Posted on 08/11/2010 12:01:11 PM PDT by Swordmaker
Security firm M86 says attack has cost the bank almost $900,000
Security vendor M86 Security says it's discovered that a U.K.-based bank has suffered almost $900,000 (675,000 Euros) in fraudulent bank-funds transfers due to the ZeuS Trojan malware that has been targeting the institution.
Bradley Anstis, vice president of technology strategy at M86 Security, said the security firm uncovered the situation in late July while tracking how one ZeuS botnet had been specifically going after the U.K.-based bank and its customers. The botnet included a few hundred thousand PCs and even about 3,000 Apple Macs, and managed to steal funds from about 3,000 customer accounts through unauthorized transfers equivalent to roughly $892,755.
Anstis declined to name the bank. He said the botnet used in the attack is based on version 3.0 of the ZeuS malware and appears to be controlled from Eastern Europe, with a server hosted in Moldova.
From the investigation into the botnet's server operations, M86 Security has found the criminals controlling the botnet waited until accounts reached at least 800 Euros before initiating a fraudulent funds transfer from the victim's compromised machine to a number of other accounts used by money mules who would forward the funds on to Eastern Europe.
Anstis says the victimized bank was offering "free security software" to customers but it wasn't clear if this software, which M86 declined to name, was in use when the fraudulent transfers were made. Anstis says the process of notifying the bank to let it know what M86 Security has discovered about the botnet was a somewhat frustrating experience.
"It took us a week and a half of running around," says Anstis, trying to get the attention of the security department there when M86 Security was not a known entity to them. M86 Security says it is publishing a report today about its findings.
It has been known for over a month that Trojan writers, by means of a ZeuS-based botnet, have been targeting U.K.-based banks and the Trusteer security software Rapport, which is used by U.K.-based HSBC, among others. Anstis declined to confirm or deny that HSBC was the bank in question.
The BotNet is spreading a very hard-to-detect Trojan plug-in for Internet Explorer... that empties UK bank accounts at a specific bank. It leaves approximately $50 equivalent in the account, but when a victim checks his account online, it puts up a FAKE page showing all the money is still in the account.
New Sophisticated Trojan, Which Is Undetectable, Has Emptied Bank Accounts Worldwide
by Nicholas Deleon on August 11, 2010
Hold onto your hats. A new version of the Zeus trojan, called Zeus3, has wreaked havoc on thousands of bank accounts worldwide, stealing just over $1 million. The best part? There's pretty much no way to detect the trojan if it's on your system. Hooray for humanity, right?
The trojan first popped up last month, and has drained more than 3,000 bank accounts.
M86 Security, the first group to discover the trojan, says:
We've never seen such a sophisticated and dangerous threat. Always check your balance and have a good idea of what it is.
The last thing you want to do is hear a bank account-draining sophisticated trojan.
Oh, it only affects Windows systems. But you knew that already.
The scariest part is that the trojan, after clearing out your bank account, serves up a fake bank statement page. It looks like you have all of your money, but you actually have $50 left in your entire account.
Again, no current anti-malware software can detect the trojan, so for the time being you're on your own.
I suggest we all stop using the Internet to be safe. An overreaction? Yes, obviously, but this actually sounds like a nasty bit of malware.
Beware!
If you want on or off the Mac Ping List, Freepmail me.
BTTT!
There is little in the analysis by M86 that leads me to believe that this attack would not work on OS X:
http://www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf
A big piece of this attack is social engineering. Apparently, the British are a very gullible people.
But then again, we knew that already.
A good reminder to people that a virtual machine is still a machine that can get infected like any other Windows installation. The host doesn’t automatically put up some magic protection for the VM, and being on Mac hardware doesn’t magically protect Windows running in Boot Camp.
Plus with the host/client integration these days, and that OS X can now natively read Boot Camp partitions, VMs could become an unexpected vector for stuff that can harm your Mac.
I think the key thing here is NOT to use your virtual Windows installation on your Mac for ANYTHING that interfaces with the Internet... do that from the Mac OSX side. Keep the Windows sandboxed, protected from harmful malware.
"In this case, the cybercriminals used the Eleonore Exploit Kit 1.4.1, which M86 Security Labs experts researched a year ago and continue to update regularly." Eleonore Exploit Kit takes advantage of several vulnerabilities that have remained unpatched in Internet Explorer, Adobe Reader, and Java. But it starts with the vulnerability in IE. It DOES require the user to download and execute the file to be infected, though, so it is a TROJAN.
That's an excellent idea. How do you do that? I want it to work like my 2nd internal hard drive which is used for storage only. I suppose a virus could hop over if I save something infected off the web to it, but I NEVER load ANY apps on my 2nd internal hd.
I'm waiting to be able to afford Win 7 because the lady at apple thought it would be better than running all the XP updates since I got my pc in 2003. I hope it is compatible with my current Win only apps.
If I can button up the Win side of the Mac, I won't have to worry about AV, a bonus.
Exactly why I think this attack would work on OS X. It requires a browser vuln and social engineering.
Both Safari and Mozilla have vulnerabilities that could be exploited. The exploit depends more on Javascript than anything else, and that’s why (once again) I tell people that Javascript is a huge security issue, only slightly less than ActiveX.
For many financial applications, this is not an option.
The problem herein for Mac users is that too much financial s/w is not being ported to the Mac, which is why they’re running goddamned Windows in a VM in the first place.
This sounds like an inside job, at least in part.
- Only one bank affected
- This wasn’t a simple username & password stealing Trojan. The C&C server supplied the bots with valid, appropriate Java transactions to be posted against the bank’s site in real-time. There was no guesswork in what was necessary to be sent for the desired result.
- The bank recently sacked two senior programmers - “Michael Bolton” and “Zamir Naga, Nag-, Naga-, NaGonnaWorkHereAnymore”
A while back some lady in the US not only got suckered by a 419 scam, but since she was a city employee she used city funds to pay the scammer, expecting to get it all back and more so nobody would be the wiser. Gullibility knows no borders.
Sometimes you need it to do that, especially for updates. But there are things you can do to cut your exposure. I definitely don't do any regular surfing through the VMs.
Is the bank missing a printer?
Someone took my stapler.
Time to unplug the cat5. ;’)
> That's an excellent idea. How do you do that?
The way I do it is by setting the Win guest VM's "network" settings to "Private network with host". That is, the VM sees a network, but the only other machine on it is the Mac. That way I can transfer files and whatnot, but without exposing the VM to the internet.
When I need to run Windows updates, I switch the setting to "NAT" so that the VM can see the internet during the update process. Then I switch it back to "Private".
Piece of cake. I'm using VMware Fusion on the Mac, BTW.
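The network toggle described in the post above, as an added example that is not the poster's own tooling: a POSIX shell script that switches a VMware guest's first virtual NIC between host-only (Fusion's "Private network with host") and NAT by rewriting the ethernet0.connectionType key in the guest's .vmx file. It assumes that key name and that the VM is powered off while its .vmx is edited; the sample .vmx contents are constructed.

```shell
#!/bin/sh
# Added example: flip a VMware guest between an isolated host-only network
# (day-to-day use) and NAT (only while fetching Windows updates).
# Assumes the standard vmx key ethernet0.connectionType and a powered-off VM.
set -eu

# set_vm_network <path-to.vmx> <hostonly|nat>
set_vm_network() {
    vmx="$1"
    mode="$2"
    case "$mode" in
        hostonly|nat) ;;
        *) echo "unsupported mode: $mode" >&2; return 1 ;;
    esac
    # Rewrite the key in place if present, otherwise append it.
    if grep -q '^ethernet0\.connectionType' "$vmx"; then
        sed -i.bak "s/^ethernet0\.connectionType *=.*/ethernet0.connectionType = \"$mode\"/" "$vmx"
        rm -f "$vmx.bak"
    else
        printf 'ethernet0.connectionType = "%s"\n' "$mode" >> "$vmx"
    fi
}

# get_vm_network <path-to.vmx>: print the current mode (empty if unset)
get_vm_network() {
    sed -n 's/^ethernet0\.connectionType *= *"\(.*\)".*/\1/p' "$1"
}

# Constructed sample .vmx fragment so the script runs offline.
DEMO_VMX="${TMPDIR:-/tmp}/demo-win-guest.vmx"
cat > "$DEMO_VMX" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "Windows guest (demo)"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
EOF

# Lock the guest to the host-only network, then open NAT only for updates.
set_vm_network "$DEMO_VMX" hostonly
echo "network now: $(get_vm_network "$DEMO_VMX")"
set_vm_network "$DEMO_VMX" nat
echo "network now: $(get_vm_network "$DEMO_VMX")"
set_vm_network "$DEMO_VMX" hostonly
```

Power the guest off before running it; Fusion reads the .vmx on power-on, so a change made while the VM is running is not picked up and may be overwritten when it is suspended.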
Notice the common thread... “running Windows”.