
APPENDIX: HOW DO BOTMASTERS CONVERT ATTACKS INTO CASH?

Today’s Trojans generally steal all the HTTP and HTTPS communications sent from an infected system. This includes YouTube searches for Lady Gaga videos, as well as weather, sports, and stock-market-related searches. Some of the more sophisticated Trojans, such as Qakbot and Zeus, employ scripts that filter out the ‘cashable’ information from the ‘non-cashable’ information, leaving the botmaster with data that can be monetized relatively easily. What remains in the botmaster’s hands is a collection of sensitive data, such as consumers’ digital certificates and cookies used by banks to authenticate users when they access the bank’s website, as well as payment card numbers, and online banking usernames and passwords.

Once in the botmaster’s hands, this information can be used by the botmaster, or his gang, in one of two ways: 1) The botmaster may perform a range of unauthorized transactions himself, including ecommerce fraud, wire transfers to mule accounts, or fraudulent ATM withdrawals, to name a few, or 2) The botmaster may choose to sell the information. As a vendor in an underground forum, the fraudster may sell the credentials himself to other forum residents, or, alternatively, he may sell them to operators of underground black-market “credit card stores”, where fraudsters can freely buy and sell compromised payment cards and online banking credentials.

As part of fraudsters’ efforts to monetize existing botnets, specialized per-country infection services, called “Installs” or “Loads” services, are offered in the English and Russian-speaking underground. These are generally offered by fraudsters who have the ability to spam a large number of online users for the purpose of infecting their systems⁹ (Figure 18). RSA has traced instances of German ‘installs’ packages being sold for $100-$120 per 1,000 infections (Figure 19).

Botmasters can also monetize their botnets by renting out or selling individual infected systems (bots) for use as one-time proxies. This functionality enables other perpetrators to mask their true IP address when accessing a victim’s online bank account. RSA has traced offerings by fraudsters in which data sets that enable remote access to a victim’s computer are sold for $1 to $2 each.

A third botnet monetization method comes in the form of selling botnets as-is: Clusters of hundreds and even thousands of infected machines operated by the same Trojan variant (containing the same MD5 signature and communication resources) are offered for sale in the underground, as part of a complete country-specific ready-made botnet package. Each botnet package comes with a matching set of HTML injections targeting that region’s most prominent financial institutions. In one example, ready-made botnets exclusively composed of German consumers’ systems were offered for $700 each (Figure 20).


⁹ The two most common malware infection vectors are spam email messages and drive-by downloads. Spam emails distributed for malware infection campaigns contain malicious hyperlinks or attachments that download malicious code to a user’s machine. Drive-by downloads, on the other hand, download malicious code to users’ computers when they visit a website that contains an infection point. Drive-by downloads normally utilize invisible iFrames, which pull malicious code from a remote server. The code scans a user’s system for a vulnerability, and if one is found, allows a Trojan to gain a foothold and install itself on the victim’s machine.
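The footnote describes the invisible-iframe infection point. As an added defensive example (not part of the RSA report), the following Python script flags iframes that are both hidden (zero-size or hidden via CSS) and point to a host other than the page’s own, which is the combination a web-integrity or proxy scanner would alert on. The page host and the sample HTML are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible first-party iframe, one zero-size hidden
# iframe pulling from a remote host (the drive-by pattern), one hidden local one.
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.example-bank.test/widget" width="300" height="200"></iframe>
<iframe src="http://evil-host.test/load.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/local/frame.html" style="display:none"></iframe>
</body></html>
"""

# CSS tricks commonly used to hide a frame: display:none, visibility:hidden,
# or positioning it far off-screen (e.g. left:-9999px).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)


def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel (effectively invisible)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_hidden_remote_iframes(html, page_host):
    """Return src values of iframes that are both hidden and point off-host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for a in parser.iframes:
        src = a.get("src") or ""
        host = urlparse(src).hostname
        remote = host is not None and host != page_host
        hidden = (_tiny(a.get("width")) and _tiny(a.get("height"))) or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if hidden and remote:
            hits.append(src)
    return hits
```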

The above HTML injections were traced by the FraudAction Research Lab while analyzing an advanced MITM attack launched using a variant of the SpyEye Trojan. Depending on the website accessed by the user, the Trojan injected the appropriate request for an OTP following the user’s successful login.

For more details on this attack, see the FraudAction Research Lab blog entry on this finding.

Figure 1: HTML Injections requesting Mobile-based OTP and Card Reader Codes

Banker Trojans targeting German consumers often request users to enter a full set of valid iTAN numbers. With banks moving away from iTANs and shifting to more sophisticated transaction-signing OTPs, Trojan attacks will likely target newer 2FA methods, such as mTANs, using social engineering methods.

Figure 2: HTML Injection used by a Variant of the Zeus Trojan

Figure 3: Fraudster offers German Credit Cards (€5 each) + Unverified Credit Cards with Bank Data (€15 per set)

Figure 4: Fraudster offers 3 German Credit Cards with MCSC for $30 each

Figure 5: Fraudster Offers German Credit Cards for €5 - €30 each

Figure 6: Fraudster Offers Login with complete list of TANs

Figure 7: For Sale! Spam Mailing List + Trojan Logs of German Consumers (“DE Dumps”)

Figure 8: Unsorted Trojan Logs of 15,000 German Victims offered for Sale. Price: €15

Figure 9: Deutsche Post Packstation Gold Cards Offered for €3 each

Figure 10: Sample Flow of a MITM Attack

Figure 11: Sample Flow of a MITB Attack

Research of Qakbot’s server-side code showed that Qakbot’s operators receive a real-time notification on the receipt of targeted credentials via a TCP message sent from the Trojan’s C&C server. The TCP messages contain compromised HTTP/S POST requests and appear in the format shown in Figure 12. The word “Achtung”, which is German for “Attention”, appears in each of the TCP messages reporting stolen credentials. This interjection may be indicative of the Trojan authors’ nationality as being German or Austrian.

Figure 12: Real Time TCP Notification Message containing Targeted Credentials

Gozi’s fake warning page reads as follows:

Attention!

For reasons of momentary malfunction in our Strong Authentication Electronic system, a problem sending and receiving SMS messages presently affects money transfers, payments and data loading.

Your account is disabled and needs to be reactivated. In order to repair the system and reactivate your account, our system has to test the connectivity of our Strong Authentication Electronic system to your mobile device. You will shortly receive an SMS message containing an authorization code generated by our system.

Attention! No transfers will be made; this is a system verification only. We provide randomly generated codes to verify the functionality of your account and the correctness of your authorization code.

GENERATE SMS

Figure 13: Socially-Engineered HTML Injection used by Gozi Variant (Example 1 of 3)

Another version of this fake warning was created for other targets:

ATTENTION

For reasons of malfunction in our Signing Code system we are currently experiencing problems in sending and receiving SMS messages for money transfers, payments and data loading.

Your account has been disabled and needs to be reactivated. In order to repair the system and reactivate your account, our security system must test the connectivity of our Signing Code system to your mobile device. You will shortly receive a message containing a signature code.

Victims who were in the midst of conducting their online banking activities could easily believe that the bank’s website may have malfunctioned. Receiving an SMS at that same time would have only increased the message’s credibility, making it possible for the fraudster to harvest the SMS code from the victim and use it to complete the fraudulent money transfer.


LOG OFF

For security reasons and due to an extended inactivity period, your online banking access has been revoked by our system. In order to re-establish access to your account you must enter your user name and secret code into our access page.

CONFIRM

Figure 14: Socially-Engineered HTML Injection used by Gozi Variant (Example 2 of 3)

Figure 15: Socially-Engineered HTML Injection used by Gozi Variant (Example 3 of 3)

Figure 16: Gozi Script Designed to Pop-Up Social Engineering Page

Figure 17: Transfer Log of Mule Control Panel used by a fully automated MITB SpyEye Trojan Attack

Figure 18: “installsmarket.net” – Country-Specific Infection Service

Figure 19: “installsforyou.biz” – Country-Specific Infection Service

Excerpt from Underground Ad, Translated from Russian by RSA

Service for selling Botnets just for you!

We will create a SpyEye botnet especially for you. Latest version of SpyEye. We are the only ones to offer a 15% discount for bulletproof servers from *****. 10% discount for BlackHole exploit kit (rent or purchase).

Private encryption services for our clients - 20$/crypt.

Botnet for UK: 700$

Botnet for ES: 700$

Botnet for DE: 700$

Botnet for PT: 700$

Botnet for USA: 700$

Figure 20: Ready-Made Country-Specific SpyEye Botnets offered for $700 each
