The experts at Kaspersky Lab’s Global Research and Analysis Team have discovered evidence of a targeted attack against the clients of a large European bank. Apparently, according to the logs found in the server used by the attackers, in the space of just one week cybercriminals stole more than half a million Euros from accounts within the bank. The first indications of this campaign being carried out were discovered on 20th January this year when Kaspersky Lab’s experts detected a C&C server on the net. The server’s control panel indicated evidence of a Trojan program being used to steal money from clients’ bank accounts.
The experts also detected transaction logs on the server, containing information about what sums of money were taken from which accounts. All in all, more than 190 victims were identified, most of them located in Italy and Turkey. According to the logs, the sums stolen from each bank account ranged between 1,700 to 39,000 Euros.
The campaign was at least one week old when the C&C was discovered, having started no later than 13th January 2014. In that time the cybercriminals successfully stole more than 500,000 Euros. Two days after GReAT discovered the C&C server, the criminals removed every shred of evidence that might be used to trace them. However, experts think this was probably linked to changes in the technical infrastructure used in the malicious campaign rather than spelling the end of the Luuuk campaign.
“Soon after we detected this C&C server, we contacted the bank’s security service and the law enforcement agencies and submitted all our evidence to them,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab.
Malicious tools used
In the Luuuk case, experts have grounds to believe that important financial data was intercepted automatically and fraudulent transactions were carried out as soon as the victim logged onto their online bank accounts.
“On the C&C server we detected there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims,” added Vicente Diaz.
Money divestment schemes
The stolen money was passed on to the crooks’ accounts in an interesting and unusual way. Our experts noticed a distinctive quirk in the organisation of the so-called ‘drops’ (or money-mules), where participants in the scam receive some of the stolen money in specially created bank accounts and cash out via ATMs. There were evidences of several different ‘drop’ groups, each assigned with different sums of money. One group was responsible for transferring sums of 40-50,000 Euros, another with 15-20,000 and the third with no more than 2,000 Euros.
“These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each ‘drop’ type. We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a ‘drop’ is asked to handle, the more he is trusted,” added Vicente Diaz.
The C&C server related to The Luuuk was shut down shortly after the investigation started. However, the complexity level of the MITB operation suggests that the attackers will continue to look for new victims of this campaign. Kaspersky Lab’s experts are engaged in an on-going investigation in The Luuuk’s activities.
Kaspersky Fraud Prevention vs. the Luuuk
The evidence uncovered by Kaspersky Lab’s experts indicates that the campaign was most probably organised by professional criminals. However, the malicious tools they used to steal money can be countered effectively by security technologies. For instance, Kaspersky Lab has developed Kaspersky Fraud Prevention – a multi-tier platform to help financial organisations protect their clients from online financial fraud. The platform includes components that safeguard client devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that can help companies detect and block fraudulent transactions.
For more information on The Luuuk campaign, read our blog at Securelist.com.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report “Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.