Merchant of Fraud Returns – Shylock Polymorphic Financial Malware Infections on the Rise
Last September we blogged about a new polymorphic financial malware variant we had discovered. We codenamed it Shylock because every new build bundles random excerpts from Shakespeare's The Merchant of Venice in its binary. These are designed to change the malware’s file signature to avoid detection by anti-virus programs.
Cybercrime Factory Outlets – Fraudsters Selling Bulk Facebook, Twitter and Web Site Admin Credentials
Trusteer Research has discovered two cybercrime rings that are advertising what we refer to as a “Factory Outlet” of login credentials for different web sites including Facebook, Twitter and a leading website administration software called cPanel.
Once financial malware such as Zeus or SpyEye infects a machine, it is configured to attack specific online banking web sites. In addition to online banking credentials, the malware also captures the login credentials the victim's machine uses to access other web sites and web applications.
Malware Redirects Bank Phone Calls to Attackers
We have discovered a concerning development in some new Ice IX configurations that are targeting online banking customers in the UK and US. Ice IX is a modified variant of the ZeuS financial malware platform. In addition to stealing bank account data, these Ice IX configurations are capturing information on telephone accounts belonging to the victims. This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers.
The Internet is not Free – Carberp Targets French Broadband Subscribers
Last year, Carberp emerged on the online banking fraud scene as a competitor to the dominant financial malware platforms Zeus and SpyEye. We recently discovered a configuration of Carberp that targets Free, a French broadband Internet service provider (ISP). The attack is designed to steal debit card and bank information using a Man in the Browser (MitB) attack.
Carberp Steals e-cash Vouchers from Facebook Users
Recently, we came across a new configuration of the Carberp Trojan that targets Facebook users to commit financial fraud. Unlike previous Facebook attacks designed to steal user credentials from the log-in page, this version attempts to steal money by duping the user into divulging an e-cash voucher.
Post Transaction Attacks Expose Weaknesses in Fraud Prevention Controls
A recent FBI warning on the Zeus variant called Gameover reveals that high detection accuracy of fraudulent transactions is not enough to prevent cybercrime. This new attack is specifically designed to circumvent post transaction fraud prevention measures. Here’s an excerpt from the FBI statement:
Gift Wrapped Attacks Concealed Online Banking Fraud during 2011 Holiday Season
Post Transaction Fraud Schemes Erased Evidence of Account Theft from Online Statements!
Many of us tend to spend a little more than we intend during the holiday season and, with all the transactions hitting our accounts, it can be hard to keep track. During the final few weeks of 2011, we saw fraudsters take advantage of this trend with their latest fraud scheme.
Cybercrime Services Ramp Up to Provide One-Stop-Shop to Meet Demand from Fraudsters
Anti Virus (AV) Checkers, Malware Encryption and Infection Services Feel the Heat
Services for fraudsters utilizing malware are not new – Anti Virus (AV) Checkers, Malware Encryption and Malware Infection services have existed in the criminal underground market for several years. However, recent Trusteer Research has indicated changes in service scope and price due to service convergence and demanding buyers.
So What’s New?
Apply Security Online to Protect Yourself Offline
As part of this week's 'Get Safe Online' campaign in the United Kingdom, Trusteer have issued a warning that fraudulent phone calls are becoming an increasingly popular way for criminals to commit ID theft, and that everyone needs to be on their guard to avoid falling victim, on or offline. One possible use for these bogus 'bank' calls is to exploit personal identification information stolen using malware: it gives fraudsters credibility as they collect the missing details required to 'pull off' their scams.
Webinjects For Sale on the Underground Market
I thought you should know that cybercriminals have been busy developing webinjects for Zeus and SpyEye to orchestrate and develop malevolent attacks against certain brands. Webinjects are malware configuration directives that are used to inject rogue content into the web pages of bank websites to steal confidential information from the institution's customers. And it's not a contained problem, as Tanya Shafir from Trusteer's research team has discovered that these webinjects are actually being offered for sale on many open internet forums!