Over 190 clients of a large European bank were the target of a man-in-the-browser (MitB) campaign that allowed cybercriminals to pocket at least $680,000 out of their accounts.
MitB attacks resemble man-in-the-middle attacks, but the interception happens inside the victim's browser rather than on the network: a Trojan hooks the browser's functions and dynamically intercepts and manipulates the calls between the web page and the browser's security mechanisms, so it can read and rewrite page content and transaction data after TLS has already been decrypted. Detecting this type of attack is difficult because every security control still displays and works normally: the connection really is encrypted, the site really is the bank's, and the one-time code the victim types really is valid. It is simply read by the Trojan as it is entered.
Researchers at Kaspersky found evidence of the attack when they encountered the campaign's command and control (C&C) server in January. The attackers, however, wiped the server of every trace that could have been used to identify them on January 22, two days after the server was discovered.
In the two days they had, the researchers analyzed the logs that were still available and determined that more than 190 customers of a large European bank, whose name remains undisclosed, had fallen victim to the heist.
The victims are from Italy and Turkey and had their accounts robbed of sums between $2,300 and $53,000.
Researchers could not determine the specific malware used in the campaign and speculate it may be a Zeus variant that relies on sophisticated web injects.
“On the C&C server we detected there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab.
They were, however, able to determine that the malware exfiltrated usernames, passwords and OTP (one-time password) codes in real time. The timing matters: a one-time code is only good for a single login or transaction and for a short window, so the stolen code has to be relayed and used before the bank's expiry or the victim's own request consumes it.
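To make the mechanism described above concrete, here is an added, simulated example; it is not the Luuuk malware's code and does not come from Kaspersky's report. It shows a hook placed between a banking page's JavaScript and its transport method that copies the username, password and one-time code the moment they are submitted and then forwards the original request unchanged, which is why the victim sees a normal, successful login. It also shows the integrity check a defender can run against such a hook. The client, the placeholder URL https://bank.example and the names createBankClient, installMitbHook and hookIntegrityCheck are assumptions made for this example; in a real browser the hooked method would be XMLHttpRequest.prototype.send or window.fetch, replaced here by a plain object so the code runs under Node without a DOM.

```javascript
// Added illustration of a man-in-the-browser hook; not the Luuuk malware or
// Kaspersky code. createBankClient, installMitbHook, hookIntegrityCheck and
// the bank URL are assumed names for this example.

// The page's own client: serialises the login form and hands it to a
// transport method. In a browser that method would be
// XMLHttpRequest.prototype.send or window.fetch; a plain object stands in
// for it so the example runs under Node.
function createBankClient() {
  const transport = {
    send(url, body) {
      // Stand-in for the network call; returns what the bank "server" received.
      return { url, body: JSON.parse(body) };
    },
  };
  // Pristine reference captured when the page initialises, used by the
  // integrity check below. Best effort only: a Trojan that hooks before the
  // page's scripts run (as an in-browser Trojan does) defeats this.
  const pristine = {
    fn: transport.send,
    src: Function.prototype.toString.call(transport.send),
  };

  function login(username, password, otp) {
    const body = JSON.stringify({ username, password, otp });
    return transport.send("https://bank.example/api/login", body);
  }
  return { transport, pristine, login };
}

// Attacker side (simulated): wraps the transport so every request is read
// before it leaves. Captured fields go to `sink`, which stands in for the
// C&C channel.
function installMitbHook(transport, sink) {
  const original = transport.send;
  transport.send = function hookedSend(url, body) {
    const fields = JSON.parse(body);
    // Credentials and the still-valid one-time code are copied out in real time...
    sink.push({ url, username: fields.username, password: fields.password, otp: fields.otp });
    // ...and the untouched request is forwarded, so the login succeeds, the
    // TLS padlock stays green and nothing looks wrong to the victim.
    return original.call(this, url, body);
  };
}

// Defender side: compare the live method with the pristine reference, both
// by identity and by source text (a JS wrapper's source differs from the
// function it replaced).
function hookIntegrityCheck(client) {
  const live = client.transport.send;
  return {
    identityChanged: live !== client.pristine.fn,
    sourceChanged: Function.prototype.toString.call(live) !== client.pristine.src,
  };
}

// Constructed demo input: one login with a made-up OTP after the hook is installed.
function demo() {
  const client = createBankClient();
  const sink = [];
  installMitbHook(client.transport, sink);
  const reply = client.login("alice", "correct horse", "482913");
  return { serverSaw: reply.body, attackerGot: sink, check: hookIntegrityCheck(client) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check only helps if the page's own code captured its reference before the hook went in; a Trojan running inside the browser process can hook earlier, and can patch Function.prototype.toString as well, so client-side hook detection is a heuristic rather than a control. The bank-side control that actually defeats real-time OTP theft is binding the one-time code to the transaction details (amount and destination account) so that a relayed code cannot authorise a different transfer.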
Kaspersky's report found that the money taken from the victims' accounts was distributed among three money-mule groups, each entrusted with a capped sum to cash out at ATMs.
One group handled the large sums (up to $68,000), a second handled medium amounts capped at $27,000, and a third dealt only with sums no larger than $2,700.
Capping what each group handled limited the operators' exposure if a mule group decided to keep the money for itself.
Kaspersky named the campaign Luuuk after the path of the administration panel on the C&C server: “/server/adm/luuuk/”.
The recovered evidence covers roughly one week of activity; if the campaign had been running longer, the total stolen is considerably higher than the $680,000 observed. The researchers attribute the operation to professional criminals and consider further attacks by the same group very likely.