It took only a month to compromise some 3,000 private and business accounts held with one of the largest financial institutions in the U.K., warns M86 Security in its latest white paper.
The criminals compromised legitimate websites and used them to serve the Eleonore and Phoenix exploit kits, which exploited vulnerabilities in visitors' browsers to drop the latest variant (v3) of the well-known ZeuS Trojan onto their machines.
ZeuS springs into action the moment a user accesses an online banking account, manipulating the bank transactions so that the money is sent to accounts from which money mules are instructed to withdraw it.
When the Trojan contacts the botnet C&C server for instructions, it receives a configuration file listing specific online banking sites; whenever the user visits one of them, the Trojan reports back to the C&C. Through the resulting exchange of data between the Trojan and the C&C, the victim's login credentials are captured and the transaction is redirected to a bank account controlled by money mules, who may be witting or unwitting accomplices. To avoid quick detection, each mule account is used only a handful of times, and the amount moved in a single transfer is rarely over $5,000.
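The evasion pattern described above (each mule account used only a few times, single transfers kept under roughly $5,000) is exactly what a bank's fraud team can turn into a detection heuristic on the outbound-payments side: a beneficiary account that suddenly receives sub-threshold transfers from several unrelated customers within a short window looks like a mule account. The following is an added example written for this page, not code from M86 Security or from the white paper; the transfer records, account numbers and thresholds are constructed for illustration, and real deployments would tune the window and counts against their own traffic.

```python
"""Flag beneficiary accounts that look like money-mule drops.

Heuristic derived from the tradecraft described in the article:
  * amounts stay below a cap (here $5,000) to avoid transaction limits,
  * each destination account is used only a handful of times,
  * so a destination receiving small transfers from several distinct
    customers in a short window is suspicious.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    when: datetime
    payer: str          # the bank's own customer (potential victim)
    beneficiary: str    # destination account (sort code + account number)
    amount: float


def suspicious_beneficiaries(transfers, max_amount=5000.0,
                             min_distinct_payers=3, window=timedelta(days=7),
                             allowlist=frozenset()):
    """Return {beneficiary: [transfers]} for destinations that receive
    sub-cap transfers from >= min_distinct_payers distinct customers
    inside any sliding `window`.  Known-good payees (payroll, utilities,
    landlords) go in `allowlist` to cut false positives."""
    by_dest = defaultdict(list)
    for t in transfers:
        # Transfers above the cap are not part of the pattern; skip them.
        if t.amount <= max_amount and t.beneficiary not in allowlist:
            by_dest[t.beneficiary].append(t)

    flagged = {}
    for dest, ts in by_dest.items():
        ts.sort(key=lambda t: t.when)
        start = 0
        for end in range(len(ts)):
            # Slide the window start forward until it fits the window.
            while ts[end].when - ts[start].when > window:
                start += 1
            payers_in_window = {t.payer for t in ts[start:end + 1]}
            if len(payers_in_window) >= min_distinct_payers:
                flagged[dest] = ts
                break
    return flagged


def summarize(flagged):
    """Per flagged destination: number of distinct victims and total moved."""
    return {
        dest: {"victims": len({t.payer for t in ts}),
               "total": round(sum(t.amount for t in ts), 2)}
        for dest, ts in flagged.items()
    }


# Constructed sample data, not real transactions.
SAMPLE_TRANSFERS = [
    # Four different customers pay one new account within three days,
    # each just under the $5,000 cap: the mule pattern.
    Transfer(datetime(2010, 8, 1, 9, 5), "cust-1001", "20-00-00 11111111", 4900.00),
    Transfer(datetime(2010, 8, 1, 14, 20), "cust-1042", "20-00-00 11111111", 3750.00),
    Transfer(datetime(2010, 8, 2, 10, 0), "cust-1077", "20-00-00 11111111", 4200.00),
    Transfer(datetime(2010, 8, 3, 16, 45), "cust-1090", "20-00-00 11111111", 2980.00),
    # One customer paying a utility monthly: a single payer, not a mule pattern.
    Transfer(datetime(2010, 7, 1, 8, 0), "cust-1001", "40-00-00 22222222", 120.00),
    Transfer(datetime(2010, 8, 1, 8, 0), "cust-1001", "40-00-00 22222222", 120.00),
    # A large one-off transfer above the cap: excluded from the heuristic.
    Transfer(datetime(2010, 8, 2, 11, 0), "cust-1042", "60-00-00 33333333", 25000.00),
    # Two customers paying one tradesman weeks apart: never three payers in a week.
    Transfer(datetime(2010, 7, 5, 9, 0), "cust-1077", "30-00-00 44444444", 800.00),
    Transfer(datetime(2010, 8, 20, 9, 0), "cust-1090", "30-00-00 44444444", 650.00),
]


if __name__ == "__main__":
    for dest, info in summarize(suspicious_beneficiaries(SAMPLE_TRANSFERS)).items():
        print(f"{dest}: {info['victims']} victims, ${info['total']:,.2f} moved")
```

The sliding window matters because the criminals keep each drop account short-lived; a lifetime count of distinct payers would also catch legitimate shared payees such as a landlord collecting rent from several tenants, which is why the allowlist parameter exists. This is a triage heuristic for analysts, not a blocking control on its own.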
In this particular case, only this one bank was targeted. According to DarkReading, M86 Security does not name the bank because a law enforcement investigation is currently under way. The defrauded customers all reside in the U.K., but the bank also has a large customer base in the U.S.
All in all, it seems that so far this criminal group has managed to steal over $1 million from the victims. But Bradley Antsis of M86 says that this is just a drop in the ocean. This wide-net, automated approach is a successful modus operandi for the criminals, and unpatched systems and out-of-date applications make users vulnerable.
Mickey Boodaei, CEO of Trusteer, says that the fact that AVG, M86 and Trusteer have uncovered three distinct ZeuS botnets in the same period of time doesn’t bode well for users. Gunter Ollmann of Damballa says that at the moment, his firm is tracking “about 300 different botnet groups that specialize and rely heavily on Zeus malware.”