Bank accounts raided over the summer to allow attackers to take almost £700,000

News by Dan Raywood

Around £700,000 has been stolen from UK banks over the course of a month during this summer.

A report by M86 Security found that an organised network of cyber criminals launched a complex, multi-level scheme that targeted online customers of a large UK financial institution. Based on information M86 Security Labs found on the malicious Command & Control (C&C) server, it assumed that close to £675,000 was stolen from approximately 3,000 compromised customer accounts from a 'global' bank between 5th July and 4th August this year.

Asked who the institution was, M86 Security said that it could not say as the bank and law enforcement had asked it not to reveal the name.

M86 Security said that it was able to detect the crime because a potential victim used its secure web gateway solution, which proactively prevents emerging threats in real-time. Immediately after the discovery, M86 Security representatives informed the relevant law enforcement agencies of all criminal activities and methods used by the perpetrators.

Research found that cyber criminals used a combination of the new Zeus v3 Trojan and exploit toolkits to successfully avoid anti-fraud systems while robbing bank accounts. SC Magazine reported at the end of July that by using the Eleonore exploit toolkit, cyber criminals have been able to take control of ten per cent of the world's computers from compromised web pages. This toolkit was reported to have been used in this instance, along with the Phoenix Exploit Kit.

The report said that once the Zeus v3 Trojan was successfully installed on victims' PCs and the victims logged in to their online bank accounts, the Trojan initiated the money transfer from their accounts, via money mules, to the cyber thieves.

Once the user accessed the transactional section of the site, the Trojan reported to the C&C. It then received new JavaScript code to replace the original bank JavaScript that was used for the transaction form. After the user submitted the transaction form, the relevant data was sent to the C&C system instead of the bank.
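The two changes described above, a swapped transaction-form script and a form that submits somewhere other than the bank, are both visible in a snapshot of the rendered page. The following is an added example, not code from the M86 report: it audits such a snapshot against a known-good policy, and the origin `https://bank.example`, the host `collector.invalid`, the script bodies and the function names are all constructed for illustration.

```javascript
const { createHash } = require("crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("base64");

// Constructed sample data: a known-good script, the policy derived from it, two snapshots.
const GOOD_SCRIPT = "function submitTransfer(f){ f.submit(); }";
const POLICY = { origin: "https://bank.example", scriptDigests: new Set([sha256(GOOD_SCRIPT)]) };
const CLEAN_PAGE =
  '<form action="/transfer" method="post"><input name="amount"></form>' +
  "<script>" + GOOD_SCRIPT + "</script>";
const TAMPERED_PAGE =
  '<form action="https://collector.invalid/submit" method="post"><input name="amount"></form>' +
  "<script>function submitTransfer(f){ /* body differs from the bank's copy */ }</script>";

// Return one finding per script or form that deviates from the policy.
function auditTransactionPage(html, policy) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      // External scripts must load from the bank's own origin.
      const origin = new URL(src[1], policy.origin).origin;
      if (origin !== policy.origin) findings.push({ type: "script-origin", value: origin });
    } else if (body.trim() && !policy.scriptDigests.has(sha256(body.trim()))) {
      // Inline scripts must hash to an allowlisted digest.
      findings.push({ type: "script-digest", value: sha256(body.trim()) });
    }
  }
  // Form targets (relative or absolute) must resolve to the bank's origin.
  const formRe = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/gi;
  for (const [, action] of html.matchAll(formRe)) {
    const origin = new URL(action, policy.origin).origin;
    if (origin !== policy.origin) findings.push({ type: "form-origin", value: origin });
  }
  return findings;
}

console.log(auditTransactionPage(TAMPERED_PAGE, POLICY));
```

A check like this is only trustworthy when it runs outside the affected browser, for example in an analysis harness comparing client snapshots with what the bank serves, because code running in the page is under the same control as the injected script.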

The report said: “Because cyber crime is a lucrative business, illegal operations such as the one discussed in this paper are on the rise. These criminals continuously seek new, sophisticated ways to steal information and money without detection. And it's increasingly difficult for security companies to stay ahead of the proliferation of new, dynamic malware.”

Talking to SC Magazine, Bradley Anstis, VP technical strategy at M86 Security, said that the company had known about the attack since 27th July and that, with the information it collected, it was able to trace the attack back to the 5th.

Anstis said: “So maybe it was working before that, but we were able to understand how it was working and it is still active as law enforcement are still investigating it.”

Asked if this was a typical amount that was stolen, he said: “It is a little higher than we have seen but money was taken multiple times from many accounts. The minimum that was taken was £1,000 and we never saw an amount under that, typically we saw £1,000-5,000 and it was always a random amount taken to evade bank fraud detection.

“We find that man-in-the-browser attacks are getting harder to detect, you need a good knowledge of what is in your bank and when you walk past get a balance, does your bank offer telephone banking? It is a fairly antiquated technology but it works.”

