniffer, that steals your usernames and passwords and sends them to a third party website that cyber-criminals presumably use.

Protecting Online Banking Customers from the Evolving Cyber-Crime Threats

Wednesday, July 14th, 2010

I will be speaking at the Atlanta Infragard A-List security training conference on August 25th.

I will talk about the evolving cyber-crime threat landscape that is targeting users of online banking systems. I’ll also review various ways that banks can deploy solutions to help protect their users. I’ll look at various protection types for consumer banking versus corporate banking systems and online trading systems.

If you would like to attend the Infragard meeting, you can find more information here: Atlanta Infragard A-List Conference.

Infragard is a partnership of businesses, the FBI, educational entities and the National Infrastructure Protection Center. This alliance is designed to protect IT systems from hacker attacks and other intrusions by providing a network for sharing information, anonymously, about attacks and how to protect against them.

Banks in Eastern Europe Under Attack from Crimeware

Wednesday, June 16th, 2010

It seems that it’s not only the customers of US, UK and Brazilian banks that are under attack from crimeware such as the Zeus trojan, which logs into online bank accounts and allows criminals to transfer funds from victims’ accounts.

Now customers of Eastern European banks are also under attack, according to security researcher Joe Stewart of SecureWorks. Joe says that the BlackEnergy2 trojan is now being used to break into online bank accounts of infected users who are accessing online banking sites in Russia and Ukraine.

In addition to allowing cyber criminals to fraudulently transfer funds, the trojan launches a Distributed Denial of Service attack (DDoS) on the bank. This prevents legitimate users from logging in, and distracts bank security and IT employees.

Police Arrest 178 People in Global Credit Card Scam Involving 120,000 Stolen Credit Card Numbers

Tuesday, June 15th, 2010

Police in Europe and the United States have arrested 178 people in 14 countries on charges of credit card fraud.

Apparently the investigation has found 120,000 stolen credit card numbers, and 5,000 cloned credit cards. Six card cloning labs have been seized.

Brian Krebs (krebsonsecurity.com) has posted an excellent blog post today. He’s even posted a picture of one of the credit card cloning labs, sourced from the Spanish Ministry of Interior.

American Bankers Association Says the Threat of Corporate Bank Account Fraud on the Internet is Very Large

Wednesday, June 9th, 2010

Bank Info Security magazine today published an interview with Doug Johnson of the American Bankers Association (ABA) on the topic of corporate banking account takeovers by cyber criminals. Cyber criminals are increasingly using malware to steal online access to the bank accounts of small and medium sized companies and government agencies, and fraudulently transfer hundreds of thousands of dollars out of those accounts.

The interview is worth reading, and it can be found here.

When asked how big a threat cyber criminal takeovers of Internet corporate banking accounts are, Mr. Johnson replied:

“Well, I think that the threat is very large. I think that the threat is not only a large one from the standpoint of the number of cases — which the FBI continues to observe are increasing for them. But I think the biggest risk that we face here, as it relates to the corporate account takeover, is the damage it does to the reputation of financial institutions and financial institutions’ customers, and the damage it does potentially to the relationship between our customers and our financial institutions. Because I do believe at the end of the day this is all about shared responsibility. Both financial institutions as well as financial institution customers do have a responsibility to have skin in the game to protect accounts, and I think that it is only through that active partnership that they were able really to address the current threat.”

Another Company Sues Their Bank Over Internet Losses From Malware and Cyber Criminals

Tuesday, June 8th, 2010

Patco, a Sanford, Maine-based construction company, had its corporate bank account taken over by cyber criminals last May, resulting in unauthorized funds transfers of over $588,000. The funds were sent to dozens of money mules throughout the country, who then forwarded the funds overseas.

Patco has sued their bank, Ocean Bank of Portsmouth, NH, for failing to detect and prevent the fraudulent losses.

It’s most likely that Patco computers got infected by the Zeus banking trojan malware, or some other similar crimeware. This allowed the criminals to sniff the usernames and passwords of the employees at Patco who did their corporate online banking. The criminals then logged in to Patco’s accounts and initiated over half a million dollars in fraudulent funds transfers.

Patco is arguing that the bank did not take reasonable precautions. The bank is arguing that their systems were secure, and that the computers of Patco employees were infected with malware, resulting in the losses.

“Avalanche” Cyber Crime Gang Abuses Domain Name Registrations for Phishing and Malware Attacks

Saturday, May 15th, 2010

A new report was released by the Anti-Phishing Working Group at the Sao Paulo, Brazil “Counter Electronic-Crime Operations Summit”.

The report is titled “Global Phishing Survey: Trends and Domain Name Use 2H2009”. It is focused on an analysis of domain name registrar abuse, and how fraudulently registered domain names are used to operate phishing scams as well as malware and crimeware distribution.

The “Avalanche” cyber crime gang appears to have been responsible for two-thirds of all phishing attacks launched in the second half of 2009, and was responsible for the overall increase in phishing attacks recorded across the Internet.

The Avalanche gang appears to be a group, perhaps largely of the same people, that has taken over from the notorious “Rock” phishing gang. The Rock phishers were the most prevalent online crime gang in the 2007-2008 period. They invented technology to automate phishing, spam and malware attacks by coordinating the compromise, operation and cleanup of thousands of servers across the Internet. The Rock phishing gang invented the “Fast Flux” technique of rotating the phishing and malware sites behind a given domain name across hundreds of servers, so that takedown of these sites was extremely difficult, and only having a domain registrar or registry suspend the domain could guarantee a takedown. This approach effectively defeated blacklisting techniques for protecting users from visiting known phishing and malware distribution sites.

The Avalanche gang appears to have taken the approach to a new level. They continue to use large numbers of domains, and they use subdomain hosting services. But they are now using botnets, running on computers of consumers who do not realize that their computers are infected, and are in fact being used at night time by cyber criminals to perform their evil tasks.

The Avalanche gang is not only using this massive infrastructure for phishing, but they have also been using it to distribute malware and crimeware, notably the Zeus banking trojan.

Read all the details of the report here.

FBI To Target “Cyber Mules” – People Who have “work at home jobs” Transferring Money on the Internet

Wednesday, May 12th, 2010

The US Federal Bureau of Investigation is planning a major prosecution to bust up the operations that cyber criminals use to turn funds stolen online into readily available cash, a top bureau official said Tuesday.

The FBI is targeting the end of the criminal supply chain—the “money mules” who receive transfers of stolen funds in their bank accounts—to raise public awareness and dissuade people from becoming mules, said Patrick Carney, acting chief of the FBI’s Cyber Criminal Section.

Money mules are people who think they have a legitimate work-at-home job, where they receive goods or get money wired into their bank accounts, and their job is to forward the goods or a portion of the funds, to another person. These scams are usually presented as a work-from-home shipping clerk job, or perhaps a business consultant or an accounting administrator.

These jobs are posted on job boards like Monster.com and HotJobs.com. They are sent out by spam. They are advertised online and even in newspapers.

But the reality is that these are scams, and are operated by the cyber underground as a way to launder stolen funds or goods purchased online with stolen credit cards.

We do not know how many people are working as “mules”, but it must be ten thousand or more in the USA. The anti-money-laundering website BobBear.co.uk lists hundreds of active fake companies that are fronts for money mules.