A gang of cybercriminals pulled off a 500,000 euro bank heist over the course of a week, according to researchers at Kaspersky Lab.
The caper targeted customers of a specific bank in Europe using a man-in-the-browser attack. On January 20, Kaspersky Lab identified a suspicious server with log files that included events from bots reporting to a command-and-control web panel. The information being sent indicated financial fraud, and included details of victims and the amount of money stolen.
What the firm uncovered was an operation that victimized around 190 people, mostly in Turkey and Italy, as well as international bank account numbers belonging to both victims and mules. They also found logs detailing fraudulent transactions that totaled more than 500,000 euros. The researchers named the command-and-control server 'Luuuk', after the path the administration panel used in the server: /server/adm/luuuk.
"The control panel was hosted in the domain uvvya-jqwph.eu, resolving to the IP address 22.214.171.124 during the analysis," the researchers explained. "The fraudulent campaign targeted users of a single bank. Even though we were not able to get the malicious code used on the victims, we believe the criminals used a banking Trojan performing Man-in-the-Browser operations to get the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and OTP codes in real time."
Those kinds of injections, the researchers noted, are common in all the variants of ZeuS. The attackers used the stolen credentials to check the account balance of the victim and perform fraudulent transactions. The attackers also used predefined money mules to transfer the stolen money.
According to the transaction logs, four different money mule groups were used:
"This could be an indicator of a well-organized mule infrastructure," according to Kaspersky Lab. "Different groups have different limits on the money that can be transferred to its mules, an indicator of the levels of trust between them."
The cybercriminals operating the control panel removed all sensitive components on Jan. 22 - just two days after the firm's investigation started.
"Based on the transaction activity we believe that this could be an infrastructure change rather than a complete shutdown of the operation," the researchers explained. "In addition, based on the fraudulent transaction activity detected in the server and several additional indicators, we believe that the criminals behind the operation are very active."