Last month, a British bank and its customers were hit by a coordinated and targeted attack by criminals that launched their efforts from Eastern Europe.
In an impressive display of a blended threat, the crooks created advertisements carrying malicious code, which they then placed on legitimate websites (run by Yahoo, for example) as well as on their own sites. Once the advertisement was clicked or the malicious website visited, an exploit kit (the Eleonore and Phoenix kits in this case) would silently exploit the user's browser and install the new and improved Zeus v3 Trojan on the PC.
Once installed, the Trojan would announce to its Command and Control (C&C) server that it was ready and then wait for the user to log into their bank account.
When the unsuspecting user finally logged into their bank account, the Trojan would notify the C&C while the banking session was open. The C&C would then step in between the bank page and the user and deliver a script that did its own reconnaissance to determine how much money was in the account. If the balance exceeded a certain amount, the script would transfer money into a money mule's account, from which it would eventually make its way to the criminals. The malefactors were kept informed at each step along the way, receiving detailed information about the accounts and their balances and the success or failure of each transaction, all over encrypted traffic to avoid detection.
An observation that everyone should take from this story is just how difficult it was (and is) to detect the attack. Of all the anti-malware software on the market, only Sophos and Trend Micro would have caught the Zeus v3 Trojan, which would have stopped the attack before it could start. Most other anti-malware vendors have since updated their software to detect Zeus v3.
The bank and the affected customers have been notified of the illegal activity, and authorities are investigating. No responsible parties have been apprehended at this time.
Read more about the attack and the excellent research by M86 Security here.