RSA Report: 500,000 Banking IDs Stolen

The RSA Fraud Action Research Team says it has found a single Trojan that it believes to be behind the theft of more than 500,000 online bank account credentials, credit cards and many other resources.

The security vendor's team revealed its findings late last week and says the gang behind the Trojan may have been operating for as long as three years.

No specific bank names were revealed by RSA, "as it is critical to protect their privacy and security, as well as that of their customers," a spokesperson says.

The research team says its findings are "startling." Based on its tracking and research of the Sinowal Trojan (also known as Torpig and Mebroot), the team indicates that this may "be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters."

The researchers say that the Sinowal Trojan may have been active as early as February 2006, compromising and stealing login credentials from about 300,000 online bank accounts and a similar number of credit and debit cards. The hackers also compromised email and FTP accounts from many websites. RSA researchers add that this particular Trojan, Sinowal, has been the subject of much rumor and speculation, and that little is known of its source. It had strong ties earlier in its life to the now infamous Russian Business Network (RBN).

The researchers warn that Sinowal is one of the most serious threats to anyone with an Internet connection. Why? "Simply put, Sinowal infects victims' computers without even an inkling of a trace." RSA says those behind the Trojan "have not only created highly-advanced and malicious crimeware, but have also maintained one of the most hidden and reliable communication infrastructures. This infrastructure has been designed to keep Sinowal collecting and transmitting information for almost three years." In addition, the online gang was able to take the stolen data and methodically organize it within a single repository. The Sinowal Trojan has also proven capable of evolving, and its activity has risen sharply: the RSA researchers saw its rate of attack spiking upward from March through September 2008.

The compromised data belongs to customers of hundreds of financial institutions within many regions of the world. The team found affected financial institutions within North America (both the United States and Canada), Europe (United Kingdom, France, Spain, Germany, the Netherlands, Italy and others), Asia Pacific (Australia, China, Malaysia, and others) as well as some countries in Latin America. However, the research team found that no Russian accounts were compromised by Sinowal, leading them to suspect that the online gang is operating in Russia. RSA has contacted several law enforcement agencies to inform them of the findings.

For any financial institution that may think it is a target, RSA recommends a layered approach that increases online security and provides a necessary defense-in-depth strategy. This strategy can be executed through the combination of external threat protection, login authentication and risk-based transaction. More specifically, RSA says, organizations can use services that provide real-time protection against external threats such as phishing, pharming and Trojan attacks through:

  • 24x7 monitoring and detection,
  • Real-time alerts and reporting,
  • Forensics and countermeasures,
  • Site blocking and shutdown.

About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



