Financial theft is one of the most lucrative forms of cybercrime. Malware authors continue to deliver sophisticated tools and techniques to unlock online bank accounts. Attackers design and develop botnets to perform financial fraud, targeting banks and other institutions for profit. These botnets traditionally have monitored victims’ Internet activities and intercepted banking transactions to extract account credentials and send them to their control servers. Recent botnets are armed with more advanced capabilities, yet traditional methods continue to be the most effective way to steal money.
Recently I came across an underground Russian forum in which an author was actively selling botnet logs with account-login details from one targeted bank.
These botnet logs were from the Citadel botnet Version 1.3.4.5 (Extreme Edition). Citadel is a variant of the popular Zeus botnet and has been widely seen since late 2012. The latest edition of this botnet has already been covered in several blogs out there.
Here is a snapshot of server code for extracting bank account information stored in the database of the C&C server.
Here is what this mysterious banking botnet can do.It can log all the credentials used to login into the bank account , from the Citadel infected machine and sends it to the C&C server.
Research has revealed that Citadel is one of the most active botnets in the world, spanning several locations across Europe. One of the major reasons for its common use is that the botnet setup services are fairly cheap via the underground community. Here is an advertisement for the Citadel setup service.
Same user advertising his setup service on another forum.
Yet another service offered for the same botnet.
Many cybercriminals avoid transferring money to their own accounts due to the risk of prosecution, but selling the account information and making the money from the sale is an effective way of preserving anonymity. Thus the attacker can’t be held accountable for the transfers made from a stolen account.
As the precautionary measure, we should look out for accounts being accessed or transactions made to/from different geographical locations. Banks place limits on the amount of money that can be transferred in one day or in a single transaction. Spotting small, unauthorized transactions made from an account should be noticeable and prevent major financial losses.
Posts
