Researchers uncover large cyberfraud operation targeting Australian bank customers

A variant of the Carberp financial malware was used to infect 150,000 computers, mostly from Australia, Group-IB says

Security researchers from Russian cybercrime investigations firm Group-IB have uncovered a cyberfraud operation that uses specialized financial malware to target the customers of several major Australian banks.

Over 150,000 computers, most of them belonging to Australian users, have been infected with this malware since 2012 and were added to a botnet that Group-IB researchers have dubbed "Kangaroo" or "Kangoo," after a kangaroo logo used on the command-and-control server's interface, Andrey Komarov, the head of international projects at Group-IB, said Wednesday via email.

The malware is a modified version of Carberp, a financial Trojan program that so far has been used primarily against Internet banking users from Russian-speaking countries. In fact, the same Carberp variant is used as part of a different operation targeting customers of Sberbank in Russia, Komarov said.

Like the majority of financial Trojan programs, Carberp supports the use of "Web injects" -- special scripts that tell the malware how to interact with specific online banking websites. These scripts allow attackers to piggyback on a victim's active online banking session, initiate rogue transfers, hide account balances and display rogue forms and messages that appear to originate from the bank.

The Carberp variant targeting Australian users contains Web injects for the Internet banking websites of Commonwealth Bank, Bank of Queensland, Bendigo Bank, Adelaide Bank and ANZ. The malware is capable of hijacking the destination of money transfers in real time and uses specific transfer limits to avoid raising red flags, Komarov said.

Group-IB believes that the cybercriminals behind this operation are located in former Soviet Union states. However, the group has contacts with money mule services in Australia as well as its own "corporate drops" -- bank accounts registered to sham businesses -- in the country, Komarov said.

The attackers create thousands of Web pages riddled with terms from the banking industry that later appear in Web search results for specific keywords, a technique known as black hat search engine optimization, Komarov said. Users who visit these pages get redirected to attack sites that host exploits for vulnerabilities in browser plug-ins like Java, Flash Player, Adobe Reader and others, he said.

The number of 150,000 infected computers is not the number of currently active botnet clients, but a historical count of unique infections since 2012 gathered from the botnet's command and control server, Komarov said. Also, not all affected users actually use online banking, he said. The rate is roughly one in every three victims, he estimated.

Group-IB said that it is working with the targeted banks and has shared the information gathered from the botnet's command and control server with them, including compromised account credentials and the Internet Protocol addresses of the infected computers.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Group-IBonline safetysecurityspywaremalwarefraud

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?