Kaspersky Lab has reported on an attack against a European bank that cost its customers €500,000 (about £400,000) in the course of a single week. The fraud investigation identified over 190 victims, most of them located in Italy and Turkey. The sums stolen from individual bank clients ranged from €1,000 to €39,000.
According to the report, the first signs of the campaign were found on 20 January this year, when the research team detected a command-and-control (C&C) server; it was shut down two days later. Logs recovered from the server recorded what appeared to be money transfers, and their contents identified the targeted bank. The researchers immediately informed the bank and launched an investigation.
The money was stolen by a banking Trojan now known as Luuuk. The researchers believe it used Man-in-the-Browser techniques, in which malware inside the victim's browser alters an online-banking session while the user is logged in; unfortunately, they were unable to recover the malicious code that initiated the transfers. The log files suggest that Luuuk captured usernames, passwords and one-time password (OTP) codes, which is typical of Zeus. According to Assistant Attorney General David O'Neil, Zeus 'is one of the most damaging pieces of financial malware that has ever been used'.
The malware was named Luuuk after the path /server/admin/luuk/ used in its administration panel.
Exactly which malicious program carried out the theft is not specified; the researchers suspect it was Zeus or a related family such as Citadel or SpyEye.
The stolen money was transferred to pre-arranged 'money mule' accounts and then withdrawn from ATMs. The investigation found that the mule accounts fell into four groups, each handling transfers up to a particular amount, which the researchers regard as a sign of a well-organised mule infrastructure. One group, for example, handled no more than €2,000 per transfer, whereas the others dealt with much larger sums.
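The tiering described above can be recovered from transfer records by looking at the largest amount each mule account received and splitting the accounts where those ceilings jump. The script below is an added example, not Kaspersky's analysis code; the transfer records are constructed for illustration, and the gap-based tier split is an assumed heuristic, not the method the report describes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One fraudulent transfer as it might appear in a C&C server log."""
    victim: str
    mule: str
    amount_eur: float


# Constructed sample records (not real data): victims paying into six mule accounts.
SAMPLE_TRANSFERS = [
    Transfer("victim-01", "IT-MULE-A1", 1200.0),
    Transfer("victim-02", "IT-MULE-A1", 1900.0),
    Transfer("victim-03", "IT-MULE-A2", 1500.0),
    Transfer("victim-04", "IT-MULE-A2", 2000.0),
    Transfer("victim-05", "TR-MULE-B1", 6500.0),
    Transfer("victim-06", "TR-MULE-B1", 7400.0),
    Transfer("victim-07", "TR-MULE-B2", 6900.0),
    Transfer("victim-08", "IT-MULE-C1", 14000.0),
    Transfer("victim-09", "IT-MULE-C1", 16000.0),
    Transfer("victim-10", "TR-MULE-D1", 35500.0),
    Transfer("victim-11", "TR-MULE-D1", 39000.0),
]


def mule_ceilings(transfers):
    """Per mule account: largest single transfer received, number of transfers, total."""
    stats = defaultdict(lambda: {"max": 0.0, "count": 0, "sum": 0.0})
    for t in transfers:
        s = stats[t.mule]
        s["max"] = max(s["max"], t.amount_eur)
        s["count"] += 1
        s["sum"] += t.amount_eur
    return dict(stats)


def mule_tiers(transfers, gap_factor=2.0):
    """Group mule accounts into tiers by the ceiling each one handled.

    Accounts are sorted by their ceiling; a new tier starts whenever the next
    ceiling exceeds the current tier's ceiling by more than gap_factor
    (assumed heuristic). Returns a list of tiers, lowest first, each with the
    tier's ceiling and the mule accounts in it.
    """
    ordered = sorted((s["max"], mule) for mule, s in mule_ceilings(transfers).items())
    tiers = []
    for ceiling, mule in ordered:
        if tiers and ceiling <= tiers[-1]["ceiling"] * gap_factor:
            tiers[-1]["mules"].append(mule)
            tiers[-1]["ceiling"] = ceiling
        else:
            tiers.append({"ceiling": ceiling, "mules": [mule]})
    return tiers


if __name__ == "__main__":
    for i, tier in enumerate(mule_tiers(SAMPLE_TRANSFERS), start=1):
        print(f"tier {i}: up to EUR {tier['ceiling']:,.0f} -> {', '.join(tier['mules'])}")
```

On the constructed records this yields four tiers with ceilings of €2,000, €7,400, €16,000 and €39,000. In a real investigation the same per-account ceilings, combined with the victim-to-mule mapping, are what let an analyst say which mule accounts belong together and which transfer sizes each group was trusted with.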
According to Vicente Diaz, Principal Security Researcher at Kaspersky Lab, the different amounts entrusted to each group indicate differing levels of trust among the partners in the fraud. Although the C&C server has been shut down, the Luuuk case remains under investigation, as the criminals are expected to attempt to compromise more bank accounts in the future.