Australia Targets Ukraine Global Banking Malware

SYDNEY, Australia -- Microsoft and the FBI's attack on the Citadel botnet has put a dint in one of the largest threats on the internet, but it's only one nasty piece of crimeware from eastern Europe that is affecting Australians.

Cybercrime: Citadel was only one piece of the puzzle.

Citadel, known primarily as a banking trojan, is also one of the driving forces behind the surge in "ransomware" in the US, Europe and Australia, which presents messages that pose as local law enforcement and locks down the infected PC until a payment is made.

But it's only one platform for attacks that rely on a network of contracted developers who help spawn new variants of the same threat.

Australia's banks have been quietly working with Russian security and forensics firm Group-IB to swat Carberp, a nasty piece of banking malware crafted in Ukraine that has infected 150,000 Australian PCs since last year.

Once installed, the fraud software waits for a victim to log in to their accounts and, via the browser, attempts to commandeer their transaction.

Success rates vary, but its makers from Ukraine are responsible for millions in losses across Russia and Europe.

Security vendors including Symantec, Microsoft, Kaspersky and McAfee recognise Carberp as a nasty "family" of trojans that has been known to grab screenshots of victims' PCs, log keystrokes and steal banking credentials.

According to Andrey Komarov, head of international projects at Group-IB, the hackers behind Carberp have franchised their product to a well-known developer on the underground who built a module (a bolt-on component known as a "web-inject") that adapts attacks originally built for banking customers in other parts of the world to target Australian customers.

ANZ Bank and the Bank of Queensland were the first to respond to the company's recent fraud alert, said Komarov, who is supplying data to the banks on the latest Australian infections.

"An ANZ representative responded immediately," Komarov told IT Pro.

"We provided him all the details about compromised customers of his bank and he immediately blocked it and assisted in contacting other banks. We are also preparing some additional investigation details for ANZ right now, as its e-crime division is one of the most positive we have ever seen."

The module contains technical and social trickery: it presents victims with a fake transaction page and contains tools that allow the attacker to view the victim's browser in real time.

The package includes attacks for customers of CommBank, ANZ, Westpac, the Bank of Queensland, Bendigo Bank, Adelaide Bank, Teachers Mutual Bank, DefenceBank, Suncorp, BankWest and NAB, according to Group-IB.

"Right after the user goes online and wants to make a transfer, they will intercept his session on the browser and spoof the destination of the transfer absolutely silently," Komarov said.

To build a network of infected PCs, the group uses bank-related keywords, such as "Melbourne bank", to game search engine algorithms.

If the victim takes the bait, they are led to websites that host attacks for ubiquitous software, such as the browser plugins for Adobe Flash, Oracle Java and Microsoft's Office products.

Exactly how much the gang and its networks have stolen from Australian banking customers remains unknown, though Komarov estimates that typically 10 per cent of infected PCs result in losses for their users.

Group-IB helped Russian authorities arrest six Carberp gang members last June who were accused of stealing over $4 million from Russian accounts over a four-year spree.

ANZ declined to comment on its investigation.

"ANZ does not comment on security matters other than to say protecting our customers is one of our highest priorities and we are confident in the security tools and team that we have in place," ANZ spokesman Stephen Ries said.

"It should also be noted that any customers who are the innocent victim of fraud will be protected by the bank."

Personal accounts are protected from online fraud under Australia's ePayments Code, but businesses face a different risk: for businesses small and large, liability for malware fraud is determined by contract.

"As far as commercial customers go, liability for malware fraud would be allocated by contract and certainly from my perspective any properly advised financial institution would seek to allocate risk away from itself and to its counterparty," special counsel at Clayton Utz, David Kreltszheim, recently told IT Pro.

According to Komarov, about 90 per cent of the victims in Australia he had seen were personal accounts and 10 per cent were business accounts.

The company gathers its data through the Honeynet security project, by infiltrating criminal networks and by sinkholing the botnet, which involves commandeering a component of the botnet and intercepting its communications.

Komarov sent IT Pro emails from CERT Australia, the information security response team of the Attorney-General's Department (AGD), which show it is also investigating Carberp infections in Australia.

"CERT Australia works on a trust partnership basis with business and does not comment publicly about any specific work or issues," a spokesperson from AGD told IT Pro.

The Australian government however has been tackling Carberp with the aid of ISPs.

The Australian Communications and Media Authority (ACMA) runs the Australian Internet Security Initiative (AISI), and has been sending alerts to ISPs, according to Bruce Matthews, ACMA's manager of e-security operations.

"I can confirm that the ACMA is sending reports of Carberp infections to ISPs and universities that participate in the AISI – although this data is not sourced from Group IB," Matthews told IT Pro.

Every day there are about 240 live Carberp infections, and ACMA's AISI has been reporting these for the past two years, said Matthews.

However, Carberp could be much larger, he said.

"It is also possible that we are reporting some Carberp infections under our 'Trojan: Generic' classification. Around 1500 infections per day are currently being reported under this category," said Matthews.

Source: The Sydney Morning Herald