Botnet-controlled Trojan robbing online bank customers

Security firm says malware targeting commercial customers believed to have come from Russia

A new variant on the Prg Trojan, designed in Russia, is hitting victims to steal money from their banking accounts in the United States, United Kingdom, Spain and Italy, says Atlanta-based security firm SecureWorks.

A new variant on the "Prg Banking Trojan" malware discovered in June is stealing funds from commercial accounts in the United States, United Kingdom, Spain and Italy with a botnet called Zbot, says Atlanta-based SecureWorks.

"It's been very successful since we've first seen this at the end of November," says Don Jackson, senior security researcher at SecureWorks, which believes the Prg Trojan variant is designed by the Russian hackers group known as Russian UpLevel working with some German affiliates. 

"The Trojan has the ability to use a man-in-the-middle attack, a kind of shoulder-surfing when someone logs into a bank account. It can inject a request for a Social Security number or other information, and it's very dynamic. It’s targeted for each specific bank."

SecureWorks says about a dozen banks -- which it wouldn't identify because it says the U.S. Secret Service is investigating the incidents -- have had their commercial customers affected by the Trojan-based money fraud operation. According to SecureWorks, the bank Trojan malware can be distributed using iFrame exploits on Web sites or through very targeted attacks against bank customers via phishing. Oftentimes, the phishing e-mail attempts to lure the victim into clicking on a site to offer software disguised as a real certificate, security code or soft token, the company says, adding that it has uncovered caches of stolen data in its research.

If the attacker succeeds in getting the Trojan malware onto the victim's computer, he can piggyback on a session of online banking without even having to use the victim's name and password. The infected computer communicates back to the Trojan's command-and-controller exactly which bank the victim has an account with. It then automatically feeds code that tells the Trojan how to mimic actual online transactions with a particular bank to do wire transfers or bill payments

SecureWorks says the Trojan performs keystrokes that imitate the victim's keystrokes to avoid any online fraud-monitoring. Although the Secret Service is investigating the Trojan's impact on banks and their customers, Jackson says Russian law authorities are lax in reining in online criminal groups widely believed to be operating from Russia, including Russian UpLevel and the Russian Business Network.

Learn more about this topic

Gozi Trojan leads to Russian data hoard

03/20/07

Major Russian online crime group suddenly offline

11/08/07

Phishing education for bank customers useless

02/07/07

Cybercriminals steal half a million dollars from city coffers

05/31/07

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies