Friday, October 31, 2008

Cybercrime Group Uses Trojan To Steal 500k Bank & Credit Card Logins

Researchers at RSA FraudAction Research Lab have recently discovered that, dating back as early as February 2006, the Sinowal Trojan, also known as Torpig and Mebroot, has compromised and stolen login credentials for approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information, such as email and FTP account credentials for numerous websites, has also been compromised and stolen.

A posting today on the RSA FraudAction Research Lab Blog shares details of a three-year investigation following the Sinowal Trojan and its possible ties to a Russian organized cybercrime group known as the RBN.

"Sinowal has been the subject of rumor and speculation in the industry, and little is known about its source. Some have alleged that it was owned and operated by a Russian online gang with past ties to the infamous Russian Business Network (RBN). Our data confirms the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN."

RSA's findings on how Sinowal operates

Like other Trojans, Sinowal uses an HTML injection feature that effectively injects new Web pages or information fields into the affected victim’s Internet browser – and these injections seem like legitimate pages to the victim. Just as an example, Sinowal can falsely prompt an unsuspecting victim for personal information such as a social security number and other details which their bank previously pledged to never request be provided online. Even though a prompt like this is not a novel approach to stealing credentials and other information – what struck us the most was the number of URL "triggers" that cause Sinowal to actually launch this prompt and other functions: Sinowal is triggered by more than 2,700 specific URLs, which means that this Trojan quickly moves into action when users access the websites of what are now hundreds of financial institutions worldwide.
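The injection RSA describes leaves a detectable trace: the page the victim sees carries form fields the genuine login page never had. The following added example (not RSA's code or anything from the original post) shows a page-integrity check a bank's fraud team or an analyst could run on a captured page; the allowlist of expected fields and the two sample pages are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Assumed allowlist: the fields the bank's genuine login form is known to contain.
EXPECTED_FIELDS = {"username", "password", "csrf_token"}

# Name fragments for data a bank pledges never to request in a login form;
# any of these appearing on a login page is a strong sign of an injected prompt.
SENSITIVE_HINTS = ("ssn", "social", "pin", "cvv", "maiden", "dob")


class FormFieldCollector(HTMLParser):
    """Collect the name (or id) of every input-like element on the page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        attrs = dict(attrs)
        if (attrs.get("type") or "").lower() in ("submit", "button"):
            return  # buttons carry no user data
        name = attrs.get("name") or attrs.get("id")
        if name:
            self.fields.append(name.lower())


def audit_login_form(html, expected=EXPECTED_FIELDS):
    """Return (unexpected, sensitive): fields absent from the allowlist, and the
    subset of those whose names suggest a credential-harvesting prompt."""
    collector = FormFieldCollector()
    collector.feed(html)
    unexpected = [f for f in collector.fields if f not in expected]
    sensitive = [f for f in unexpected if any(h in f for h in SENSITIVE_HINTS)]
    return unexpected, sensitive


# Constructed sample: the genuine page, and the same page as a Sinowal-style
# injection would render it, with extra fields asking for an SSN and an ATM PIN.
GENUINE_PAGE = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="hidden" name="csrf_token" value="abc"><input type="submit" value="Sign in">
</form>"""

INJECTED_PAGE = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="hidden" name="csrf_token" value="abc">
<label>Social Security Number</label><input type="text" name="ssn">
<label>ATM PIN</label><input type="password" name="atm_pin">
<input type="submit" value="Sign in">
</form>"""
```

Running `audit_login_form` on the two pages flags nothing for the genuine page and both injected fields for the tampered one.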

Sean Brady, the product marketing manager for RSA's ID and access assurance group, provided a few comments and a few more details in a PC World article.

"The sheer enormity of this makes this unique," said Brady. "And the scale is very unusual." All told, the gang behind Sinowal managed to obtain access to nearly half a million bank accounts and credit cards, a volume RSA dubbed "ruthless" and "extraordinary."

"And the fact that the Trojan was managed by one group through its history, and maintained for nearly three years is also very unusual," Brady said. RSA uncovered records that showed the Trojan had been in active operation since at least February 2006. "In malware life cycles, that's ancient, and to keep it up required a high degree of resources and effort."

The compromised data belongs to customers of hundreds of financial institutions in many regions of the world. RSA found affected financial institutions in North America (both the United States and Canada), Europe (the United Kingdom, France, Spain, Germany, the Netherlands, Italy and others), Asia Pacific (Australia, China, Malaysia and others) as well as some countries in Latin America. However, RSA notes that it found no Russian accounts compromised by Sinowal.
