Luuuk out! A banking fraud campaign muled away 500k Euros

A new criminal campaign targeting a large European bank, the Luuuk, was discovered earlier this year. Within one week, criminals managed to steal as much as 500k Euros from 190 accounts before they hastily withdrew from sight.

The experts at Kaspersky Lab’s Global Research and Analysis Team have uncovered evidence of a serious targeted attack against the clients of a large European bank. The campaign, now codenamed “Luuuk” after what appears to be a control panel for an as-yet-unknown Trojan, cost the injured parties as much as 500,000 Euros.

 

Logs found on the server used by the attackers show that it took cybercriminals just one week to get away with half a million Euros from 190 accounts of bank clients, most of them located in Italy and Turkey. The sums stolen from each bank account, according to the logs, ranged from 1,700 to 39,000 Euros.

The first signs of this campaign were discovered as early as January 20th this year when Kaspersky Lab’s experts detected a C&C server on the net. The server’s control panel indicated that a Trojan program had been used to steal money from clients’ bank accounts.

The campaign was at least one week old when the C&C was discovered, having started no later than Jan. 13, 2014. Over that period the cybercriminals successfully stole more than 500,000 Euros. Two days after GReAT discovered the C&C server, the criminals hastily removed every shred of evidence that might be used to trace them. However, experts think this was probably linked to changes in the technical infrastructure used in the malicious campaign rather than spelling the end of the Luuuk campaign.

Soon after detecting this C&C server, GReAT experts contacted the bank’s security service and the law enforcement agencies, and submitted all our evidence to them.


The experts have reason to believe that important financial data was intercepted automatically and fraudulent transactions were carried out as soon as the victim logged onto their online bank accounts. According to Vicente Diaz, Principal Security Researcher at Kaspersky Lab, the C&C server itself lacked any information as to which specific malware program was used in this campaign. But it’s clear that the criminals used a banking Trojan performing Man-in-the-Browser operations to get the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, experts suggested that the malware stole usernames, passwords and OTP codes in real time. Many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have these capabilities and all of these are well-known in Italy.

“We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims,” said Vicente Diaz.

What is especially interesting here is that the stolen money was passed on to the crooks’ accounts in a very unusual way. The criminals apparently used “drops” (aka “money mules”): people with specially created bank accounts to which the stolen money was transferred in portions, which is done to throw pursuers off the scent. Owners of these accounts cashed out this money via ATMs, taking a small (or not so small) “fee” for their “services”. While using “drops” is quite a routine practice, this time it looked like the criminals employed several different “drop” groups, each assigned different sums of money. One group was responsible for transferring sums of 40-50,000 Euros, another for 15-20,000 and the third for no more than 2,000 Euros.

This is probably indicative of varying levels of trust for each “drop” type. “We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a “drop” is asked to handle, the more he is trusted,” added Vicente Diaz.
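A bank-side detection heuristic for the pattern described above, as an added example (not Kaspersky's code and not derived from the Luuuk logs): it flags transfers to a first-seen payee made shortly after login, then groups payees paid by several flagged accounts into the three amount bands reported for the drop groups. The event records, account and payee names, and the 90-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, NOT taken from the Luuuk logs:
# (timestamp, account, event, payee, amount_eur)
EVENTS = [
    ("2014-01-14T09:00:05", "IT-001", "login", None, 0),
    ("2014-01-14T09:00:40", "IT-001", "transfer", "DROP-A", 1900),
    ("2014-01-14T10:15:00", "TR-002", "login", None, 0),
    ("2014-01-14T10:15:30", "TR-002", "transfer", "DROP-A", 1700),
    ("2014-01-14T11:00:00", "IT-003", "login", None, 0),
    ("2014-01-14T11:20:00", "IT-003", "transfer", "LANDLORD-1", 900),
    ("2014-01-14T12:00:00", "IT-004", "login", None, 0),
    ("2014-01-14T12:00:50", "IT-004", "transfer", "DROP-B", 18000),
    ("2014-01-14T13:00:00", "TR-005", "login", None, 0),
    ("2014-01-14T13:01:00", "TR-005", "transfer", "DROP-B", 16500),
]
KNOWN_PAYEES = {"IT-003": {"LANDLORD-1"}}  # payees already used per account (constructed)
LOGIN_WINDOW = timedelta(seconds=90)       # assumed threshold, tune per bank
# Amount bands (EUR) of the three drop groups as reported in the article.
BANDS = [("low", 0, 2000), ("mid", 15000, 20000), ("high", 40000, 50000)]

def band(amount):
    """Map an amount to the drop-group band it falls in, or 'other'."""
    return next((n for n, lo, hi in BANDS if lo <= amount <= hi), "other")

def suspicious_transfers(events, known_payees, window=LOGIN_WINDOW):
    """Transfers to a first-seen payee made within `window` of that account's login."""
    last_login, hits = {}, []
    for ts, acct, kind, payee, amount in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "login":
            last_login[acct] = t
        elif kind == "transfer":
            fresh = payee not in known_payees.get(acct, set())
            fast = acct in last_login and t - last_login[acct] <= window
            if fresh and fast:
                hits.append((acct, payee, amount))
    return hits

def mule_candidates(hits, min_victims=2):
    """Payees paid by several distinct flagged accounts, with the bands they received."""
    victims, bands = defaultdict(set), defaultdict(set)
    for acct, payee, amount in hits:
        victims[payee].add(acct)
        bands[payee].add(band(amount))
    return {p: sorted(bands[p]) for p, v in victims.items() if len(v) >= min_victims}

if __name__ == "__main__":
    flagged = suspicious_transfers(EVENTS, KNOWN_PAYEES)
    print(flagged, mule_candidates(flagged))
```
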

The C&C server related to The Luuuk was shut down shortly after the investigation started. However, the complexity level of the MITB operation suggests that the attackers will continue to look for new victims of this campaign, and, given how much time passed since the discovery, . Kaspersky Lab’s experts are engaged in an ongoing investigation into the Luuuk’s activities.

Banks routinely go to great lengths to ensure the safety of their clients’ accounts, but protection that is not good enough will result in incidents like this one. In the case of the Luuuk, it is most likely that professionals were at work. Everything – the organization of the process, the speed of withdrawal once they were discovered, the tools used – shows a rather “thoughtful” approach.

However, the malicious tools they used to steal money can be countered effectively by modern security technologies. Kaspersky Fraud Prevention is one of them. It’s a multi-tier platform to help financial organizations protect their clients from online financial fraud of many kinds. The platform includes components that safeguard client devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that can help companies detect and block fraudulent transactions in time.

For more technical information on The Luuuk campaign, read our blog at Securelist.com.
