Cybercrooks have stolen more than EUR300,000 in just three weeks from German bank accounts using a sophisticated new Trojan that forges online statements to hide the theft from victims, according to a report from security outfit Finjan.
Finjan says the Ukraine-based gang used websites, both compromised legitimate sites and fakes, to spread malicious code with the LuckySploit crimeware toolkit.
After infection, a bank Trojan was installed on the victims' machines and logged their account details before starting communication with a command and control server in the Ukraine.
The server told the Trojan, called URLZone, how much to steal from each account and where to send it.
Finjan says the gang had a good idea of how bank anti-fraud systems work, and minimised the chances of detection by stealing a different, randomised amount in each transaction, keeping each victim's balance in the black and never taking a large sum.
The stolen funds were sent to money mule accounts which belonged to innocent victims who were told they were being paid for working from home or other moneymaking schemes.
Once the stolen money was in their accounts, the mules were asked to transfer it - after taking a commission - to an account provided by the cybergang.
To beat bank anti-fraud systems, each money mule account was used only a limited number of times within a set timeframe. Since banks monitor large transfers, the amount deposited into a mule account was predefined so that it stayed under the radar.
Yuval Ben-Itzhak, CTO, Finjan, says: "In this case, the specific criteria that the Trojan received from its Command & Control center mark a whole new level of cybercrime sophistication in the techniques used by cybercriminals. Using these methods they successfully evade anti-fraud systems that banks deploy - we dubbed it the Anti anti-fraud."
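The evasion described above is aimed squarely at per-transfer rules: if every theft is a modest, varied amount and the victim stays in credit, a rule that looks at one transfer at a time has nothing to fire on. The signal that survives is on the beneficiary side, where several unrelated payers credit one freshly recruited mule within days. The following is an added example, not code from Finjan or from the report; the transfer log, account labels, the EUR 5,000 threshold and the seven-day window are all constructed for illustration.

```python
"""Added example: a per-transfer threshold rule versus a beneficiary-side
aggregation rule, run over a constructed transfer log in the pattern the
Finjan report describes (varied, modest amounts; victims kept in credit;
several victims feeding each mule within a few days)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transfer log: (timestamp, payer, beneficiary, amount in EUR).
TRANSFERS = [
    (datetime(2009, 9, 1, 10, 12), "VICTIM-001", "MULE-A", 1437.80),
    (datetime(2009, 9, 1, 15, 41), "VICTIM-002", "MULE-A", 2210.15),
    (datetime(2009, 9, 2, 9, 5),   "VICTIM-003", "MULE-A", 1895.00),
    (datetime(2009, 9, 3, 11, 30), "VICTIM-004", "MULE-B", 3120.40),
    (datetime(2009, 9, 3, 16, 2),  "VICTIM-005", "MULE-B", 980.25),
    # Ordinary activity mixed in: a salary credit and a one-off purchase.
    (datetime(2009, 9, 1, 8, 0),   "EMPLOYER-1", "VICTIM-001", 2800.00),
    (datetime(2009, 9, 4, 12, 15), "VICTIM-002", "SHOP-XYZ", 349.99),
    # MULE-A reused a month later: outside the window, so it does not
    # count towards September's cluster (this is the gang's "limited
    # number of times within a certain timeframe" working as intended).
    (datetime(2009, 10, 6, 10, 0), "VICTIM-006", "MULE-A", 1610.00),
]

# Assumed bank rule for "large" transfers; the gang keeps every theft below it.
LARGE_TRANSFER_THRESHOLD = 5000.00


def flag_large_transfers(transfers, threshold=LARGE_TRANSFER_THRESHOLD):
    """Naive per-transfer rule: flag any single transfer over the threshold.

    Against the constructed log this returns nothing, which is the point:
    randomised sub-threshold amounts defeat it entirely.
    """
    return [t for t in transfers if t[3] > threshold]


def flag_mule_candidates(transfers, window=timedelta(days=7), min_payers=3):
    """Beneficiary-side rule: flag an account credited by at least
    `min_payers` distinct payers inside any `window`-long span.

    Returns {beneficiary: set_of_payers} for every account that trips the
    rule. Legitimate accounts with one regular payer are not affected.
    """
    credits_by_beneficiary = defaultdict(list)
    for ts, payer, beneficiary, _amount in transfers:
        credits_by_beneficiary[beneficiary].append((ts, payer))

    flagged = {}
    for beneficiary, credits in credits_by_beneficiary.items():
        credits.sort()  # chronological; lets us slide a window from each credit
        for i, (start, _) in enumerate(credits):
            payers = {p for ts, p in credits[i:] if ts - start <= window}
            if len(payers) >= min_payers:
                flagged[beneficiary] = payers
                break
    return flagged


if __name__ == "__main__":
    print("large transfers:", flag_large_transfers(TRANSFERS))
    print("mule candidates:", flag_mule_candidates(TRANSFERS))
```

The cat-and-mouse the Finjan CTO calls "anti anti-fraud" is visible in the parameters: the gang caps how many times a mule is used per period, so the bank's `min_payers` and `window` have to sit below that cap or the mule rule goes quiet too. Lowering `min_payers` to 2 in the example also catches `MULE-B`, at the cost of more false positives on accounts that legitimately receive a few payments.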
Meanwhile, in another example of the increasing sophistication of hackers, a real-time Trojan has been used to steal $477k from a US firm by capturing its one-time password while it was still valid.
According to an article in the Technology Review, an account manager at construction firm Ferma logged in to the company's bank account using a one-time-password generator to pay bills this July.
Despite the fact that the password changes every 30 to 60 seconds, a hacker using what is known as a real-time Trojan horse captured it and stole $477,000 from Ferma in the space of a few minutes. As a result of the attack, Ferma has reverted to issuing cheques for payments.
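A time-based one-time password only proves that whoever typed it held the token during that 30 to 60 second step; it says nothing about which session or transaction it authorises. A Trojan that reads the code as the user types it and relays it immediately is therefore just another client that knows the code. The following added example, not from the Technology Review article or from any bank's code, implements RFC 4226/6238-style HOTP/TOTP with the standard library and shows that a captured code is accepted by the verifier as long as the relay lands inside the validity window. The shared secret, the 30-second step and the one-step clock-skew allowance are assumptions made for the demonstration.

```python
"""Added example: why a time-based one-time password does not stop a
real-time relay. The secret, step and skew values are constructed."""
import hashlib
import hmac
import struct
import time

SHARED_SECRET = b"constructed-demo-secret-not-real"  # per-token secret (assumed)
STEP_SECONDS = 30   # the article gives 30 to 60 seconds per code


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step)


def server_accepts(secret, code, at_time, step=STEP_SECONDS, skew=1):
    """Bank-side check. Accepts the current step and `skew` neighbouring
    steps either side to tolerate clock drift (assumed policy; this is what
    widens the attacker's window beyond a single step)."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(code, hotp(secret, counter + d))
               for d in range(-skew, skew + 1))


def relay_attack(secret, capture_time, relay_delay, step=STEP_SECONDS, skew=1):
    """The Trojan reads the code the user types at `capture_time` and submits
    it `relay_delay` seconds later. Returns True if the bank accepts it."""
    captured = totp(secret, capture_time, step)
    return server_accepts(secret, captured, capture_time + relay_delay, step, skew)


if __name__ == "__main__":
    now = time.time()
    for delay in (5, 45, 300):
        print("relay after %3ds: accepted=%s" % (delay, relay_attack(SHARED_SECRET, now, delay)))
```

Run the block and the relay succeeds at 5 and usually at 45 seconds, and fails at 300: the attacker does not need the seed, only speed, which is why the Ferma theft had to complete in minutes. The general mitigation, not something the article discusses, is to bind the code to what it authorises (beneficiary and amount entered on the token, so a relayed code only works for the transaction the user actually intended).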
Alleged phishers extradited
Separately, two Romanians accused of participating in a phishing scam against PayPal and several banks have been extradited to the United States to face charges. Petru Belbita, 25, was extradited from Canada last week after being arrested in January. Cornel Tonita, 28, was arrested on an Interpol warrant in Croatia.
The two men were indicted, along with five other Romanian citizens, in 2007 for their alleged participation in the phishing scheme, which allegedly used spam e-mails to steal bank account details and passwords from thousands of customers. Investigators say the gang targeted Citibank, Capital One, JPMorgan, Comerica Bank, Wells Fargo, eBay and PayPal.
One gang member, Ovidiu-Ionut Nicola-Roman, pleaded guilty to a charge of conspiracy to defraud with access devices last year.
Belbita and Tonita, who have both pleaded not-guilty, face over 30 years in jail if convicted.
Over in the UK, a court has heard how fraudsters used a sophisticated Trojan to steal banking details, reports the Daily Mail. Malware redirected victims to a fake NatWest site before siphoning off around £600,000 from 138 customer accounts.
Azim Rahmanov is on trial at London's Southwark Crown Court accused of conspiracy to defraud and transferring criminal property. The case continues.