Researchers uncover large cyberfraud operation targeting Australian bank customers

A variant of the Carberp financial malware was used to infect 150,000 computers, mostly from Australia, Group-IB says

Security researchers from Russian cybercrime investigations firm Group-IB have uncovered a cyberfraud operation that uses specialized financial malware to target the customers of several major Australian banks.

Over 150,000 computers, most of them belonging to Australian users, have been infected with this malware since 2012 and were added to a botnet that Group-IB researchers have dubbed "Kangaroo" or "Kangoo," after a kangaroo logo used on the command-and-control server's interface, Andrey Komarov, the head of international projects at Group-IB, said Wednesday via email.

The malware is a modified version of Carberp, a financial Trojan program that so far has been used primarily against Internet banking users from Russian-speaking countries. In fact, the same Carberp variant is used as part of a different operation targeting customers of Sberbank in Russia, Komarov said.

Like the majority of financial Trojan programs, Carberp supports the use of "Web injects" -- special scripts that tell the malware how to interact with specific online banking websites. These scripts allow attackers to piggyback on a victim's active online banking session, initiate rogue transfers, hide account balances and display rogue forms and messages that appear to originate from the bank.

The Carberp variant targeting Australian users contains Web injects for the Internet banking websites of Commonwealth Bank, Bank of Queensland, Bendigo Bank, Adelaide Bank and ANZ. The malware is capable of hijacking the destination of money transfers in real time and uses specific transfer limits to avoid raising red flags, Komarov said.

Group-IB believes that the cybercriminals behind this operation are located in former Soviet Union states. However, the group has contacts with money mule services in Australia as well as its own "corporate drops" -- bank accounts registered to sham businesses -- in the country, Komarov said.

The attackers create thousands of Web pages riddled with terms from the banking industry that later appear in Web search results for specific keywords, a technique known as black hat search engine optimization, Komarov said. Users who visit these pages get redirected to attack sites that host exploits for vulnerabilities in browser plug-ins like Java, Flash Player, Adobe Reader and others, he said.

The number of 150,000 infected computers is not the number of currently active botnet clients, but a historical count of unique infections since 2012 gathered from the botnet's command and control server, Komarov said. Also, not all affected users actually use online banking, he said. The rate is roughly one in every three victims, he estimated.

Group-IB said that it is working with the targeted banks and has shared the information gathered from the botnet's command and control server with them, including compromised account credentials and the Internet Protocol addresses of the infected computers.

Tags Group-IBonline safetysecurityspywarefraudmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?