Experts at Kaspersky Lab’s Global Research and Analysis Team have discovered evidence of a targeted attack against clients of a large European bank. According to logs found in the server used by the attackers, cybercriminals stole more than half a million Euros from individual accounts in the space of just one week.
The first sign of this campaign, dubbed the Luuuk, was discovered on 20th January this year when experts detected a C&C server and an accompanying control panel which indicated evidence of a Trojan program being used to steal money from clients’ bank accounts.
“Soon after we detected this C&C server, we contacted the bank’s security service and law enforcement agencies, and submitted all our evidence to them,” Vicente Diaz, Principal Security Researcher at Kaspersky Lab, said.
Overall, more than 190 victims were identified, most of them located in Italy and Turkey. According to transaction logs detected on the server, the sums stolen from each bank account ranged from between 1,700 to 39,000 Euros.
The campaign was at least one week old when the C&C was discovered, having started no later than January 13, 2014. Two days following Kaspersky Lab’s discovery, the criminals removed all traceable evidence that might be used to locate them. However, experts suggest this was probably linked to changes in the technical infrastructure used in the malicious campaign, rather than spelling the end of The Luuuk campaign.
Malicious tools used
In the Luuuk case, experts have grounds to believe that important financial data was intercepted automatically and fraudulent transactions were carried out as soon as the victim logged onto their online bank accounts.
“On the C&C server we detected, there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations, including Citadel, SpyEye, and IceIX, have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims,” Diaz added.
Money divestment schemes
Kaspersky Lab’s experts noticed a distinctive approach in the organisation of the so-called ‘drops’ – or money-mules – where participants in the scam receive some of the stolen money in specially created bank accounts. There was evidence of several different ‘drop’ groups, each assigned with different sums of money. One group was responsible for transferring sums of 40-50,000 Euros; another with 15-20,000; and the third with no more than 2,000 Euros.
“These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each ‘drop’ type. We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust; the more money a ‘drop’ is asked to handle, the more he is trusted,” Diaz explains.
The C&C server related to the Luuuk was shut down shortly after the investigation started. However, the complexity level of the Man-in-the-Browser operation suggests that the attackers will continue to look for new victims.
Kaspersky Lab’s experts are engaged in an on-going investigation into the Luuuk’s activities.