test&measurementZONE Archive of engeniusBLOG

Electronic Banking Gets Pwned

Oct 5, 2009 at 12:00
The temptation to use electronic banking is really high. You sit at your computer and check your balances, tell the bank who to pay – and when – and where to move your funds around: if you are fortunate enough, these days, to actually have some excess cash to make such decisions necessary.

But electronic and secure don’t, for me, fit well together in a sentence. Even electronic ATMs kind of scare me because they are made by the same folks that build fraud-capable voting machines!

Finjan Software, which sounds like it should be of Nordic origin but is actually in the same building in San José where I had an office when working for Electronic Design Magazine, uncovered a real monster this summer in Germany. A Trojan going by the name URLZone (not one of EN-Genius’ ZONEs!) managed to lift from bank accounts €300 k (US$440 k) over a period of twenty-two days through September 1, 2009.

The malware itself runs only on Windows, but the exploit kit that delivers it targets browser flaws in IE6, IE7, IE8, Opera, and Firefox. It arrives through malicious JavaScript planted on compromised web pages and, it is believed, also through the opening of a booby-trapped PDF. Finjan traced about 90,000 computers that visited the pages where the exploit code was hiding; the Trojan infected roughly 8% of them. Of those infected, a couple of hundred users had funds purloined.

What is so different about this Trojan is that it talks to its command server (identified as being in Ukraine – is that country becoming the head office of Internet fraud of one kind or another? Nigeria, move over…) to ask how much money to go for. The amount is chosen from the balance in the account so that the transfer goes unnoticed by the bank's computers: banks have different thresholds for flagging large transfers and unique per-account monitoring limits, and the command server picks a figure that stays below them. Once the command server tells the Trojan how much to lift, the money is transferred through a separately compromised "mule" account, and each mule is used only a few times.

The Trojan does its work while the user is online with the bank. It even rewrites the account pages the user sees, presenting a false balance and statement that cover up the theft, so there is no indication that anything is awry...until the next paper statement arrives.
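The two tricks above (picking amounts just under the bank's review threshold, and pushing the money through a mule account that several victims pay in a short span) leave a pattern the bank can look for even though the victim's own browser view is doctored. The following is an added example, not code from the post or from Finjan: a bank-side heuristic over constructed transfer records. The threshold value, the "near threshold" band, the reuse window, and the record format are all assumptions made for illustration.

```python
# Added example (not from the original post or Finjan's report): a bank-side
# heuristic for the URLZone mule pattern. All data and limits are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: a single-transfer review limit the fraudster is trying to stay under.
REVIEW_THRESHOLD = 5000.0
# Assumed: "just under the threshold" means within this fraction of it.
NEAR_BAND = 0.15
# Assumed: a mule account is reused only a few times, so look within one week.
WINDOW = timedelta(days=7)

_day = datetime(2009, 8, 10)
# Constructed records: (timestamp, source account, beneficiary, amount,
#                       beneficiary is a first-time payee for this source?)
TRANSFERS = [
    (_day, "DE-A", "DE-M1", 4800.0, True),                      # victim A -> mule
    (_day + timedelta(days=2), "DE-B", "DE-M1", 4650.0, True),  # victim B -> same mule
    (_day + timedelta(days=1), "DE-A", "DE-L", 1200.0, True),   # ordinary new payee
    (_day + timedelta(days=3), "DE-C", "DE-P2", 4900.0, True),  # near limit, one payer only
    (_day + timedelta(days=4), "DE-C", "DE-M1", 3000.0, True),  # mule, but not near limit
    (_day + timedelta(days=20), "DE-D", "DE-M1", 4700.0, True), # mule reused outside window
]


def near_threshold(amount, threshold=REVIEW_THRESHOLD, band=NEAR_BAND):
    """True when an amount sits just below the review threshold."""
    return threshold * (1.0 - band) <= amount < threshold


def flag_mule_candidates(transfers, threshold=REVIEW_THRESHOLD,
                         window=WINDOW, min_sources=2):
    """Return {beneficiary: [source accounts]} for beneficiaries that receive
    near-threshold transfers from several distinct first-time payers inside
    one window. A single near-threshold payment is not enough on its own."""
    by_beneficiary = defaultdict(list)
    for ts, src, dst, amount, new_payee in transfers:
        if new_payee and near_threshold(amount, threshold):
            by_beneficiary[dst].append((ts, src, amount))

    flagged = {}
    for dst, events in by_beneficiary.items():
        events.sort()  # chronological
        for i, (start, _, _) in enumerate(events):
            # Every later event that falls inside the window opened by this one.
            inside = [e for e in events[i:] if e[0] - start <= window]
            sources = {e[1] for e in inside}
            if len(sources) >= min_sources:
                flagged[dst] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    for mule, payers in flag_mule_candidates(TRANSFERS).items():
        print(f"review beneficiary {mule}: near-limit transfers from {payers}")
```

In the constructed data only DE-M1 is flagged, on the strength of the two victims who paid it within a week; DE-P2 escapes because one near-limit payment to a new payee is normal behaviour, and the late DE-D payment is outside the window. Real deployments would tune the band and window per bank and add the account-specific limits the post mentions.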

The Trojan is planted on victims' computers by the LuckySploit criminal exploit toolkit. Finjan notified German authorities about the heist, and Ukrainian police closed down the servers involved in the theft spree. But the bad guys, the software tools, and the toolkit that enabled it are all still out there. So maybe you might want to think about the next country these nice people might target after this successful trial run…

How did Finjan trace the servers and all the software they were using? The thieves were so smart that they left all their equipment totally unprotected!

Maybe Finjan should make a sales call?