Double-Protected Bank Clients Tricked by $78M Crimeware Scam

A scene from the bank heist movie 30 Minutes or Less. Photo: Wilson Webb

It used to be that a password was enough to keep your online bank account relatively safe. Then you needed a second factor — a text message or a one-time PIN, say — to be sure thieves weren’t breaking into your account. Now, even this so-called “two-factor” authentication has been thwarted, thanks to new crimeware variants that crooks have been using to automate their bank heists in an attempt to steal more than $78 million.

That’s according to security firms McAfee and Guardian Analytics, who released a report on the new banking trojans (.pdf). About a dozen groups have been using variants of Zeus and SpyEye that automate the process of transferring money from bank accounts. The stolen funds are transferred to pre-paid debit cards or into accounts controlled by money mules, allowing the mules to withdraw the money and wire it to the attackers.

Older versions of Zeus and SpyEye, which often get onto the machines of victims via phishing attacks or drive-by downloads, made the complicated process of bank robbery practically plug-and-play. Using “web injection” attacks, they tricked bank users into entering account details that were passed to the attackers.

But monetizing that information could be labor-intensive, since the attacker had to manually initiate a money transfer. The attacker might also be thwarted by two-factor authentication schemes that required a bank user to enter a one-time password or PIN sent to his phone. In order to grab the one-time number and use it, a hacker had to be online when the user entered it, to initiate a transfer while the number was still valid.

New variants of the malware, however, dumb the process down even further by automating it, so the attacker doesn’t need to be directly involved in each transaction or do any pesky manual typing.

“With no human participation required, each attack moves quickly and scales neatly. This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term ‘organized crime,’” the researchers write in their report.

The malware also bypasses two-factor authentication that some banks in Europe require. With such systems, a user swipes his card and enters a PIN in a reader, which then generates a one-time code that the account holder has to submit to the banking site to access his account or authenticate a transaction.

But in the automated attacks, the malware simply presents the user with a screen asking for the PIN and one-time code. The researchers say it’s “the first known case of fraud being able to bypass this form of two-factor authentication.”

The attacks have targeted victims primarily in Europe, but have also struck victims in Latin America and the U.S. and have used varied techniques that are tailored to the transaction process of each financial institution.

For example, in one attack against a victim in Italy, the malware injected a hidden iframe tag to hijack the victim’s account and initiate a money transfer without the attacker actively participating.

The malware examined balances in the victim’s various accounts and transferred either a fixed percentage that was pre-determined by the attacker or a small currency amount such as $600 to avoid suspicion.

The malware also collected information on the fly from a mule database in order to select an active account for depositing the stolen cash, ensuring that mule accounts that had been closed or flagged as fraudulent by banks were no longer used.

“No human interventions, no delays, no data entry errors,” were involved, the researchers write.
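As an added example (not from the article or the McAfee/Guardian Analytics report), the transfer pattern described above, a preset fraction of the balance or a small round amount sent seconds after login to a never-before-seen beneficiary or a known mule account, is what a bank's fraud-scoring rule would look for. The data classes, indicator names and thresholds are assumptions, and the sample transfers are constructed.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    account: str
    balance_before: float
    amount: float
    beneficiary: str
    country: str              # beneficiary's country
    seconds_after_login: int

@dataclass
class Profile:
    known_beneficiaries: set  # beneficiaries this account has paid before
    usual_countries: set

# Fractions a preconfigured transfer script is likely to use (assumed, tunable).
PRESET_FRACTIONS = (0.05, 0.10, 0.15, 0.20, 0.25, 0.50)

def transfer_indicators(t: Transfer, p: Profile, mule_list: set) -> list:
    """Return the indicators this transfer matches (empty list = nothing odd)."""
    hits = []
    if t.beneficiary in mule_list:
        hits.append("beneficiary on mule list")
    if t.beneficiary not in p.known_beneficiaries:
        hits.append("first transfer to this beneficiary")
    if t.country not in p.usual_countries:
        hits.append("destination country never used before")
    if t.seconds_after_login < 30:       # scripted, not typed by a person
        hits.append("submitted within seconds of login")
    fraction = t.amount / t.balance_before if t.balance_before else 0.0
    if any(abs(fraction - f) < 1e-6 for f in PRESET_FRACTIONS):
        hits.append(f"amount is exactly {fraction:.0%} of balance")
    if t.amount <= 1000 and t.amount % 100 == 0:  # e.g. the $600 the report cites
        hits.append("small round amount")
    return hits

def review(transfers, profile, mule_list, threshold=3):
    """Flag on any mule hit, or when `threshold` or more indicators coincide."""
    results = {}
    for t in transfers:
        hits = transfer_indicators(t, profile, mule_list)
        results[t.account] = ("beneficiary on mule list" in hits or len(hits) >= threshold, hits)
    return results

# Constructed sample data: one routine payment, two automated-looking transfers.
PROFILE = Profile({"DE-PAYROLL-01", "DE-SUPPLIER-07"}, {"DE"})
MULES = {"PT-MULE-0042"}
SAMPLE = [Transfer("ACC-1", 50412.80, 1250.37, "DE-SUPPLIER-07", "DE", 312),
          Transfer("ACC-2", 12000.00, 1200.00, "PT-NEW-1187", "PT", 8),
          Transfer("ACC-3", 9450.50, 600.00, "PT-MULE-0042", "PT", 11)]
```

A single indicator (a new beneficiary, say) is normal for a business account, which is why the rule only flags when several coincide or the mule list matches.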

In Germany, the attackers compromised 176 accounts and attempted to transfer more than $1 million to mule accounts in Portugal, Greece, and the UK. In attacks in the Netherlands conducted this past March, the attackers targeted 5,000 accounts and attempted to siphon more than $35 million.

In one case targeting a victim in the U.S., the attackers transferred funds from the victim’s corporate savings account to a corporate checking account before initiating an external transfer of money to a mule’s account outside the U.S. Victims in the U.S. were all commercial accounts that had several million dollars in balances.

In at least one case, the attackers actually hijacked legitimate money transfers instead of initiating their own. Funds intended to go from a North American account to a recipient in the UK to fund an escrow account for auctioned vehicles got diverted to a mule account instead.

The processing of the fraudulent transactions is sometimes performed from servers in the U.S. and elsewhere that are moved frequently to avoid discovery. Researchers found at least 60 servers being used for the malicious activity.

Logs collected from some of the servers showed the attackers issued commands to transfer $78 million from accounts at more than 60 financial institutions in several countries. Researchers believe there are other unknown servers used in the attacks, and that the fraudsters may have tried to siphon as much as $2 billion. It’s unclear how many of the initiated transactions were successful or how many were thwarted by banks that detected the fraudulent activity.

The malware variants take several steps to hide their activity from victims, such as killing links for printable statements that appear on a web page so the user can’t easily view his balance. They also search for and erase confirmation emails sent by the bank and alter data on statements the user does see, to eliminate any evidence of the fraudulent transaction.