Posts Tagged ‘Money Mules’


Customers of Global Financial Institution Hit by Cybercrime

By Bradley Anstis  •  August 10th, 2010  •   Reports

Today, we released a report of an attack targeting the UK customers of a global financial institution. This attack has been ongoing since early July, and our research has discovered that approximately 3000 customers of this financial institution have fallen victim to it. We’ve estimated that close to £675,000 GBP (over $1 Million USD) has been stolen from customer accounts.

The M86 Security Labs team detected this illegal operation after discovering a malicious code attack used to infect users’ PCs with a Trojan. The team then followed the trail to a Command & Control center. The research reveals that the cybercriminals used a combination of exploit kits, the new Zeus v3 Trojan, and money mule accounts to compromise user systems, successfully avoid anti-fraud systems, and rob bank accounts. The whole operation shows a high degree of technical sophistication and complexity, and highlights the continuing and escalating battle we have with cybercrime.

Our report exposes the architecture, business model, tools and methods used by the cybercriminal operation behind this attack. You can download a copy of the report here.

The image below illustrates one of the cybercriminals’ admin panels, showing financial transactions from compromised accounts sent to money mule accounts.

Admin panel showing financial transactions from compromised accounts sent to Money Mule accounts

M86 Security representatives have informed relevant law enforcement agencies of all criminal activities and methods used by the perpetrators of this attack.



Malware Analysis – Trojan Banker URLZone/Bebloh

By Daniel Chechik  •  September 30th, 2009  •   Malware

In our recent Cybercrime Intelligence report, we described a cybercriminal process of robbing money from bank accounts, using money mules and Trojans.

In this blog post, we will provide more technical detail about the Trojan Banker URLZone/Bebloh that they used.

URLZone is a Trojan kit: the attacker uses the “URLZone Builder” to create a configuration file containing precise orders for the bot, so the attacker can target any bank he wants (the Cybercrime Intelligence report describes how the bot activates the account). URLZone successfully bypassed the German banks’ “One Time Password” protection, a technique that gives the user a new password every time he logs into his account, so that stolen usernames and passwords are worthless on their own. To succeed, the malware must run inside the browser, change the transaction parameters, and fool the user into approving a fraudulent money transfer from his account.

Let’s now take a step-by-step look at how the Trojan operates.

Once the malware is executed, it copies itself to c:\uninstall02.exe. It then creates an ID and sends it with the version ID of the malware to the Command & Control (C&C) in order to confirm that the infected machine now contains the latest version of the malware.

The C&C logs the information and writes it to REQ[x].txt:
10:57:38 2009-09-24 GMT *****User ID**** ****IP****** 200908291825

Once the new executable is downloaded, it is copied to SYSTEM32 under a random name, with the hidden attribute set and timestamps matching those of the operating system files.

Following is a screenshot of Virus Total scan results (2/41) for the latest generated malware:

It is important to mention that URLZone (just like Zeus/Zbot and others) cannot operate on its own: it is just a bot that hooks into system processes and hides itself. The logic of the malware lives in the configuration file, in our case the INJECT file. The malware’s next step is therefore to download the configuration file.

Snippet code of the obfuscated configuration file:

The new generated configuration file is stored locally and is encrypted.

The malware itself doesn’t change any system files. In order to keep working after the victimized machine’s restart, it adds itself to the startup registry.

The malware registers itself as the “Debugger” value for the file “userinit.exe”. This ensures that every time “userinit.exe” is launched, the malware runs instead.
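
The “Debugger” value described above lives under the Image File Execution Options (IFEO) registry key, so an analyst can look for this persistence in an exported registry hive. The following Python is an added example written for this post, not the original author’s or M86’s code: it parses a constructed .reg export (the userinit.exe entry and the debugger path are made up to mirror the post; the IFEO key path is the standard one) and reports every IFEO subkey that carries a Debugger value.

```python
# Added example (not from the original post): scan a Windows registry export
# (.reg text) for "Debugger" values under Image File Execution Options, the
# mechanism the post describes for userinit.exe persistence.
import re
from typing import Dict, List

# Standard IFEO key; every subkey is named after the executable it applies to.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
               "\\CurrentVersion\\Image File Execution Options\\")

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="value" string lines. Returns {key: {value_name: value}}.
    Non-string values (dword:, hex:) are skipped on purpose."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
            continue
        value = re.fullmatch(r'"([^"]+)"="((?:[^"\\]|\\.)*)"', line)
        if value and current is not None:
            # .reg files double every backslash inside string values.
            keys[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys

def find_ifeo_debuggers(text: str) -> List[dict]:
    """Return each IFEO subkey that carries a Debugger value, giving the
    hijacked executable and the path that will run in its place."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        # Registry value names are case-insensitive, so compare lowercased.
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is not None:
            findings.append({"target": key[len(IFEO_PREFIX):], "debugger": debugger})
    return findings

# Constructed sample export. RANDOMNAME.exe is a placeholder: the post says the
# dropped file gets a random name in SYSTEM32. The notepad.exe entry is a benign
# GlobalFlag setting included to show that only Debugger values are reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="C:\\WINDOWS\\system32\\RANDOMNAME.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

if __name__ == "__main__":
    for hit in find_ifeo_debuggers(SAMPLE_REG):
        print(f"IFEO debugger set for {hit['target']}: {hit['debugger']}")
```

On a live system the same input can be produced with `reg export` of the IFEO key; any Debugger value pointing at a file outside the expected debugger tooling deserves a closer look, since legitimate uses of this value are rare on end-user machines.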
The malware hooks itself into the “svchost.exe” process and checks the C&C server every 3 hours for new commands and updates. Behind the scenes, the malware checks every second whether a new instance of one of the following applications has been started:

  • myie.exe
  • iexplore.exe
  • firefox.exe
  • mozilla.exe
  • avant.exe
  • maxthon.exe
  • thebat.exe
  • explorer.exe

Once the malware recognizes that one of the above has been created, it hooks into it. The basic goal of the malware (even without the configuration file) is to collect any credentials submitted by the user over HTTPS.

In case you wonder why the malware doesn’t collect credentials from all websites (even those using HTTPS), the answer is simple: the malware uses techniques to evade security appliances. It limits itself to collecting data sent by the user with the POST method and smaller than 2,000 bytes, as shown below:

So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user. Once the user opens his browser, the malware decrypts the configuration file:

The decrypting algorithm is pretty simple:
res = ""
for i in configuration_file:
    res += chr(255 ^ ord(i))  # XOR every byte with 0xFF
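
Because XOR with a constant is its own inverse, the same loop both obfuscates and de-obfuscates the file. The following Python is an added example written for this post, not the original author’s or M86’s code: it packages the XOR-0xFF transform as a reusable function working on bytes (so it runs unchanged on Python 3), and adds a sanity check that the decoded file contains the postbank.de section the post shows. The sample configuration fragment is constructed; only the section name follows the post.

```python
# Added example (not from the original post): de-obfuscator for URLZone-style
# configuration files, which the post describes as each byte XORed with 0xFF.

def xor_ff(data: bytes) -> bytes:
    """Apply the byte-wise XOR-0xFF transform; calling it twice returns the input."""
    return bytes(b ^ 0xFF for b in data)

def deobfuscate_config(blob: bytes, marker: bytes = b"postbank.de") -> str:
    """Decode a captured configuration blob and sanity-check the result.

    The marker check is a heuristic added here: the post shows the decoded
    file containing a postbank.de section, so its absence suggests the blob
    uses a different scheme or is a different sample."""
    decoded = xor_ff(blob)
    if marker not in decoded:
        raise ValueError("decoded data lacks the expected marker; wrong scheme?")
    # latin-1 maps every byte to a character, so nothing raises on odd bytes.
    return decoded.decode("latin-1")

def deobfuscate_file(path: str) -> str:
    """Convenience wrapper for a configuration file captured on disk."""
    with open(path, "rb") as fh:
        return deobfuscate_config(fh.read())

# Constructed sample: a made-up fragment obfuscated the same way so the example
# runs offline. The keys are invented, not taken from a real INJECT file.
SAMPLE_PLAINTEXT = b"[postbank.de]\nTARGET_URL=https://example.invalid/login\n"
SAMPLE_BLOB = xor_ff(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(deobfuscate_config(SAMPLE_BLOB))
```

The marker check matters in practice: a blob that was not XOR-0xFF obfuscated still decodes without error, just into garbage, so a positive check on known content is the only way the script can tell the two apart.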

Snippet code of the de-obfuscated configuration file:

The configuration file contains several sections, among them postbank.de (we are able to follow the malware’s steps using the screenshots it takes on the victim’s machine and transmits to the C&C server):

The malware manages to hook at the exact moment when the victim confirms his transaction. Once the user approves the transaction the malware changes details and sends it to the server.

From the configuration file we can see the following:

In order not to raise any suspicion, the malware verifies that the user will only see what he expects.

As can be seen in the screenshot above, the malware manipulates the statistics page of the user’s account, making it look like the transaction completed successfully. However, if we look at the server-side reports, we see exactly how much money was actually transferred.

As can be seen from the server log above, the malware identifies that the user is limited to a maximum transfer of 2000 Euro (INET_LIMIT=2000), so it transferred 1900 Euro (AMOUNT=1900.00) to the money mule account named in the DROPNAME variable.

The following screenshot shows the VirusTotal detection rate (5/41) for the latest version of the URLZone/Bebloh malware (29.9.09):
MD5: 27E8351A5B0BEA5EF15C6681007FDEE5




Phishing for Jobs

By Anonymous  •  August 23rd, 2006  •   Cybercrime Phishing

Ever noticed random job offers spammed to your inbox? They seem to offer easy money, and minimal work. These ‘offers’ usually have the following characteristics:

• They want you to use a bank account.
• They involve transfers of money in and out of the account.
• You are paid a commission on the amount transferred.

Here is an excerpt from a recent job offer:

Job Offer

Sound suspicious? You would be right to think so. The offers are from criminals seeking to use your account to launder their ill-gotten gains. The scam aims to convert stolen personal and financial data into cash, and is often quite elaborate with real looking companies and websites. While the email phishers grab the limelight for stealing your personal data, these guys are in the background putting the stolen IDs to use.

There seem to be distinct commonalities between certain phishing and ‘job offer’ spam, suggesting that the same people are behind both. The Marshal TRACE team has analyzed job offer spam and discovered several unique traits of message content and style that are shared with phishing spam.

If you sign up to one of these schemes, you’ll become an unwitting collaborator in handling stolen money and goods – a “mule”. Mules help to keep goods flowing through a distribution system, and they insulate the real criminals from the police by making it harder to track financial transactions.

Users should ignore and delete suspicious email job offers. If you get involved in such schemes you may find yourself in trouble with the police.
