Luuuk crime gang likely hit by Gameover takedown

Online bank thieves who stole £400,000 earlier this year are believed to have been hit by police action against the Gameover Trojan gang.

Luuuk crime gang likely hit by Gameover takedown
Luuuk crime gang likely hit by Gameover takedown

Thieves who stole more than €500,000 (£400,000) from 190 customers of a large unnamed European bank in just one week earlier this year have probably been hit by the recent police crackdown on cyber criminals using the Gameover virus.

In a blog posted earlier this week, Kaspersky researchers revealed that the gang behind a campaign it calls ‘Luuuk' used a banking Trojan to steal the £400,000 from the victims, mainly based in Italy and Turkey, in a single week in January.

Kaspersky said the thieves then went to ground on 22 January, two days after it began its investigation, but warned “we believe that the criminals behind the operation are very active” and said the disappearing act “could be an infrastructure change rather than a complete shutdown of the operation”.

But in a positive twist to the tale on Thursday, Kaspersky Lab principal security researcher, Vicente Diaz, told SCMagazineUK.com: “We are still confirming this but there is a high probability that the group behind this attack has been affected by the Gameover takedown.”

This was a combined operation between the UK's NCA, Europol, the FBI and US Department of Justice that earlier this month targeted a Russian cyber crime gang using the Gameover Zeus malware variant and Cryptolocker ransomware.

But Diaz's optimism was short-lived as he told SC via email: “Although this is a positive breakthrough, the real problem is the gang behind the attacks. Losing control of hundreds of thousands of machines to law enforcement agencies is undoubtedly a difficult problem for them but they can simply jump to a new malware family and start over again.”

In its blog, Kaspersky describe the gang's attack methods, saying they “used a banking Trojan performing Man-in-the-Browser operations to get the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, the malware stole user names, passwords and OTP codes in real time”.

Underlining the gang's sophisticated nature, Kaspersky said it ran a “well-organised mule infrastructure”, with four different groups of mules being used to transfer money, each with different limits on the amount they could handle, indicating the level of faith the gang had in them.

Diaz told SC: “We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust; the more money a 'drop' is asked to handle, the more he is trusted.”

Analysing the Luuuk case, industry expert Keith Bird, UK MD for Check Point, said that despite any police successes, banks and their customers cannot afford to relax.

He told SC via email: “The people behind these attacks are using very sophisticated techniques and obviously have in-depth knowledge of how banking systems work, so I'm sure we will see new attack methods emerging.”

Diaz agreed, advising: “Both banks and customers should protect their assets with the best available technology. Banks should adopt reliable anti-fraud protection and check for any suspicious transactions in their systems, enabling them to implement alerts related to specific cyber crime campaigns like the Luuuk. Of course, users should be vigilant of any suspicious movements or transfers in their accounts and react quickly, informing both the bank and police.”

Bird was optimistic that the Luuuk attackers will be caught, drawing a parallel with last year's international police operation, which Check Point helped in and which led to the arrest of the gang behind 2012's ‘Eurograbber' attack who netted more than €36 million (£30 million) from 30,000 customers of 30 banks in Europe.

Also commenting on the Luuuk campaign, ACI Worldwide solutions lead Andy Morris told journalists: “With nearly half a million Euros lost in a single attack, alongside the recent losses estimated for the GoZeus and Cryptolocker malware, it's a timely reminder for banks to remain vigilant in detecting and preventing similar criminal activity.”

But he added: “It isn't just the bank's responsibility to keep customer's funds secure. It is essential that customers keep an eye on their account and flag any activity that appears abnormal.

“We are seeing is a rise in card not present fraud, where criminals can bypass chip and pin online by using card details, expiry dates and the security codes to defraud victims.”