Crimeware-as-a-Service Threatens Banks

Why Evolving Malware Families Are Big Cause for Concern
Crimeware-as-a-Service Threatens Banks

A new report from security firm Sophos raises alarms about the increasing sophistication of crimeware-as-a-service, an underground business model that pushes adaptable malware from a botnet, rather than simply infecting a single machine.

See Also: Security Shouldn't be Boxed: The Cloudified Edge & End of an Era for Hardware Box Providers

In Sophos' new report, Vawtrak - International Crimeware-as-a-Service, researchers focus on the banking malware strain known as Vawtrak, which compromises commonly used URLs by injecting them with code. This allows the hackers to steal online banking credentials as they are input on the bank's website, and the attack is garnering attention from security experts at other firms as well.

"Vawtrak is formerly known as Gozi, a name adopted by the Vawtrak operation for their malware," says Don Jackson, director of threat intelligence for online security firm PhishLabs.

But unlike Gozi, Vawtrak ranks as the "single most dangerous threat" among botnet-based cybercrime malware strains on the market today, he says.

While Vawtrak's crimeware-as-a-service model, better known as CaaS, has been around since about 2006, researchers say the crime rings that manage this type of service have perfected their techniques, affording them the ability to adapt their attacks for specific targets.

Sophos' Research

Over a three-month period, Sophos' review of the Vawtrak botnet found that banking institutions and other businesses in Germany, Poland, Japan, the U.S., the United Kingdom, Australia, Turkey, Slovakia, the Czech Republic, India, Italy, Saudi Arabia, the UAE, Malaysia, Portugal and Spain were being targeted.

Some of the most notable U.S. banking institutions that have been targeted by this attack so far include Bank of America, Wells Fargo, Capital One Financial Corp., Citigroup and JPMorgan Chase, says Sophos' spokesman Mike Bradshaw.

None of those institutions responded to Information Security Media Group's inquiry about whether they had suffered incidents and subsequent fraud as the result of a Vawtrak attack, and Sophos would not comment about any specific attacks, either.

But Sophos' Bradshaw says targeted institutions should remind online banking customers to patch operating systems and install up-to-date security patches to ensure their PCs are protected.

"In addition, proper endpoint-protection (anti-virus) software is a must," he says for banking institutions. "And always be alert for suspicious behaviors, like being asked for information that you don't normally have to provide when initiating an online transaction."

Banks also should mandate two-factor authentication, Bradshaw says.

Vawtrak's Growth

Sophos found Vawtrak was the second most popular malware distributed by Web-based exploit kits between September and November 2014.

"Vawtrak represents 11 percent of all malware, replacing Zbot [Zeus] as the leading banking malware botnet," Bradshaw adds. "Vawtrak operators are setting up the botnet to deliver crimeware-as-a-service, rather than following a more traditional kit-selling model that older families, such as Zeus or SpyEye, once employed."

The code that's injected is customized, based on the targeted domain, Sophos notes.

"Vawtrak is an information-stealing malware family that is primarily used to gain unauthorized access to bank accounts through online banking websites," Sophos points out. "Machines infected by Vawtrak form part of a botnet that collectively harvests login credentials for the online accounts to a wide variety of financial and other industry organizations."

Crimeware-as-a-Service Evolves

But what makes this Vawtrak attack stand out is that the CaaS model used to distribute this malware in the underground is more widespread than any other CaaS model used before to compromise online banking credentials.

"A major factor is prevalence," PhishLabs' Jackson says. "Only Zeus and its many variants -GameOver, KINS, ZeusVM, Zberp, etc. - taken as a single malware 'family' would outrank Vawtrak."

PhishLabs has been tracking Vawtrak and its botnet since September.

"Those in control of Gozi in the past, and its evolved Vawtrak version, originally pioneered the crimeware-as-a-Service model under the name 76Service and described in early 2007, he says. "That focus continues, with Project Blitzkrieg in 2010, up until the latest campaigns beginning in June 2014."

Jackson says PhishLabs' Research Analysis and Intelligence Division recently observed a new version of Vawtrak that showed a dramatic acceleration in the development of the software that drives Vawtrak's CaaS model, as well as an expanded targeting configuration, which has continually grown at the same pace since September 2014.

Sophos also found that Vawtrak is using networks from earlier malware strains.

"Vawtrak, also known as NeverQuest and Snifula, injects a DLL [dynamic link library] into browser processes," Sophos writes in its report. "When targeted URLs are visited, Vawtrak inserts extra code into the Web page. The extra code is used for a wide variety of purposes, including bypassing two-factor authentication, attempting to infect the victim with a mobile malware component using social engineering, and automatically initiating a transfer out of the victim's account and subsequently hiding the evidence of the transfer."

Stolen credentials are used, in combination with injected code and proxying through the victim's machine, to initiate fraudulent transfers to bank accounts controlled by the Vawtrak botnet administrators, Sophos concludes in its report.

From there, Vawtrak's operators create attack campaigns based on their criminal customers' requests, selling the output of the botnet to them, which is effectively data, Sophos notes. "This is an example of crimeware-as-a-Service, a model that we have seen in other high-profile banking-malware families, such as Gameover Zeus, and which is examined in the European Cybercrime Centre's Internet Organised Crime Threat Assessment."

But Andrew Komarov, CEO of cyber-intelligence firm Intelcrawler, says hackers are increasingly targeting banking institutions outside the U.S.

"U.S. banks were overloaded with various types of fraud, and lots of customer protection mechanisms were successfully improved, which resulted in some new trends in underground," Komarov says. "We have identified a growth in interest toward EU and U.K. money-mule services, which shows that EU countries might be one of the priorities for cybercriminals in the future."

This, too, is a point noted by Sophos in its report.

"Although Vawtrak is neither technically ground-breaking nor innovative, it is an example of how a banking malware botnet can be used extremely effectively to achieve its goals," Sophos points out. "Vawtrak targets banks in a wide range of different countries, including some that are highly unusual to see banking malware target, and also targets companies from other industries that are off the radar of typical banking malware families. Combined with the use of specific campaign IDs, it's evident that the Vawtrak operators are setting up the botnet to deliver crimeware-as-a-service, rather than following a more traditional kit-selling model that older families such as Zeus or SpyEye once employed."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network