Ursnif Trojan Targets Italian Bank Customer Data

Researchers Say About 100 Institutions Affected

Payment card information and other data belonging to the customers of at least 100 Italian banks and one payment processor were compromised using the Ursnif banking Trojan, according to Avast Threat Labs.

Avast researchers found usernames, passwords and credit card, banking and payment information that appears to have been stolen from banking customers by the operators of the Ursnif banking Trojan. They did not identify where the information was found. But payment card information is often sold on darknet marketplaces.

"Our research teams have taken this information and shared it with the payment processors and banks we could identify. We've also shared this with financial services information sharing groups such as CERTFin Italy," Avast says, referring to the Italian Financial CERT, which addresses cyber risk in the country's banking industry.

Avast would not say how many individuals' data was exposed but said it found 1,700 records from a single unnamed payment processor.

The Italian Job

Fortinet researcher Xiaopeng Zhang reported in January that Ursnif's operators had been focusing their attention on Italy for about a year.

Avast could not definitively say if the customer data its researchers found was stolen during the operation described by Fortinet or at another time.

Avast would not disclose what information it had passed along to the banks and payment processor other than to say it is sufficient for these organizations to identify and then notify their customers whose data was exposed.

The Ursnif malware, also known as Gozi, is a banking Trojan that over its 14-year life span has been upgraded to deliver backdoors, spyware and file injectors.

Phishing Campaign

Ursnif's Italian operation used a phishing campaign to send emails containing malicious attachments that, if opened, downloaded an information stealer, according to Fortinet. The Ursnif malware is often delivered using the Valak malware loader, the company says (see: Operators Behind Valak Malware Expand Malicious Campaign).

Ursnif collects sensitive information, such as username, computer name and system uptime. This data is formatted into packets and sent to the gang's command-and-control server, according to Avast's security researchers.

The Ursnif Trojan is spyware that monitors traffic using screen capture and keylogging functions and can obtain login credentials stored in browsers and mail applications, security firm Trend Micro noted in a previous report. The malware uses a rootkit component to hide related processes, files and registry information.

Ursnif's creator, Latvian hacker Deniss Calovskis, was extradited from Latvia to the U.S. in 2013 for his role in helping to develop and enhance the Trojan. He pleaded guilty to a single count of conspiracy to commit computer intrusion in September 2015 and was sentenced to time served (see: Analysis: The Impact of Malware Developers' Takedowns).


About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.
