Feeds

Undetectable data-stealing trojan nabs 500,000 virtual wallets

Sinowal's evil genius

3 Big data security analytics techniques

A well-organized crime gang has stolen credentials for more than a half-million financial accounts in less than three years using a sophisticated trojan that remains undetectable to the vast majority of its victims, a report published Friday warns.

The haul of bank, credit, and debit card account numbers stolen by the Sinowal trojan is among the largest ever discovered. It was unearthed by researchers at RSA's FraudAction Research Lab. They say the program, which is also known as Torpig and Mebroot, has been operating non-stop for almost three years, an unusually long time in the fly-by-night world of cybercrime.

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006," RSA researchers wrote.

What's more, Sinowal has only managed to become more productive over time. In the past six months, it has compromised more than 100,000 accounts. Since February, the number of variants has spiked, from fewer than 25 per month to more than 70, according to RSA. The increase helps the malware evade detection by anti-virus programs.

In all, the trojan has infected at least 300,000 Windows machines and stolen 270,000 online banking account numbers and 240,000 credit and debit credentials.

Sinowal is impressive for other reasons as well. Unlike many trojans, it doesn't rely on tricking the end user into clicking on a link or file to get installed. Rather, it spreads silently via websites that prey on unpatched vulnerabilities in the Windows operating system or in third-party applications, such as Adobe Flash and Apple's QuickTime media player.

"This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed," Sean Brady, manager of identity protection at RSA, said in an interview.

It then hides itself on a computer's master boot record, making the infection extremely difficult to find. About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system.

Brady said RSA has shared the data it discovered with affected banks in the hopes they will notify customers who are infected.

Sinowal sits dormant on a machine until a user points a browser at the website of a bank or other financial institution. Then an HTML injection engine adds fields to the website's login page that prompt victims to enter social security numbers, passwords, and other credentials. Once entered, the information is transmitted to a server under the control of the malware authors. The injection mechanism is triggered by more than 2,700 different web addresses.

Little is known about the group responsible for Sinowal, but at least one clue suggests the group has ties to Russia: While the trojan targets institutions in dozens of countries in North America, Europe and Asia, none were located in Russia. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.