The Luuuk Banking Fraud Campaign: Half a Million Euros Stolen in a Single Week
Man-in-the-Browser Attack Used to Target Clients of a
Large European Bank
Woburn, MA – June 25, 2014 – Kaspersky Lab Global Research and Analysis Team experts have discovered evidence of a targeted attack against the clients of a large European bank. The organizers of the bank fraud campaign, dubbed Luuuk, used a Man-in-the-Browser (MITB) attack to steal more than half a million Euros from accounts at the bank, according to the logs of the server used by the attackers.
The first signs of this campaign were discovered on January
20, 2014, when Kaspersky Lab detected a command and control (C&C) server on
the net. The server’s control panel indicated evidence of a Trojan program used
to steal money from clients’ bank accounts. Transaction logs were also found on the server, containing information about which sums of money were taken from which accounts. In all, more than 190 victims could be identified, most of them located in Italy and Turkey. According to the logs, the sums stolen from each bank account ranged from 1,700 to 39,000 € (about $2,310 to $53,000 US Dollars).
The campaign was at least one week old when the
C&C was discovered, having started no later than January 13, 2014. In that
time, the cybercriminals successfully stole more than 500,000 € (about $680,000
US Dollars). Two days after Kaspersky Lab discovered the C&C server, the
criminals removed all evidence that might be used to trace them. However, based
on the transaction activity, Kaspersky Lab believes this could be a change of technical infrastructure rather than the end of the Luuuk campaign.
“After we detected this C&C server, we contacted the bank’s security service and the law enforcement agencies, and submitted all our evidence to them,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab.
Malicious tools used
With the Luuuk case, experts have grounds to believe that important financial data was intercepted automatically and that fraudulent transactions were carried out as soon as the victim logged onto their online bank account.
“On the C&C server we detected there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) have that necessary capability. We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims,” added Vicente Diaz.
Money divestment schemes
The stolen money was passed on to the cybercriminals’ accounts in an unusual way. Kaspersky Lab noticed that participants in the scam received some of the stolen money in specially created bank accounts and cashed it out via ATMs. There was evidence of several different ‘drop’ groups, each assigned different sums of money. One group was responsible for transferring sums of 40-50,000 €, another for sums of 15-20,000 €, and the third for no more than 2,000 €.
“These differences in the amount of money entrusted to
different drops may be indicative of varying levels of trust for each ‘drop’
type. We know that members of these schemes often cheat their partners in crime
and abscond with the money they were supposed to cash. Luuuk’s bosses may
be trying to hedge against these losses by setting up different groups with
different levels of trust: the more money a ‘drop’ is asked to handle, the more
he is trusted,” added Vicente Diaz.
The C&C server related to Luuuk was shut down
shortly after the investigation started. However, the complexity level of the
MITB operation suggests that the attackers will continue to look for new victims
of this campaign. Kaspersky Lab’s experts are engaged in an ongoing investigation into Luuuk’s activities.
The evidence uncovered by Kaspersky Lab’s experts indicates that the campaign was likely organized by professional criminals. However, the malicious tools they used to
steal money can be countered effectively by security technologies. For
instance, Kaspersky Lab has developed Kaspersky Fraud Prevention – a multi-tier platform to help financial
organizations protect their clients from online financial fraud. The platform
includes components that safeguard client devices from many types of attacks,
including Man-in-the-Browser attacks, as well as tools that can help companies
detect and block fraudulent transactions.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.