The Luuuk: The digital fraud that stole half a million in a week

The Luuuk: Experts from Kaspersky Lab's Global Research and Analysis Team have discovered evidence pointing to a targeted attack against the customers of a large European bank. According to logs found on the server used by the attackers, in the space of just one week the cybercriminals stole more than half a million euros from accounts at the bank. The first signs of this campaign were discovered on 20 January, when Kaspersky Lab experts detected a command & control (C&C) server on the Internet. The server's control panel indicated traces of a Trojan program being used to steal money from customers' bank accounts.


Experts have also identified transaction logs on the server, which included information about the amounts of funds that were disbursed from specific accounts. Altogether, the company's experts managed to identify more than 190 victims, most of whom were in Italy and Turkey. The amounts stolen from each bank account, according to the records, ranged between €1,700 and €39,000.

The campaign had been running for at least a week when the C&C server was discovered, having started on 13 January 2014. Within this period, the cybercriminals managed to steal more than €500,000. Two days after Kaspersky Lab's Global Research and Analysis Team discovered the C&C server, the criminals removed every trace of evidence that could be used to track them down. However, the company's experts believe that this is probably linked to changes in the technical infrastructure used for the malicious campaign rather than to the end of the Luuuk campaign.

"Shortly after we located this C&C server, we contacted the bank's security service and authorities and submitted all the information we had collected," said Vicente Diaz, Principal Security Researcher at Kaspersky Lab.

The malicious tools used

In the case of Luuuk, experts have reason to believe that significant financial data were automatically intercepted and that the fraudulent transactions took place while victims were logging into their online bank accounts.

"On the C&C server we detected, there was no information about any specific malware used in this campaign. However, many of the existing variants of Zeus (Citadel, SpyEye, IceIX, etc.) have this necessary capability. We believe the malware used in this campaign could be a variation of Zeus using web injects on victims," added Vicente Diaz.

Divestiture schemes

Stolen money was passed on to the fraudsters in an interesting and unusual way. Our specialists noted a distinctive peculiarity in the organization of the so-called "traffickers": participants in the fraud received some of the stolen money in specially created bank accounts and cashed it out through ATMs. There was evidence of several different groups of "traffickers", each responsible for different amounts. One group was responsible for handling funds between €40,000 and €50,000, another for amounts from €15,000 to €20,000, and a third for amounts not exceeding €2,000.

"Differences in the amounts of money being moved through the different groups may be indicative of the different levels of trust for each type of 'trafficker'. We know that members of these organizations often cheat their partners and get away with the money they were supposed to liquidate. Luuuk 'bosses' may try to protect themselves against these losses by creating different groups with multiple levels of trust: the more trustworthy a 'trafficker', the more money they ask him to handle," Vicente Diaz noted.

The C&C server associated with Luuuk shut down shortly after the investigation began. However, the level of complexity of this Man-in-the-Browser operation indicates that fraudsters will continue to search for new victims. Kaspersky Lab experts continue to research Luuuk's activities.

Security solutions for Luuuk

Data revealed by Kaspersky Lab experts suggest that the campaign was probably organized by professional criminals. However, the malicious tools they used to steal money can be effectively countered by security technologies. For example, Kaspersky Lab has developed Kaspersky Fraud Prevention, a multi-level platform that helps financial institutions protect their clients from online financial fraud. The platform includes features that protect customer devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that can help companies detect and block malicious transactions.

More information about the "Luuuk" campaign is available on Kaspersky Lab's blog at Securelist.com.

To learn more about Kaspersky Lab's security solution for financial organizations, you can visit the official Kaspersky Fraud Prevention page.


Written by giorgos
