Australia's banks quietly swatting trojan

By: Liam Tung, The Sydney Morning Herald

Australia's banks have been quietly working with a Russian security and forensics firm to swat a nasty banking trojan crafted in Ukraine that has infected 150,000 Australian PCs since last year.

Once installed, the fraud software Carberp waits for a victim to log in to their accounts and, via the browser, attempts to commandeer their transactions, hijacking credentials and payments. Success rates vary, but its makers are responsible for millions in losses across Russia and Europe.

Security vendors including Symantec, Microsoft, Kaspersky and McAfee recognise Carberp as a nasty "family" of trojans that has been known to grab screenshots of victims' PCs, log keystrokes and steal banking credentials.

According to Andrey Komarov, head of international projects at Russian firm Group-IB, the hackers behind Carberp have franchised their product to a well-known developer on the underground, who built a module (a bolt-on component known as a "web-inject") that adapts attacks originally written for banking customers elsewhere in the world to Australian banks.

ANZ Bank and the Bank of Queensland were the first to respond to the company's recent fraud alert, said Komarov, who is supplying data to the banks on the latest Australian infections.

“An ANZ representative responded immediately,” Komarov told IT Pro. “We provided him all the details about compromised customers of his bank and he immediately blocked it and assisted to contact other banks. We are also preparing some additional investigation details for ANZ right now, as its e-crime division is one of the most positive we have ever seen.”

The module combines technical and social trickery: it presents victims with a fake transaction page and contains tools that let the attacker view the victim's browser in real time. The package includes attacks for customers of Commonwealth Bank, ANZ, Westpac, the Bank of Queensland, Bendigo Bank, Adelaide Bank, Teachers Mutual Bank, Defence Bank, Suncorp, BankWest and NAB, according to Group-IB.

“Right after the user goes online and wants to make a transfer, they will intercept his session on the browser and spoof the destination of the transfer absolutely silently,” Komarov said.

To build a network of infected PCs, the group uses bank-related search terms, such as "Melbourne bank", to game search engine rankings. If the victim takes the bait, they are led to websites hosting exploits for widely installed software, such as the browser plug-ins for Adobe Flash and Oracle Java, and Microsoft Office.

Exactly how much the gang and its networks have stolen from Australian banking customers remains unknown, but Komarov estimates that typically 10 per cent of infected PCs result in losses for their users. Group-IB assisted Russian authorities in arresting six Carberp gang members last June; they were accused of stealing over $4 million from Russian accounts over a four-year spree.

The ANZ declined to comment on its investigation.

"ANZ does not comment on security matters other than to say protecting our customers is one of our highest priorities and we are confident in the security tools and team that we have in place," ANZ spokesperson Stephen Ries said.

"It should also be noted that any customers who are the innocent victim of fraud will be protected by the bank."