Web security firm Finjan published a report (Issue 2, 2009) this week on a more advanced funds transfer fraud trojan called URLZone. It basically follows the now well understood process I blogged about previously, where:
- Cybercriminals infect Web sites using, for example, Cross Site Scripting.
- Web site visitors are infected with a trojan, in this case URLZone.
- The trojan is used to collect bank credentials.
- Cybercriminals transfer money from the victims to mules.
- The money is transferred from the mules to the cybercriminals.
URLZone is a more advanced trojan because of the level of automation of the funds transfer fraud (direct quotes from the Finjan report):
- It hides its fraudulent transaction(s) in the report screen of the compromised account.
- Its C&C [Command and Control] server sends instructions over HTTP about the amount to be stolen and where the stolen money should be deposited.
- It logs and reports on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries.
In the past, the trojan was merely a keylogger that sent credentials back to the cybercriminal. Those attacks were mostly against small businesses and schools, where relatively large amounts of money could be stolen from a single account. The URLZone trojan, by contrast, has much more sophisticated command and control, which enables a much higher volume of transactions. Finjan reports 6,400 victims in 22 days losing 300,000 Euros. So far all the victims have been in Germany.