Bank Account Logins for Sale, Courtesy of Citadel Botnet

Financial theft is one of the most lucrative forms of cybercrime. Malware authors continue to deliver sophisticated tools and techniques to unlock online bank accounts. Attackers design and develop botnets to perform financial fraud, targeting banks and other institutions for profit. These botnets traditionally have monitored victims’ Internet activities and intercepted banking transactions to extract account credentials and send them to their control servers. Recent botnets are armed with more advanced capabilities, yet traditional methods continue to be the most effective way to steal money.

Recently I came across an underground Russian forum in which an author was actively selling botnet logs with account-login details from one targeted bank.

These botnet logs were from the Citadel botnet Version (Extreme Edition). Citadel is a variant of the popular Zeus botnet and has been widely seen since late 2012. This botnet has already been covered in blogs and by McAfee Labs.

Here is an image of server code for extracting bank account information.

Our research has revealed that Citadel is one of the most active botnets in the world, spanning several locations across Europe. One of the major reasons for its common use is that the botnet setup services are fairly cheap via the underground community. Here is an advertisement for the Citadel setup service.

The same user offers the setup services on another forum:

Many cybercriminals avoid transferring money to their own accounts because of the risk of prosecution; selling the account information and making money from the sale is an effective way of preserving anonymity. Thus the attacker can't be held accountable for the transfers later made from a stolen account.

As a precautionary measure, we should look out for accounts being accessed, or transactions being made, to/from different geographical locations. Banks place limits on the amount of money that can be transferred in one day or in a single transaction. Small, unauthorized transactions made from an account should therefore be noticeable; spotting them early can prevent major financial losses.
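As an added illustration of the two warning signs just mentioned (not code from the original post or from McAfee), here is a toy transaction monitor that flags logins from geographically distant locations in too short a time and bursts of small transfers that may precede a large one. All account ids, coordinates, timestamps and amounts are constructed sample data, and the speed and amount thresholds are assumptions a real deployment would tune.

```python
"""Added example, not code from the McAfee post: a toy transaction monitor
for two warning signs the post recommends watching, logins from distant
locations in too short a time and bursts of small unauthorized transfers
that may precede a large one. Every account id, coordinate and amount
below is constructed sample data."""

from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed events: (ISO timestamp, account, event kind, latitude, longitude, amount)
EVENTS = [
    ("2013-03-01T09:00:00", "acct-1001", "login",    48.85,  2.35,    0.0),  # Paris
    ("2013-03-01T09:05:00", "acct-1001", "transfer", 48.85,  2.35,  120.0),
    ("2013-03-01T09:40:00", "acct-1001", "login",    55.75, 37.62,    0.0),  # Moscow, 40 min later
    ("2013-03-01T09:42:00", "acct-1001", "transfer", 55.75, 37.62,    1.0),  # probing transfers
    ("2013-03-01T09:43:00", "acct-1001", "transfer", 55.75, 37.62,    2.0),
    ("2013-03-01T09:44:00", "acct-1001", "transfer", 55.75, 37.62,    1.5),
    ("2013-03-01T10:00:00", "acct-1001", "transfer", 55.75, 37.62, 4900.0),  # the real theft
    ("2013-03-01T11:00:00", "acct-2002", "login",    51.51, -0.13,    0.0),  # London
    ("2013-03-01T18:00:00", "acct-2002", "login",    52.37,  4.90,    0.0),  # Amsterdam, 7 h later
    ("2013-03-01T18:05:00", "acct-2002", "transfer", 52.37,  4.90,   60.0),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_events(events):
    """Turn the raw tuples into dicts sorted by time."""
    parsed = [
        {"ts": datetime.fromisoformat(ts), "acct": acct, "kind": kind,
         "lat": lat, "lon": lon, "amount": amount}
        for ts, acct, kind, lat, lon, amount in events
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def flag_impossible_travel(events, max_kmh=900.0):
    """Flag an account when two consecutive logins imply travel faster than
    max_kmh (roughly airliner speed, an assumed threshold).
    Returns (account, distance_km, implied_kmh) tuples."""
    alerts = []
    last_login = {}
    for e in parse_events(events):
        if e["kind"] != "login":
            continue
        prev = last_login.get(e["acct"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                alerts.append((e["acct"], round(km), round(km / hours)))
        last_login[e["acct"]] = e
    return alerts


def flag_small_probe_bursts(events, small=5.0, min_count=3, window=timedelta(minutes=10)):
    """Flag an account that makes min_count or more transfers of at most `small`
    within `window`; returns (account, count, time of the last probe) tuples."""
    alerts = []
    recent = defaultdict(list)
    for e in parse_events(events):
        if e["kind"] != "transfer" or e["amount"] > small:
            continue
        times = recent[e["acct"]]
        times.append(e["ts"])
        times[:] = [t for t in times if e["ts"] - t <= window]  # drop probes older than the window
        if len(times) >= min_count:
            alerts.append((e["acct"], len(times), e["ts"].isoformat()))
            times.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in flag_impossible_travel(EVENTS):
        print("impossible travel:", alert)
    for alert in flag_small_probe_bursts(EVENTS):
        print("small-transfer burst:", alert)
```

In the constructed data, acct-1001 logs in from Paris and then Moscow 40 minutes apart (an implied speed of several thousand km/h) and then makes three sub-5 transfers within two minutes before the large one, so both detectors fire on it; acct-2002's London-to-Amsterdam move over seven hours is ordinary and is left alone. Either alert alone would have been a reason to hold the 4,900 transfer for review.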


Android Banking Trojans Target Italy and Thailand

See March 20 update at end of page.

A very profitable line for mobile malware developers is Android banking Trojans, which infect phones and steal passwords and other data when victims log onto their online bank accounts. One recent trend is Android malware that attacks users in specific countries, such as South Korea and India. We have already seen this type of malware posing as mobile applications from banks in Spain and Portugal. Now a new threat distributed via phishing links targets users of banks in Italy and Thailand using the following icons:


When the malware runs, it asks the user to input a password and confirm it. If the passwords do not match, the app will show an error message:


However, unlike Android/FakeToken, this malware does not send the password to the attacker via the Internet or SMS. Instead, it sends an SMS to a specific number in Russia with the text “Ya TuT :) ” (“I am here,” in Russian) or “init” the first time that the application is executed. If the passwords match, the application shows the traditional fake security token seen in other families of Android banking Trojans:


After the user closes the application, the malware runs in the background and intercepts all incoming SMS using a receiver and the API call “abortBroadcast.” However, not all SMS messages are sent to the remote attacker in Russia, because they can be filtered using two mechanisms:

  • Sending an SMS with the keyword “@DELETE” disables the forwarding of SMS.
  • Checking whether a potential mTAN is still valid: if the difference between the Start Time (when the SMS is processed) and the current time exceeds the Work Time (the period during which the mTAN is valid), that SMS is not forwarded to the attacker.
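
The receiver-plus-abortBroadcast pattern described above leaves a footprint in an app's manifest that a triage script can look for. The following is an added example, not code from the original post or from McAfee: a static heuristic over a decoded AndroidManifest.xml. It relies on the fact that, on the Android releases current at the time, a receiver could only swallow the SMS_RECEIVED ordered broadcast if it registered with a high android:priority, so such apps tend to combine RECEIVE_SMS and SEND_SMS permissions with a high-priority SMS_RECEIVED receiver. Both manifests, including every package and class name, are constructed, and the priority threshold is an assumption.

```python
"""Added example, not code from the McAfee post: a static triage heuristic
for decoded AndroidManifest.xml files. Flags the permission pair and the
high-priority SMS_RECEIVED receiver that SMS-stealing Trojans of this era
needed in order to call abortBroadcast() before the stock SMS app ran.
Both manifests below are constructed, not real samples."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest showing the pattern (package and class names are made up).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.faketoken">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Token">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml, priority_threshold=100):
    """Return human-readable findings for one manifest; an empty list means nothing matched.
    priority_threshold is an assumed cut-off; the stock SMS app uses the default priority 0."""
    root = ET.fromstring(manifest_xml)
    findings = []

    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= permissions:
        findings.append("requests both RECEIVE_SMS and SEND_SMS: can read incoming SMS and forward them")

    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            priority = int(_android_attr(intent_filter, "priority") or 0)
            if priority >= priority_threshold:
                findings.append(
                    "receiver %s handles SMS_RECEIVED at priority %d: can abort the broadcast "
                    "before the stock SMS app sees it" % (_android_attr(receiver, "name"), priority))
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest) or ["no findings"])
```

Neither finding is proof of malice on its own (legitimate SMS apps request the same permissions), which is why the script reports both signals and leaves the verdict to an analyst; the useful point for a defender is that the behaviour the post describes cannot be implemented without leaving these declarations in the manifest.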

In addition to the versions that directly target banks and financial institutions, there is also a variant of this family that tries to impersonate the security application Trusteer Rapport (just as the first Zitmo variant for Android did in July 2011):


Although the user interface of this variant is different, its behavior is the same as described above. If you have been a target of this malware, contact your respective banks for instructions on securing your account. McAfee Mobile Security detects this threat as Android/FkSite.A and alerts mobile users if it is present on their devices, while protecting them from any data loss. For more information about McAfee Mobile Security, visit


A researcher at F-Secure, Sean Sullivan, has just helped to find another variant of this threat targeting Commonwealth Bank — NetBank in Australia:


The only difference from the variants we have described is that the stolen SMS are sent to a phone number in the United Kingdom. McAfee Mobile Security also detects this variant as Android/FkSite.A.

Operation High Roller Raises Financial Fraud Stakes

Earlier today Guardian Analytics and McAfee released the joint report “Dissecting Operation High Roller,” which describes a new breed of sophisticated fraud attacks. The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multifaceted automation in a global fraud campaign.

Building on established Zeus and SpyEye malware tactics, this ring adds many breakthroughs: bypasses for physical “chip and pin” authentication, automated “mule” account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as €100,000 (US$130,000). Although Europe has been the primary target for this and other financial fraud rings in the past, our research found the thefts spreading outside Europe, including to the United States and Colombia.

What are the key points in the attacks?

  • A shift from traditional man-in-the-browser attacks on the victim’s PC to server-side automated attacks. Criminals have moved from multipurpose botnet servers to using servers purpose-built and dedicated to processing fraudulent transactions.
  • Global: Started in Europe, moved to Latin America, and recently to the United States
  • Impacts commercial accounts and high-net-worth individuals
  • Impacts financial institutions of all sizes

What is the impact of this new fraud methodology?

  • Criminals can move faster
  • A wide variety and level of dollar transactions can be attempted
  • Purpose-built, multiple-strategy approach helps avoid detection
  • By avoiding detection, the servers can stay live longer

Download the report in its entirety here. A detailed knowledgebase article and other documents will be released later today.