A researcher has uncovered malware that targets commercial bank customers by logging into their online accounts and wiring large sums to accounts under the control of criminals.
The Prg Bank Trojan is known to have cost victims at least $200,000, but the actual damage is suspected to be much higher, said Don Jackson, a researcher with Security services provider SecureWorks. The software has attacked commercial clients of about 20 banks in the US, the UK, Spain and Italy over the past six months.
Jackson attributes the malware's success to several clever design features. For one, hackers are alerted each time an online transaction is initiated, allowing the account to be compromised without having to enter a victim's username and password. In addition, the trojan is notable for a focus on commercial banking clients.
"These people have high balances and by default, because the liability for these accounts is on the business and not the bank, they have access to wire transfers," he told El Reg.
The malware is a variant of the Prg Trojan, which logs all data entered into a web browser and transmits it to its authors. The older Trojan has been in the wild for more than a year and is known to have stolen social security numbers, credit card details and other personal details for more than 50,000 victims, according to SecureWorks. The new banking version was unleashed about six months ago and is the handiwork of a Russian cybergang known as UpLevel.
Prg Trojan spreads through malicious links embedded in emails and from booby-trapped iFrames injected into websites. Once Prg is installed, hackers use stolen information to spear phishing victims who control commercial bank accounts by sending a well-crafted email that purports to be from their bank. It entreats the mark to download a new soft token, client certificate or security code. When victims take the bait, the updated Prg Banking Trojan is installed.
The update phones home every time the victim does online banking, allowing the hacker to piggyback on sessions. The malware simulates the keystrokes a user would be expected to type if requesting a wire transfer. Because each bank's website is different, the Trojan is customized for about 20 different institutions, Jackson said.
Through work with law enforcement investigators, Jackson has seen losses of $200,000, but because he believes he is seeing only about 10 percent of the operation, he believes total losses could be as high as $1m. ®