Banking fraud malware trick helps criminals evade detection

February 01, 2012

Posted in: Network Security Trends

Perpetrators of online banking fraud are using new techniques to misdirect bank verification calls and make discovery of fraudulent activity more difficult. Using stolen information, criminals are attempting to divert calls from banks to numbers the attackers control, allowing them to cover their tracks and possibly even continue to pillage accounts.

The techniques have been discovered in Ice IX, a variant of the widespread and highly dangerous Zeus banking Trojan, according to research by security company Trusteer. The malware tricks victims into providing their phone numbers and their telephone account number. The latter is private information known only to the victim and their phone service provider. Trusteer says the Ice IX malware tricks victims into divulging this information by claiming it is part of a verification process required because of "a malfunction of the bank's anti-fraud system with its landline phone service provider." This type of request for information should instantly raise a banking customer's antennae.

If a bank flags anomalous activity, such as unusually large and/or frequent money transfers, it will contact the customer for verification. But in this case, Trusteer reports, the attackers are likely redirecting those calls to call services they control in order to approve the transactions.

This is a potentially nasty new wrinkle on what has become a highly lucrative banking fraud industry. Zeus, its many variants and other banking malware have bilked many small businesses, municipalities, government agencies, school systems and others out of tens or hundreds of thousands of dollars each in recent years. The malware captures login credentials, answers to secret questions (favorite film, name of your pet, etc.), and account balance information, using a variety of techniques that range from key logging to recording video of the user's activity for later playback.

Attackers can learn, for example, the maximum amount permitted for any one transfer without bank verification. Attackers will often limit transfers to just under the verification threshold to avoid or at least delay detection. So, if you tell your bank to cap transfers at $20,000 and have $500,000 in the business account, the attackers will simply make a series of $19,000 transfers until the account is cleaned out or the activity is discovered and halted.

Criminals typically recruit individuals as "money mules" to transfer the money from their own accounts to the attackers' accounts, usually in Russia and other east European countries. The mules are typically lured by what appear to be legitimate, albeit too-good-to-be-true, email solicitations to earn money at home. It's apparently not all that hard to find folks, especially in difficult economic times, who are either gullible enough to think the transfers are legit or willing to turn a blind eye to suspicious activity.

The latest techniques reported by Trusteer make fraud detection tougher. A number of suits have been filed by victims against banks, claiming the banks were negligent not so much for allowing the initial fraud using stolen credentials, but for failing to identify and halt the pattern of fraud as the transfers continued. Now, when banks observe an attempt to transfer over the customer limit, or have fraud detection technology that notices an unusually high number of transfers, they may diligently call what they believe to be their customers and instead reach agents of the criminals, who will approve the transfers.
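Because the phone-verification step can now be hijacked, the sub-threshold pattern described earlier (a run of transfers each just under the per-transfer cap) is worth detecting on its own, before any call is placed. The following Python is an added example, not code from the article or from Trusteer: it flags accounts whose transfers cluster just below an assumed $20,000 cap within a time window. The cap, the 24-hour window, the 80% "near the cap" fraction, the minimum count and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    account: str
    amount: float
    when: datetime


def find_structured_transfers(transfers, per_transfer_cap, window=timedelta(hours=24),
                              near_fraction=0.8, min_count=3):
    """Return {account: {"count", "total"}} for accounts that, within any
    `window`, made at least `min_count` transfers that each fall between
    near_fraction * cap and the cap. Each such transfer is individually below
    the limit that would trigger a verification call, but the cluster is the
    tell-tale sign. All thresholds are illustrative assumptions."""
    by_account = {}
    for t in transfers:
        by_account.setdefault(t.account, []).append(t)

    flagged = {}
    for acct, items in by_account.items():
        items.sort(key=lambda t: t.when)
        for i, start in enumerate(items):
            # Sliding window anchored at each transfer in turn.
            in_window = [t for t in items[i:] if t.when - start.when <= window]
            near_cap = [t for t in in_window
                        if near_fraction * per_transfer_cap <= t.amount < per_transfer_cap]
            if len(near_cap) >= min_count:
                flagged[acct] = {"count": len(near_cap),
                                 "total": sum(t.amount for t in near_cap)}
                break  # one hit per account is enough to raise an alert
    return flagged


# Constructed sample data, not real transactions.
SAMPLE_TRANSFERS = [
    Transfer("biz-001", 19000.0, datetime(2012, 1, 30, 9, 5)),
    Transfer("biz-001", 19000.0, datetime(2012, 1, 30, 9, 40)),
    Transfer("biz-001", 18900.0, datetime(2012, 1, 30, 11, 15)),
    Transfer("biz-001", 19000.0, datetime(2012, 1, 30, 14, 2)),
    Transfer("biz-002", 5000.0, datetime(2012, 1, 30, 10, 0)),   # ordinary activity
    Transfer("biz-002", 12000.0, datetime(2012, 1, 31, 10, 0)),
    Transfer("biz-003", 19500.0, datetime(2012, 1, 28, 10, 0)),  # near cap, but days apart
    Transfer("biz-003", 19500.0, datetime(2012, 1, 31, 10, 0)),
]

if __name__ == "__main__":
    for acct, hit in find_structured_transfers(SAMPLE_TRANSFERS, 20000.0).items():
        print(f"ALERT {acct}: {hit['count']} near-cap transfers totalling ${hit['total']:,.2f}")
```

Only `biz-001` is flagged: four transfers in one day, each under the $20,000 cap, totalling $75,900.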
