
New Malware (URLzone Bank Trojan) Re-Writes Online Bank Statements to Cover Fraud








It’s sophisticated, it’s nasty, it’s ruthless and it’s intelligent, and it leaves account holders no clue when it drains their balance. Security experts agree that cyber-criminals are getting smarter, but this new Trojan takes things to a whole new level: it is a highly sophisticated Trojan horse program that keeps reinventing itself in its quest to empty bank accounts. The URLzone Trojan, recently identified by researchers at Web filtering vendor Finjan Software, represents “the next generation of bank Trojans,” said Yuval Ben-Itzhak, Finjan’s chief technology officer.

This new malware does more than let attackers rob a bank account; it goes a step further and hides the evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to the report. Because URLzone rewrites the bank’s pages, victims get no indication that their accounts have been tampered with and, in many cases, emptied. Its command-and-control interface even lets the operators preset the percentage of the account balance they wish to clear out.


Once installed on the victim’s computer, the URLzone Trojan alters the HTML before it is displayed in the user’s browser, either to erase a money transfer from the bank statement entirely or to alter the amounts of the transfers and balances shown. This trick buys the attackers behind the Trojan some time before the victim discovers the fraud. The victim can still spot the fraud, however, by checking the bank balance from an uninfected machine.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” Ben-Itzhak says. “It’s a very sophisticated technique.”

____________________________________________________________________

According to Finjan, URLzone is a botnet that targets computer users in Western Europe. It hijacked about 6,400 computer users last month and was clearing about €12,000 (£11,074) per day. Victims’ computers are infected with the Trojan after visiting compromised legitimate web sites or rogue sites set up by the attackers.

Once a victim is infected, the malware grabs the consumer’s login credentials for their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer and where to send it. To avoid tripping a bank’s automated anti-fraud detectors, the malware withdraws random amounts. The Trojan also checks that the withdrawal doesn’t exceed the victim’s balance, another technique to make sure that the bank’s fraud detection system does not get triggered.

The money gets transferred to the legitimate accounts of unsuspecting money mules who’ve been recruited online for work-at-home gigs, never suspecting that the money they’re allowing to flow through their account is being laundered. These mules are often recruited from job sites such as Monster.com and they typically believe they’re doing legitimate payroll work for overseas companies, and not organized criminal enterprises. Once they send the stolen money offshore, they can be the ones who are held accountable for the loss. The mule transfers the money to the crook’s chosen account. The cyber gang Finjan tracked used each mule only twice, to avoid fraud pattern detection. The idea is to confuse researchers and to prevent the criminal’s real money mules from being discovered.

“They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there,” says Ben-Itzhak. “If you don’t know it, you won’t report it to the bank so they have more time to cash out.” Although over 90% of such cases involved Internet Explorer, almost all browsers are vulnerable to the URLzone Trojan, according to Ben-Itzhak.

The researchers were able to capture screenshots showing the rogue bank statements in action, disguising, for example, a transfer of Euro 8,576.31 as Euro 53,94.
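The rewriting described above can be caught by reconciling what the browser displayed against a record the infected browser cannot touch, which is what checking from an uninfected machine amounts to. The following is an added example, not code from Finjan or the original post; it assumes both views expose a stable transaction id, and the sample data is constructed around the Euro 8,576.31 / Euro 53,94 case.

```python
import re
from decimal import Decimal

def parse_amount(text):
    """Parse '8,576.31', '8.576,31' or '53,94' into a Decimal.

    A final '.' or ',' followed by exactly two digits is the decimal mark;
    any other '.' or ',' is thousands grouping.
    """
    cleaned = re.sub(r"[^\d.,-]", "", text)
    m = re.fullmatch(r"(-?[\d.,]*\d)[.,](\d{2})", cleaned)
    whole, cents = m.groups() if m else (cleaned, "00")
    return Decimal(re.sub(r"[.,]", "", whole) + "." + cents)

def reconcile(ledger, displayed):
    """Compare the trusted record with what the browser rendered.

    Returns (kind, id, real_amount, shown_amount) tuples, where kind is
    'hidden' (row erased from the page) or 'altered' (amount rewritten).
    """
    shown = {t["id"]: parse_amount(t["amount"]) for t in displayed["transactions"]}
    findings = []
    for t in ledger["transactions"]:
        real = parse_amount(t["amount"])
        if t["id"] not in shown:
            findings.append(("hidden", t["id"], real, None))
        elif shown[t["id"]] != real:
            findings.append(("altered", t["id"], real, shown[t["id"]]))
    real_bal = parse_amount(ledger["balance"])
    shown_bal = parse_amount(displayed["balance"])
    if real_bal != shown_bal:
        findings.append(("altered", "BALANCE", real_bal, shown_bal))
    return findings

# Constructed sample data (ids are hypothetical): LEDGER is the trusted record,
# DISPLAYED is the statement as rendered in the infected browser.
LEDGER = {"balance": "Euro 526.15", "transactions": [
    {"id": "T1", "amount": "Euro 750,00"},
    {"id": "T2", "amount": "Euro 8,576.31"},
    {"id": "T3", "amount": "Euro 1.200,00"}]}
DISPLAYED = {"balance": "Euro 10,248.52", "transactions": [
    {"id": "T1", "amount": "Euro 750,00"},
    {"id": "T2", "amount": "Euro 53,94"}]}

if __name__ == "__main__":
    for finding in reconcile(LEDGER, DISPLAYED):
        print(finding)
```
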

____________________________________________________________________

“The example we found relates to German banks,” Ben-Itzhak says. “But we believe this will increase to other countries.” “Basically they say, ‘I will steal from you €5,000, but I want to make sure at least 5 percent will remain in your balance,’” Ben-Itzhak said.


Author: TechChunks (has written 486 Articles)

TechChunks is a 27-year-old Technology Geek, Web Entrepreneur, SEO Consultant and Social Media Evangelist from Pune (India). Prior to starting this blog, TechChunks has spent many productive years as a Software Engineer, Blogger, Corporate Trainer, Frequent Conference Speaker and Workshop Leader. He has a special interest in "Problem Solving" and can be found hiking on weekends...

9 Responses to " New Malware (URLzone Bank Trojan) Re-Writes Online Bank Statements to Cover Fraud "

  1. [...] URLzone Bank Trojan Re-Writes Online Bank Statements to Cover … [...]

  2. techprism says:

    Not only URLzone but there are so many programs that are breaking online security. Frauds & scams are quite common today.

    • TechChunks says:

      There are literally lots of such trojans out in the wild. But what makes “URLzone” outstanding among its peers is the fact that it has the ability to ‘fool’ security agencies and the account holder by “confiscating the online transactions on the fly”! That makes URLzone so difficult to detect until long after the damage has been done, and hence it is so dangerous.

  3. Ramkumar says:

    Besides the bad things it does, I appreciate the way it is programmed. Any idea which language is used to code it?

    • TechChunks says:

      I think for that you will have to contact either the guys at Finjan Software or the FBI ;) Because they are the people who are doing the investigation on this new malware that is proving to be too smart for a Trojan!

  4. Thanks for the info.. I am not aware of this URLzone malware..
    .-= Rajesh Kanuri´s last blogpost >> How to Increase Twitter Followers =-.

  5. Nowadays online transactions have become so very risky because of malware…
    You just feel so insecure doing online transactions… never know when your account will be wiped off… :)


Copyright © 2009-2012 TechChunks – Technology, Gadgets, SEO, Blogging, Social Media. All rights reserved.