I have dealt with cyber crime in a number of previous posts, such as the 21st Century heists series. This post chronicles a recent event that touches on some of the themes tackled in that series. Finjan has recently released a report about yet another case of high-tech bank robbery.
The theft combined several technical steps with social engineering.
The first step involved infecting victims’ computers with a Trojan. This was accomplished using the LuckySploit toolkit, which exploits browsers and allows hidden installation of payloads; in this case a sophisticated Trojan called “URL Zone Bank Trojan” was installed on the victim’s computer.
Once installed, the Trojan would contact a command and control system. As stated previously, this Trojan was quite sophisticated in that its purpose was not simply to steal money but to do so intelligently and to cover the perpetrators’ tracks as well as possible. The command and control system instructed the Trojan on how to operate. The Trojan would receive instructions such as the minimum amount to transfer, the maximum amount, which accounts to transfer the money to and the minimum account balance. The Trojan would then piggyback on an actual transaction made by the victim. When the transaction was complete, the Trojan would intercept the bank’s response and modify the values to show the amount the victim had wanted to transfer, thus hiding the real amount the Trojan had transferred to an unintended account. The Trojan would also fake the available balance reported by the bank to hide the fraudulent transaction. As long as the victim checks his banking statements online from his infected computer, he will never be aware of the stolen money. This ensures that the theft is likely to remain hidden until the next bank statement, or until the victim accesses his account from an ATM, which defeats the best practice of periodically checking your balance online to detect fraudulent activity.
The final step of this scheme involves social engineering. The perpetrators “hire” another set of victims to act as unknowing money mules. This is done by posting fake online jobs, most likely for mystery shoppers. Mystery shopping is a technique in which a business employs a person to pose as a normal shopper, buy items and record the experience as a way to measure various metrics such as employee efficiency, customer service and overall shopping experience. The Trojan would transfer the money to the money mules’ bank accounts rather than to the perpetrators directly, thus further covering the tracks. The mules would then be asked to keep a cut of the transferred money as a commission for their services and to transfer the rest to the perpetrators in some other untraceable fashion, such as money transfer services that require only a password to retrieve the funds.
This scheme netted the perpetrators a whopping average of €16,500 daily, which would mean more than €5 million per year if the scheme is successful and runs unchecked.
The lesson here is not to fully trust your computer. Trojans and rootkits are sometimes designed to make your computer lie to you, and as such it is not enough to check your accounts periodically using just your computer. While that is a very good practice, in this case it does not provide enough protection. I would recommend checking balances once a month, either by requesting that the bank send you periodic statements on your activity or via a short visit to an ATM. Some banks also offer services where they notify you by SMS about transactions and the amount spent. When available, this can be a very good tool for monitoring your account’s activity.
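The out-of-band check recommended above can be made systematic. The following is an added example, not code from Finjan's report or from this post: it compares what the browser displayed with what a paper statement or SMS alerts reported, and flags the amount, payee and balance mismatches this kind of Trojan produces. The record format, references, payees and amounts are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    ref: str         # bank transaction reference
    payee: str
    amount: Decimal  # Decimal avoids float rounding on currency


def reconcile(screen, screen_balance, statement, statement_balance):
    """Compare what the browser displayed with the bank's out-of-band record."""
    findings = []
    shown = {t.ref: t for t in screen}
    for s in statement:
        d = shown.pop(s.ref, None)
        if d is None:
            findings.append(f"{s.ref}: on statement, never shown on screen")
            continue
        if d.amount != s.amount:
            findings.append(f"{s.ref}: screen {d.amount}, bank {s.amount}")
        if d.payee.casefold() != s.payee.casefold():
            findings.append(f"{s.ref}: screen payee {d.payee!r}, bank {s.payee!r}")
    for ref in shown:  # displayed entries the bank has no record of
        findings.append(f"{ref}: shown on screen, absent from statement")
    if screen_balance != statement_balance:
        findings.append(f"balance: screen {screen_balance}, bank {statement_balance}")
    return findings


# Constructed sample data (hypothetical references, payees and amounts).
SCREEN = [Transfer("T1000", "Landlord", Decimal("900.00")),
          Transfer("T1001", "Utility Co", Decimal("250.00"))]
SCREEN_BALANCE = Decimal("8850.00")
# Same period as reported on a paper statement or by SMS alerts.
STATEMENT = [Transfer("T1000", "Landlord", Decimal("900.00")),
             Transfer("T1001", "J. Doe", Decimal("4800.00"))]
STATEMENT_BALANCE = Decimal("4300.00")

if __name__ == "__main__":
    for line in reconcile(SCREEN, SCREEN_BALANCE, STATEMENT, STATEMENT_BALANCE):
        print(line)
```

The comparison is only meaningful when the second record comes from a channel the infected computer cannot alter, such as a mailed statement, an ATM receipt or an SMS alert.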