Australia's banks quietly swatting trojan
Australia's banks have been quietly working with a Russian security and forensics firm to swat a nasty banking trojan crafted in the Ukraine that has infected 150,000 Australian PCs since last year.
Once installed, the fraud software Carberp waits for a victim to login to their accounts and, via the browser, attempts to commandeer their transactions hijacking credentials and payments. Success rates vary, but its makers are responsible for millions in losses across Russia and Europe.
Security vendors including Symantec, Microsoft, Kaspersky and McAfee recognise Carberp as a nasty “family” of trojans that has been known to grab screen shots of victim's PCs, log keystrokes and steal banking credentials.
According to Andrey Komarov, head of international projects at Russian firm Group-IB, the hackers behind Carberp have franchised their product to a well-known developer on the underground who built a module (a bolt-on component known as a "web-inject") that repurposes attacks for banking customers in other parts of the world for Australia.
ANZ Bank and the Bank of Queensland were the first to respond to the company's recent fraud alert, said Komarov, who is supplying data to the banks on the latest Australian infections.
“An ANZ representative responded immediately,” Komarov told IT Pro. “We provided him all the details about compromised customers of his bank and he immediately blocked it and assisted to contact other banks. We are also preparing some additional investigation details for ANZ right now, as its e-crime division is one of the most positive we have ever seen.”
The module contains technical and social trickery: it presents to victims a fake transaction page and contains tools that allow the attacker to view the victim's browser in real-time. The package includes attacks for customers of Commonwealth Bank, ANZ, Westpac, the Bank of Queensland, Bendigo Bank, Adelaide Bank, Teachers Mutual Bank, DefenceBank, Suncorp, BankWest and NAB, according to Group-IB.
“Right after the user goes online and wants to make a transfer, they will intercept his session on the browser and spoof the destination of the transfer absolutely silently,” Komarov said.
To build a network of infected PCs, the group uses bank-related keywords, such as “Melbourne bank” to game search engine algorithms. If the victim takes the bait, they are lead to websites that host attacks for ubiquitous software, such as the browser plug-ins for Adobe Flash, Oracle Java, and Microsoft's Office products.
Exactly how much the gang and its networks have stolen from Australian banking customers remains unknown, however Komarov estimates typically 10 per cent of PCs that have been infected result in losses for their users. Group-IB assisted Russian authorities arrest six Carberp gang members last June who were accused of stealing over $4 million from Russian accounts over a four-year spree.
The ANZ declined to comment on its investigation.
"ANZ does not comment on security matters other than to say protecting our customers is one of our highest priorities and we are confident in the security tools and team that we have in place,” ANZ spokesperson Stephen Ries said.
“It should also be noted that any customers who are the innocent victim of fraud will be protected by the bank."
Personal accounts are protected from online fraud under Australia's ePayments Code, but businesses face a different risk: liability for malware for businesses small and large is determined by contract.
"As far as commercial customers go, liability for malware fraud would be allocated by contract and certainly from my perspective any properly advised financial institution would seek to allocate risk away from itself and to its counter party," special counsel at Clayton Utz, David Kreltszheim recently told IT Pro.
According to Komarov, around 90 per cent of the victims he had seen in Australia were personal accounts and 10 percent were business accounts. The company gathers its data through the Honeynet security project, infiltrating criminal networks and by sink-holing the botnet, which involves commandeering a component of the botnet and intercepting its communications.
Fairfax Media has seen emails from CERT Australia, the Attorney General's Department's information security response team, that show it is also investigating Carberp infections in Australia, however it declined to comment.
"CERT Australia works on a trust partnership basis with business and does not comment publicly about any specific work or issues," a spokesperson from the A-G's department told IT Pro.
The Australian Government however has been tackling Carberp with the aid of ISPs.
The Australian Communications and Media Authority (ACMA) runs the Australian Internet Security Initiative (AISA), and has been tackling Carberp with the aid of ISPs by sending them alerts, according to Bruce Matthews, ACMA's manager of e-security operations.
"I can confirm that the ACMA is sending reports of Carberp infections to ISPs and universities that participate in the AISI - although this data is not sourced from Group IB," Matthews told IT Pro.
There are around 240 new live Carberp infections every day and ACMA's AISA has been reporting these for the past two years, said Matthews.
However, Carberp could be much larger. "It is also possible that we are reporting some Carberp infections under our 'Trojan: Generic' classification. Around 1500 infections per day are currently being reported under this category," Matthews said.
Microsoft and the FBI's launched an attack on another cybercrime ring last week. They say the Citadel botnet was used to steal more than $US500 million from bank accounts in more than 80 countries, including Australia, over the past 18 months.