Hackers make off with €500,000 from European bank

Cybercriminals managed to steal over €500,000 (401,000) from an unnamed bank at the beginning of the year using a combination of malware and a man-in-the-middle attack.

Over the course of a week, the hackers stole from the accounts of 190 people, mostly in Italy and Turkey. The scam was uncovered by IT security firm Kaspersky. Amounts of between €1,700 (1,300) and €39,000 (31,000) were debited from the accounts.

Researchers from the company detected a suspicious command and control (C&C) server on 20 January. The firm also discovered transaction logs detailing the amounts stolen.

However, it is unclear what malware was used in the attack. Vicente Diaz, principal security researcher at Kaspersky Lab, said that it could possibly be a variant of the Zeus malware.

"On the C&C server we detected there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims," he said.

The company has codenamed the attack "Luuuk": a trojan was used to intercept account details and make fraudulent transactions after the user had logged into the online bank account.

A number of groups acting as money mules transferred the money to bank accounts created especially for the attack. Once in the accounts, criminals withdrew the money via cash machines.

Diaz added that the way money was transferred showed that organised crime was behind the attack.

"These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each 'drop' type. We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a 'drop' is asked to handle, the more he is trusted," he added.

The C&C server related to Luuuk was shut down shortly after the investigation started, and law enforcement was alerted to the incident.

However, Kaspersky added that the complexity of the MITB (man-in-the-browser) operation suggests that the attackers will continue to look for new victims for this campaign.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.