[wordup] Friends don't let friends use internet explorer
Adam Shand
adam at shand.net
Tue Oct 27 17:24:11 EDT 2009
This is amazing and appears to be legit reporting. There are lots of
details missing in how it actually works but … it's the most
impressive piece of criminal hackery I've read about in a long time.
And to be fair, despite my snide subject line, it says that the below
attack doesn't rely on Internet Explorer.
Adam.
Source: http://www.wired.com/threatlevel/2009/09/rogue-bank-statements/
More: http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf
New Malware Re-Writes Online Bank Statements to Cover Fraud
New malware being used by cybercrooks does more than let hackers loot
a bank account; it hides evidence of a victim’s dwindling balance by
rewriting online bank statements on the fly, according to a new report.
The sophisticated hack uses a Trojan horse program installed on the
victim’s machine that alters the HTML before it’s displayed in the
user’s browser, either to erase evidence of a money transfer
transaction entirely from a bank statement, or to alter the amounts of
money transfers and balances.
The ruse buys the crooks time before a victim discovers the fraud,
though won’t work if a victim uses an uninfected machine to check his
or her bank balance.
The novel technique was employed in August by a gang who targeted
customers of leading German banks and stole Euro 300,000 in three
weeks, according to Yuval Ben-Itzhak, chief technology officer of
computer security firm Finjan.
“The Trojan is hooked into your browser and dynamically modifies the
text in the html,” Ben-Itzhak says. “It’s a very sophisticated
technique.”
The information appears in a cybercrime intelligence report (.pdf)
written by Finjan’s Malicious Code Research Center.
The victims’ computers are infected with the Trojan, known as URLZone,
after visiting compromised legitimate web sites or rogue sites set up
by the hackers.
Once a victim is infected, the malware grabs the consumer’s login
credentials to their bank account, then contacts a control center
hosted on a machine in Ukraine for further instructions. The control
center tells the Trojan how much money to wire transfer, and where to
send it. To avoid tripping a bank’s automated anti-fraud detectors,
the malware will withdraw random amounts, and check to make sure the
withdrawal doesn’t exceed the victim’s balance.
The money gets transferred to the legitimate accounts of unsuspecting
money mules who’ve been recruited online for work-at-home gigs, never
suspecting that the money they’re allowing to flow through their
account is being laundered. The mule transfers the money to the
crook’s chosen account. The cyber gang Finjan tracked used each mule
only twice, to avoid fraud pattern detection.
“They instruct the Trojan that the next time you log into your online
banking account, they actually modify and change the statement you see
there,” says Ben-Itzhak. “If you don’t know it, you won’t report it to
the bank so they have more time to cash out.”
The researchers were able to capture screen shots showing the rogue
bank statements in action, disguising, for example, a transfer of Euro
8,576.31 as Euro 53,94.
The researchers also found statistics in the command tool showing that
out of 90,000 visitors to the gang’s rogue and compromised websites,
6,400 were infected with the URLZone trojan. Most of the attacks
Finjan observed affected people using Internet Explorer browsers, but
Ben-Itzhak says other browsers are vulnerable too.
Finjan provided law enforcement officials with details about the
gang’s activities and says the hosting company for the Ukraine server
has since suspended the domain for the command and control center. But
Finjan estimates that a gang using the scheme unimpeded could rake in
about $7.3 million annually.
“The example we found relates to German banks,” Ben-Itzhak says. “But
we believe this will increase to other countries.”
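The article's point that the rewritten statement only fools a victim who checks it from the infected machine suggests the obvious defensive check: reconcile what the browser rendered against an out-of-band copy of the statement (one fetched from a known-clean machine, a paper statement, or the bank's SMS notifications). The following is an added example written for this post, not code from Finjan or the article; the transaction records are constructed, with the 8,576.31 vs 53.94 figures borrowed from the amounts the article quotes. It shows why an internal balance check alone is not enough: a Trojan that edits the balance together with the line items passes it, while a cross-check against the trusted copy flags both the altered amount and the wrong balance.

```python
"""Reconcile a browser-rendered bank statement against an out-of-band copy.

The data below is constructed for illustration only.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    ref: str         # bank-assigned transaction reference (assumed stable)
    amount: Decimal  # signed: debits negative, credits positive


def internally_consistent(opening, txns, shown_balance):
    """True if the displayed closing balance equals opening + sum of shown lines.

    A statement rewriter that edits the balance along with the lines passes
    this check, so it is necessary but not sufficient.
    """
    total = sum((t.amount for t in txns), Decimal("0"))
    return opening + total == shown_balance


def reconcile(trusted, displayed, opening, shown_balance):
    """Compare the rendered statement with a trusted reference copy.

    Returns a list of findings as (kind, ref, expected, shown) tuples:
      missing    - a trusted transaction absent from the rendered page
      altered    - same reference, different amount
      unexpected - a rendered line the trusted copy does not contain
      balance    - closing balance differs from the recomputed one
    """
    shown = {t.ref: t.amount for t in displayed}
    known = {t.ref for t in trusted}
    findings = []
    for t in trusted:
        if t.ref not in shown:
            findings.append(("missing", t.ref, t.amount, None))
        elif shown[t.ref] != t.amount:
            findings.append(("altered", t.ref, t.amount, shown[t.ref]))
    for t in displayed:
        if t.ref not in known:
            findings.append(("unexpected", t.ref, None, t.amount))
    expected = opening + sum((t.amount for t in trusted), Decimal("0"))
    if shown_balance != expected:
        findings.append(("balance", None, expected, shown_balance))
    return findings


# Constructed sample: the trusted copy shows the real 8,576.31 transfer;
# the rendered page shows it as 53.94 and a balance adjusted to match.
OPENING = Decimal("10000.00")
TRUSTED = [
    Txn("T1", Decimal("-120.00")),
    Txn("T2", Decimal("-8576.31")),
    Txn("T3", Decimal("2500.00")),
]
DISPLAYED = [
    Txn("T1", Decimal("-120.00")),
    Txn("T2", Decimal("-53.94")),
    Txn("T3", Decimal("2500.00")),
]
DISPLAYED_BALANCE = Decimal("12326.06")


def run_demo():
    """Run both checks on the sample and return (internal_ok, findings)."""
    internal_ok = internally_consistent(OPENING, DISPLAYED, DISPLAYED_BALANCE)
    findings = reconcile(TRUSTED, DISPLAYED, OPENING, DISPLAYED_BALANCE)
    return internal_ok, findings


if __name__ == "__main__":
    ok, found = run_demo()
    print("internal balance check passes:", ok)
    for f in found:
        print("finding:", f)
```

On the sample the internal check passes (the page is self-consistent), while the cross-check reports `T2` altered from -8576.31 to -53.94 and a balance of 12326.06 where 3803.69 was expected. The reference copy must come from outside the infected browser; a second fetch from the same machine would be rewritten the same way.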