Luuuk Scam Claims Half-million Euros in 1 Week

Kaspersky Lab’s Global Research and Analysis Team (GReAT) discovered evidence of a targeted attack in January

A sophisticated man-in-the-browser (MiTB) scheme has resulted in the siphoning of a half-million Euros from a large European bank. The fraud campaign, dubbed Luuuk, was a targeted attack that leveraged an unusual money mule approach.

Kaspersky Lab’s Global Research and Analysis Team (GReAT) discovered evidence of a targeted attack in January, with the emergence of a new command and control (C&C) server on the net. The server’s control panel indicated evidence of a trojan program used to steal money from clients’ bank accounts.

How Luuuk was carried out is of interest. The researchers believe that important financial data was intercepted automatically and that fraudulent transactions were carried out as soon as the victim logged onto their online bank account. All in all, more than 190 victims could be identified, most of them located in Italy and Turkey. The sums stolen from each bank account, according to the logs, ranged from €1,700 to €39,000.

“On the C&C server we detected there was no information as to which specific malware program was used in this campaign,” said Kaspersky Lab’s Vicente Diaz, in a posting on the effort. “However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims.”

Then, the stolen money was passed on to the perpetrators’ accounts using “drops” (or money mules): participants in the scam receive some of the stolen money in specially created bank accounts and cash it out via ATMs, thus laundering it. There were apparently several different ‘drop’ groups, each assigned different sums of money. One group was responsible for transferring sums of €40,000 to €50,000, another €15,000 to €20,000, and the third no more than €2,000.

“These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each ‘drop’ type,” Diaz said. “We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a ‘drop’ is asked to handle, the more he is trusted.”
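An added example (not from Kaspersky Lab’s analysis or this article) of how a bank’s fraud team might triage its own session logs for the two hallmarks described above: transfers submitted seconds after login, and destination accounts whose takings cluster into the reported drop tiers. The log lines, the 10-second window and the account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the article):
# (timestamp, event, customer, destination account, amount in EUR)
SAMPLE_EVENTS = [
    ("2014-01-13 09:00:00", "login",    "cust-001", None,       0),
    ("2014-01-13 09:00:04", "transfer", "cust-001", "DROP-A",   39000),
    ("2014-01-13 09:30:00", "login",    "cust-002", None,       0),
    ("2014-01-13 09:41:10", "transfer", "cust-002", "ACME-LTD", 1200),
    ("2014-01-13 10:05:00", "login",    "cust-003", None,       0),
    ("2014-01-13 10:05:03", "transfer", "cust-003", "DROP-A",   8000),
    ("2014-01-13 11:00:00", "login",    "cust-004", None,       0),
    ("2014-01-13 11:00:02", "transfer", "cust-004", "DROP-C",   1700),
]

FAST_WINDOW = timedelta(seconds=10)  # assumption: a human rarely submits a transfer this soon after login
MIN_EUR, MAX_EUR = 1700, 39000       # per-victim range reported in the article


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def flag_fast_transfers(events):
    """Return transfers submitted within FAST_WINDOW of the same customer's
    most recent login and inside the reported per-victim amount range."""
    last_login = {}
    flagged = []
    for ts, kind, cust, dest, amount in events:
        t = parse(ts)
        if kind == "login":
            last_login[cust] = t
        elif kind == "transfer":
            login_at = last_login.get(cust)
            if login_at is not None and t - login_at <= FAST_WINDOW and MIN_EUR <= amount <= MAX_EUR:
                flagged.append((cust, dest, amount, (t - login_at).total_seconds()))
    return flagged


def tier_destinations(flagged):
    """Sum what each flagged destination received and label it with the
    drop tiers described in the article (<=2k, 15k-20k, 40k-50k)."""
    totals = defaultdict(int)
    for _, dest, amount, _ in flagged:
        totals[dest] += amount

    def tier(total):
        if total <= 2000:
            return "low (<=2k)"
        if 15000 <= total <= 20000:
            return "mid (15k-20k)"
        if 40000 <= total <= 50000:
            return "high (40k-50k)"
        return "unclassified"

    return {dest: (total, tier(total)) for dest, total in totals.items()}
```

Run over real logs, the window and tier thresholds should be tuned to the bank’s own baseline; the values here only mirror the figures the article reports.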

The campaign was highly successful in a relatively short time. It was at least one week old when the C&C was discovered, having started no later than Jan. 13.

“In that time the cybercriminals successfully stole more than 500,000 Euros,” GReAT noted in the analysis. “Two days after GReAT discovered the C&C server, the criminals removed every shred of evidence that might be used to trace them. However, experts think this was probably linked to changes in the technical infrastructure used in the malicious campaign rather than spelling the end of the Luuuk campaign.”

In other words, it will likely be back.

“The C&C server related to the Luuuk was shut down shortly after the investigation started. However, the complexity level of the MITB operation suggests that the attackers will continue to look for new victims of this campaign,” GReAT added.
