Free Republic
U.K. bank hit by massive fraud from ZeuS-based botnet
Network World ^ | August 10, 2010 09:31 AM ET | By Ellen Messmer, Network World

Posted on 08/11/2010 12:01:11 PM PDT by Swordmaker

Security firm M86 says attack has cost the bank almost $900,000

Security vendor M86 Security says it's discovered that a U.K.-based bank has suffered almost $900,000 (675,000 Euros) in fraudulent bank-funds transfers due to the ZeuS Trojan malware that has been targeting the institution.

Bradley Anstis, vice president of technology strategy at M86 Security, said the security firm uncovered the situation in late July while tracking how one ZeuS botnet had been specifically going after the U.K.-based bank and its customers. The botnet included a few hundred thousand PCs and even about 3,000 Apple Macs, and managed to steal funds from about 3,000 customer accounts through unauthorized transfers equivalent to roughly $892,755.

Anstis declined to name the bank. He said the botnet used in the attack is based on version 3.0 of the ZeuS malware and appears to be controlled from Eastern Europe, with a server hosted in Moldova.

From the investigation into the botnet's server operations, M86 Security has found the criminals controlling the botnet waited until accounts reached at least 800 Euros before initiating a fraudulent funds transfer from the victim's compromised machine to a number of other accounts used by money mules who would forward the funds on to Eastern Europe.

Anstis says the victimized bank was offering "free security software" to customers but it wasn't clear if this software, which M86 declined to name, was in use when the fraudulent transfers were made. Anstis says the process of notifying the bank to let it know what M86 Security has discovered about the botnet was a somewhat frustrating experience.

"It took us a week and a half of running around," says Anstis, trying to get the attention of the security department there when M86 Security was not a known entity to them. M86 Security says it is publishing a report today about its findings.

It has been known for over a month that Trojan writers, by means of a ZeuS-based botnet, have been targeting U.K.-based banks and the Trusteer security software Rapport, which is used by U.K.-based HSBC, among others. Anstis declined to confirm or deny that HSBC was the bank in question.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: microsofttax
Upon investigation, I learn that ~3000 Macs that were part of the Zeus BotNet were running WINDOWS in either BootCamp or VMWare or Parallels instances... not OSX of any flavor.

The BotNet is spreading a very hard to detect Trojan plug-in for Internet Explorer... that empties UK bank accounts at a specific bank. It leaves approximately $50 equivalent in the account but when a victim checks his account online, it puts up a FAKE page showing all the money is still in the account.

New ‘Sophisticated’ Trojan, Which Is Undetectable, Has Emptied Bank Accounts Worldwide

by Nicholas Deleon on August 11, 2010

Hold onto your hats. A new version of the Zeus trojan, called Zeus3, has wreaked havoc on thousands of bank accounts worldwide, stealing just over $1 million. The best part? There’s pretty much no way to detect the trojan if it’s on your system. Hooray for humanity, right?

The trojan first popped up last month, and has drained more than 3,000 bank accounts.

M86 Security, the first group to discover the trojan, says:

We’ve never seen such a sophisticated and dangerous threat. Always check your balance and have a good idea of what it is.

The last thing you want to do is hear a bank account-draining sophisticated trojan.

Oh, it only affects Windows systems. But you knew that already.

The scariest part is that the trojan, after clearing out your bank account, serves up a fake bank statement page. It looks like you have all of your money, but you actually have $50 left in your entire account.

Again, no current anti-malware software can detect the trojan, so for the time being you're on your own.

I suggest we all stop using the Internet to be safe. An overreaction? Yes, obviously, but this actually sounds like a nasty bit of malware.

Beware!


1 posted on 08/11/2010 12:01:13 PM PDT by Swordmaker

To: ~Kim4VRWC's~; 1234; 50mm; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
Large Zeus3 BotNet that includes ~3000 Macs running virtualized Windows and over 100,000 PCs is spreading a Trojan that has stolen almost $1 million from a UK bank -PING!

Please!
No Flame Wars allowed!
Discuss hardware.
Don't attack people!


Apple and Windows Security Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 08/11/2010 12:07:12 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone!)

To: Swordmaker

BTTT!


3 posted on 08/11/2010 12:16:58 PM PDT by LibWhacker (America awake!)

To: LibWhacker

http://antivirus.about.com/od/virusdescriptions/a/botnet.htm

Are you in a botnet? Read above.


4 posted on 08/11/2010 12:28:26 PM PDT by Wooly

To: Swordmaker

There is little in the analysis by M86 that leads me to believe that this attack would not work on OS X:

http://www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf

A big piece of this attack is social engineering. Apparently, the British are a very gullible people.

But then again, we knew that already.


5 posted on 08/11/2010 12:32:39 PM PDT by NVDave

To: Swordmaker

A good reminder to people that a virtual machine is still a machine that can get infected like any other Windows installation. The host doesn’t automatically put up some magic protection for the VM, and being on Mac hardware doesn’t magically protect Windows running in Boot Camp.

Plus with the host/client integration these days, and that OS X can now natively read Boot Camp partitions, VMs could become an unexpected vector for stuff that can harm your Mac.


6 posted on 08/11/2010 12:34:34 PM PDT by antiRepublicrat

To: antiRepublicrat
Plus with the host/client integration these days, and that OS X can now natively read Boot Camp partitions, VMs could become an unexpected vector for stuff that can harm your Mac.

I think the key thing here is NOT to use your virtual Windows installation on your Mac for ANYTHING that interfaces with the Internet... do that from the Mac OSX side. Keep the Windows sandboxed, protected from harmful malware.

7 posted on 08/11/2010 12:46:41 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone!)

To: Swordmaker
It's not clear from the article how the trojan got on a user's computer. Was the trojan embedded in the "free security software" that the bank offered to its customers? Or was it part of some other installation?
8 posted on 08/11/2010 12:49:04 PM PDT by stripes1776

To: NVDave
There is little in the analysis by M86 that leads me to believe that this attack would not work on OS X:

"In this case, the cybercriminals used the Eleonore Exploit Kit 1.4.1, which M86 Security Labs experts researched a year ago and continue to update regularly."
Eleonore Exploit Kit takes advantage of several vulnerabilities that have remained unpatched in Internet Explorer, Adobe Reader, and Java. But it starts with the vulnerability in IE. It DOES require the user to download and execute the file to be infected, though, so it is a TROJAN.
9 posted on 08/11/2010 12:54:08 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone!)

To: Swordmaker
Keep the Windows sandboxed, protected from harmful malware.

That's an excellent idea. How do you do that? I want it to work like my 2nd internal hard drive which is used for storage only. I suppose a virus could hop over if I save something infected off the web to it, but I NEVER load ANY apps on my 2nd internal hd.

I'm waiting to be able to afford Win 7 because the lady at Apple thought it would be better than running all the XP updates since I got my PC in 2003. I hope it is compatible with my current Win-only apps.

If I can button up the Win side of the Mac, I won't have to worry about AV, a bonus.

10 posted on 08/11/2010 1:00:28 PM PDT by Aliska

To: Swordmaker

Exactly why I think this attack would work on OS X. It requires a browser vuln and social engineering.

Both Safari and Mozilla have vulnerabilities that could be exploited. The exploit depends more on Javascript than anything else, and that’s why (once again) I tell people that Javascript is a huge security issue, only slightly less than ActiveX.


11 posted on 08/11/2010 1:01:59 PM PDT by NVDave

To: Swordmaker

For many financial applications, this is not an option.

The problem herein for Mac users is that too much financial s/w is not being ported to the Mac, which is why they’re running goddamned Windows in a VM in the first place.


12 posted on 08/11/2010 1:03:20 PM PDT by NVDave

To: Swordmaker

This sounds like an inside job, at least in part.

- Only one bank affected
- This wasn’t a simple username & password stealing Trojan. The C&C server supplied the bots with valid, appropriate Java transactions to be posted against the bank’s site in real-time. There was no guesswork in what was necessary to be sent for the desired result.
- The bank recently sacked two senior programmers - “Michael Bolton” and “Zamir Naga, Nag-, Naga-, NaGonnaWorkHereAnymore”


13 posted on 08/11/2010 1:04:35 PM PDT by ConservativeWarrior (In last year's nests, there are no birds this year.)

To: NVDave
Apparently, the British are a very gullible people.

A while back some lady in the US not only got suckered by a 419 scam, but since she was a city employee she used city funds to pay the scammer, expecting to get it all back and more so nobody would be the wiser. Gullibility knows no borders.

14 posted on 08/11/2010 1:26:20 PM PDT by antiRepublicrat

To: Swordmaker
I think the key thing here is NOT to use your virtual Windows installation on your Mac for ANYTHING that interfaces with the Internet...

Sometimes you need it to do that, especially for updates. But there are things you can do to cut your exposure. I definitely don't do any regular surfing through the VMs.

15 posted on 08/11/2010 1:35:42 PM PDT by antiRepublicrat

To: ConservativeWarrior
The bank recently sacked two senior programmers - “Michael Bolton” and “Zamir Naga, Nag-, Naga-, NaGonnaWorkHereAnymore”

Is the bank missing a printer?

16 posted on 08/11/2010 1:37:06 PM PDT by antiRepublicrat

To: antiRepublicrat

Someone took my stapler.


17 posted on 08/11/2010 1:47:56 PM PDT by domeika

To: Swordmaker

Time to unplug the cat5. ;’)


18 posted on 08/11/2010 3:20:47 PM PDT by SunkenCiv ("Fools learn from experience. I prefer to learn from the experience of others." -- Otto von Bismarck)

To: Aliska; Swordmaker
>> Keep the Windows sandboxed, protected from harmful malware.

> That's an excellent idea. How do you do that?

The way I do it is by setting the Win guest VM's "network" settings to "Private network with host". That is, the VM sees a network, but the only other machine on it is the Mac. That way I can transfer files and whatnot, but without exposing the VM to the internet.

When I need to run Windows updates, I switch the setting to "NAT" so that the VM can see the internet during the update process. Then I switch it back to "Private".

Piece of cake. I'm using VMware Fusion on the Mac, BTW.

19 posted on 08/11/2010 4:18:34 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
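The host-only/NAT toggle described in the post above, as an added example that is not from the poster or from VMware: it edits the guest's `.vmx` file, assuming (as the VMware documentation describes) that Fusion's "Private network with host" setting corresponds to `ethernet0.connectionType = "hostonly"` and the "NAT" setting to `"nat"`. The `.vmx` written here is a constructed sample; point `VMX` at the real file with the guest shut down.

```shell
#!/bin/sh
# Added example: switch a VMware Fusion guest's first vNIC between host-only
# (isolated, day-to-day) and NAT (only while running Windows Update).
# Assumption: the GUI choices map to the .vmx key ethernet0.connectionType.
set -eu

VMX="${1:-/tmp/example-win7.vmx}"   # constructed sample path; pass the real .vmx as $1

# Write a constructed sample .vmx so the script runs offline for illustration.
make_sample_vmx() {
  cat > "$VMX" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "Windows 7 (constructed example)"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.addressType = "generated"
EOF
}

# Report the current mode of ethernet0 ("hostonly", "nat", ...).
vm_net_mode() {
  sed -n 's/^ethernet0\.connectionType = "\(.*\)"$/\1/p' "$VMX"
}

# Set the mode; only the two values the post uses are accepted.
vm_set_net() {
  case "$1" in
    hostonly|nat) ;;
    *) echo "mode must be hostonly or nat" >&2; return 1 ;;
  esac
  # Write via a temp file: BSD sed -i (macOS) and GNU sed -i differ.
  sed "s/^ethernet0\.connectionType = \".*\"$/ethernet0.connectionType = \"$1\"/" \
    "$VMX" > "$VMX.tmp"
  mv "$VMX.tmp" "$VMX"
}

make_sample_vmx
vm_set_net hostonly        # isolate the guest: it only sees the Mac
echo "mode now: $(vm_net_mode)"
vm_set_net nat             # temporarily, for Windows Update
echo "mode now: $(vm_net_mode)"
vm_set_net hostonly        # and back to isolated
echo "mode now: $(vm_net_mode)"
```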

To: Swordmaker

Notice the common thread... “running Windows”.


20 posted on 08/11/2010 4:30:09 PM PDT by TheBattman (They exchanged the truth about God for a lie and worshiped and served the creature...)

