A gang of cybercriminals pulled off a 500,000 euro bank heist over the course of a week, according to researchers at Kaspersky Lab.
The caper targeted customers of a specific bank in Europe using a man-in-the-browser attack. On January 20, Kaspersky Lab identified a suspicious server with log files that included events from bots reporting to a command-and-control web panel. The information being sent indicated financial fraud, and included details of victims and the amount of money stolen.
“After further analysis we found additional files in the server containing logs with different content and showing potentially fraudulent banking transactions, as well as source code in JavaScript related to the [command and control] C2 infrastructure,” according to Kaspersky Lab researchers. “This information provided valuable data about the bank that had been targeted and other details such as the money-mule system and operational details used in this scheme.”
What the firm uncovered was an operation that victimized around 190 people, mostly in Turkey and Italy, as well as international bank account numbers belonging to both victims and mules. They also found logs detailing fraudulent transactions that totaled more than 500,000 euros. The researchers named the command-and-control server ‘Luuuk’, after the path the administration panel used in the server: /server/adm/luuuk.
“The control panel was hosted in the domain uvvya-jqwph.eu, resolving to the IP address 109.169.23.134 during the analysis,” the researchers explained. “The fraudulent campaign targeted users of a single bank. Even though we were not able to get the malicious code used on the victims, we believe the criminals used a banking Trojan performing Man-in-the-Browser operations to get the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and OTP codes in real time.”
Those kinds of injections, the researchers noted, are common in all the variants of ZeuS. The attackers used the stolen credentials to check the account balance of the victim and perform fraudulent transactions. The attackers also used predefined money mules to transfer the stolen money.
According to the transaction logs, four different money mule groups were used:
- 13test: The limit that the drops in this group accept is between 40,000 and 50,000 euros, though there are some drops that have different limits such as between 20,000 and 30,000.
- 14test: The limit that the drops in this group can accept is between 15,000 and 20,000 euros, but some drops in this group have limits between 45,000 and 50,000.
- 14smallings: The limit that the drops in this group can accept is between 2,500 and 3,000 euros.
- 16smallings: The limit that the drops in this group can accept is between 1,750 and 2,000 euros, though some accept a quantity between 2,500 and 3,000 euros as well.
“This could be an indicator of a well-organized mule infrastructure,” according to Kaspersky Lab. “Different groups have different limits on the money that can be transferred to its mules, an indicator of the levels of trust between them.”
The cybercriminals operating the control panel removed all sensitive components on Jan. 22 – just two days after the firm’s investigation started.
“Based on the transaction activity we believe that this could be an infrastructure change rather than a complete shutdown of the operation,” the researchers explained. “In addition, based on the fraudulent transaction activity detected in the server and several additional indicators, we believe that the criminals behind the operation are very active.”