Trojan attack steals over $1 million from online banking accounts
August 10, 2010
According to various security researchers, a Trojan attack has led to the fraudulent withdrawal of more than $1 million from online banking accounts maintained with a U.K. bank since the beginning of July.
Internet-based scripts that contain malicious code based on the now infamous Zeus cybercrime toolkit are being used to withdraw money via the bank's online banking system. Researchers at M86 Security Labs came across the attack after discovering the botnet's command & control centre, which is hosted in Moldova. The bank's name will remain undisclosed, however.
Victims were infected by a Zeus banking Trojan variant while browsing the Internet. The Trojan swiped the customer's online banking ID number and hijacked their banking sessions, reportedly only targeting victims who had substantial balances left in their account.
"The malware checks the account balance and, if the account balance is bigger than a GBP 800 value, it automatically issues a money transfer transaction," M86 reports.
Such attacks include the use of phishing middlemen to obtain funds from compromised accounts and transfer them by untraceable wire transfers to the Eastern European masterminds behind the crimes.
Early explanations of the attack still leave a number of questions unanswered as of today, such as the name of the bank targeted, the apparent use of a technique that dispenses with the use of phishing middlemen, and what steps have been taken to shut down the attack.
From July 5th, the cyber criminals have successfully stolen £675,000 (US $1,077,000) and the attack is still progressing, according to M86 Security, a global provider of security solutions.
Last month, a former IT insider and system admin for the Bank of New York admitted to stealing personal information of about 2,000 bank employees and using that information to steal more than $1 million from charity bank accounts, New York City prosecutors said late Friday.
The twenty-seven-year-old individual's name is Adeniyi Adeyemi, and he used his position as a contract computer technician at the bank's headquarters to steal the personal identifying information of 2,000 employees, most of whom worked in the IT department.
Over an 8-year span, he used the information to set up dummy bank accounts in the employees' names and then transfer stolen funds from at least 11 charities throughout the world.
Adeyemi used publicly available routing numbers for the charities to initiate wire transfers through financial sites such as E-Trade and Fidelity and deposit them into the dummy accounts. To better cover his tracks, he then transferred the funds to a second layer of dummy accounts, according to a press release issued by the New York City District Attorney.
He also used the stolen employee data to steal directly from his co-workers by changing the contact information with their banks and taking control of their online accounts. In all, his scheme netted him about $1.1 million, U.S. federal prosecutors said.
To prevent his scheme from being detected, he structured transfers to be just below the $10,000 threshold that requires financial institutions to report the transactions to authorities.
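One way a bank's transaction monitoring could flag the structuring pattern described above, as an added example that is not from the article, M86 or the prosecutors. The 10% "just below" band, the 7-day window, the three-transfer minimum and the sample transfers are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000     # reporting threshold named in the article (USD)
NEAR_BAND = 0.10              # assumption: "just below" means within 10% of it
WINDOW = timedelta(days=7)    # assumption: look-back window per destination
MIN_HITS = 3                  # assumption: near-threshold transfers needed to alert

# Constructed sample transfers: (timestamp, source, destination account, USD amount)
TRANSFERS = [
    ("2010-03-01T09:12", "charity-A", "acct-101", 9_800.00),
    ("2010-03-02T10:40", "charity-A", "acct-101", 9_950.00),
    ("2010-03-04T15:05", "charity-B", "acct-101", 9_700.00),
    ("2010-03-05T11:30", "charity-B", "acct-202", 9_900.00),
    ("2010-03-06T08:00", "payroll",   "acct-303", 4_200.00),
    ("2010-03-20T08:00", "charity-C", "acct-202", 9_850.00),
    ("2010-03-21T08:00", "vendor-X",  "acct-404", 12_500.00),
]

def near_threshold(amount):
    """True when the amount sits in the band just under the reporting threshold."""
    return REPORT_THRESHOLD * (1 - NEAR_BAND) <= amount < REPORT_THRESHOLD

def find_structuring(transfers):
    """Return {destination: summary} for accounts that receive MIN_HITS or more
    near-threshold transfers inside WINDOW whose sum exceeds the threshold."""
    by_dest = defaultdict(list)
    for ts, src, dest, amount in transfers:
        if near_threshold(amount):
            by_dest[dest].append((datetime.fromisoformat(ts), src, amount))
    alerts = {}
    for dest, hits in by_dest.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most WINDOW.
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            window = hits[start:end + 1]
            total = sum(h[2] for h in window)
            if len(window) >= MIN_HITS and total > REPORT_THRESHOLD:
                best = alerts.get(dest)
                if best is None or total > best["total"]:
                    alerts[dest] = {"count": len(window), "total": total,
                                    "sources": sorted({h[1] for h in window})}
    return alerts

if __name__ == "__main__":
    for account, summary in find_structuring(TRANSFERS).items():
        print(account, summary)
```

Grouping by destination account matters here because the funds came from several charities; a rule keyed only on the sender would see each source as a small, separate series.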
Adeyemi pleaded guilty to grand larceny, money laundering and serious computer tampering.
Sentencing is scheduled for July 21, and Adeyemi could face from 20 to 25 years in federal prison, plus restitution of the stolen funds along with a $250,000 fine.
Source: M86 Security.