Feeds

Eastern European banks under attack by next-gen crime app

BlackEnergy 2's one-two punch

Top 5 reasons to deploy VMware with Tegile

Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions' authentication system and then hits it with a denial-of-service attack.

The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks' Counter Threat Unit.

The attacks, which also use a BlackEnergy 2 module to bypass a Java-based application the banks use to authenticate customers online, began near the end of 2009. They show no signs of letting up, said Stewart, who observed the same modus operandi earlier this week.

“Over the months that I've been monitoring this botnet, it's attacked probably a dozen or more banks with the same type of pattern of attacking the java authentication app,” Stewart told The Register. “All we see is, yes, this group has the plug-in that does the banking theft and then we see them also hacking that same banking authentication with the DDoS attack.”

BlackEnergy came to prominence in 2008 when it was reportedly used to disrupt internet communications in Georgia during the armed conflict between the former Soviet republic and Russia. It quickly became a major staple among Eastern European thugs, selling online for about $40 until free, pirated copies became widely available.

BlackEnergy 2, which Stewart first began monitoring in 2009, greatly expands what the software can do. It brings modular functionality to the tool, so separate programmers can write plug-in programs in much the way developers do for the Firefox browser. The gangs Stewart is monitoring are combining BlackEnergy's core DDoS functionality with an add-on to hack the Java authentication application, said Stewart, who presented his findings at this week's FIRST, or Forum of Incident Response and Security Team, conference in Miami.

“It's a good technique to keep [bank employees] distracted while they get the money moved out,” Stewart said. It also “keeps people whose money is in transfer from logging on and seeing what's happening.”

Bank customers victimized in the attacks are being targeted by trojans disguised as pay-per-install applications

In a major break from previous methods, the gangs are exclusively attacking banks in Russia and Ukraine. Previously, they went out of their way to avoid attacking banks in the region, presumably out of fear of attracting attention of law enforcement agents in the criminals' own backyard. Stewart said he's seen at least two unrelated bank fraud scams exclusively targeting banks in Russia and Ukraine, including the Bredavi trojan.

Stewart's report is here. ®

Secure remote control for conventional and virtual desktops

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.