More than 190 victims identified, most of them located in Italy and Turkey
Complexity level of operation suggests attackers will continue to look for new victims
EXPERTS at Kaspersky Lab’s Global Research and Analysis Team (GReAT) said they have discovered evidence of a targeted attack against the clients of a large European bank.
According to the logs found in the server used by the attackers, apparently in the space of just one week cybercriminals stole more than €500,000 from accounts in the bank, Kaspersky Lab said in a statement.
The first signs of this campaign were discovered on Jan 20 this year when Kaspersky Lab’s experts detected a C&C (command and control) server on the Internet. The server’s control panel indicated evidence of a trojan program used to steal money from clients’ bank accounts.
The experts also detected transaction logs on the server, containing information about which sums of money were taken from which accounts.
All in all, more than 190 victims could be identified, most of them located in Italy and Turkey. The sums stolen from each bank account, according to the logs, ranged between €1,700 and €39,000.
The campaign was at least one week old when the C&C was discovered, having started no later than Jan 13. In that time the cybercriminals successfully stole more than €500,000.
Two days after GReAT discovered the C&C server, the criminals removed every shred of evidence that might be used to trace them.
However, experts think this was probably linked to changes in the technical infrastructure used in the malicious campaign rather than spelling the end of the Luuuk campaign.
“Soon after we detected this C&C server, we contacted the bank’s security service and the law enforcement agencies, and submitted all our evidence to them,” said Vicente Diaz, principal security researcher at Kaspersky Lab.
Malicious tools used
In the Luuuk case, experts have grounds to believe that important financial data was intercepted automatically and fraudulent transactions were carried out as soon as victims logged onto their online bank accounts.
“On the C&C server we detected there was no information as to which specific malware program was used in this campaign,” said Diaz.
“However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims,” he added.
Money divestment schemes
The stolen money was passed on to the crooks’ accounts in an interesting and unusual way, said Kaspersky Lab.
Its experts noticed a distinctive quirk in the organisation of the so-called ‘drops’ (or money-mules), where participants in the scam receive some of the stolen money in specially created bank accounts and cash out via ATMs (automated teller machines).
There was evidence of several different ‘drop’ groups, each assigned different sums of money. One group was responsible for transferring sums of €40,000-50,000, another for €15,000-20,000 and the third for no more than €2,000.
“These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each ‘drop’ type,” said Diaz.
“We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: The more money a ‘drop’ is asked to handle, the more he is trusted,” he added.
The C&C server related to Luuuk was shut down shortly after the investigation started. However, the complexity level of the operation suggests that the attackers will continue to look for new victims of this campaign.
Kaspersky Lab’s experts are engaged in an on-going investigation into Luuuk activities.