Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

At Least One Part of the Economy is Growing: Cybercrime

In case anyone thought it was getting easier to keep customer data safe, here are a few studies that will bring you back to reality.

The APWG (Anti-Phishing Working Group) released its latest Phishing Activity Trends Report and found that new records were being reached in a variety of areas, such as rogue anti-virus software, phishing websites and crimeware designed to target financial institutions' customers.

According to a release, the APWG H1 2009 report found that the number of detected rogue anti-malware programs—fake security software that actually infects computers to enable assorted electronic crimes—grew 585 percent between January and the end of June 2009.

The number of unique phishing websites detected in June rose to 49,084, the highest since April 2007's record of 55,643, and the second-highest recorded since APWG began reporting this measurement.

The number of hijacked brands also reached an all-time high of 310 in March and remained at an elevated level to the close of the half in June.

The APWG added a new metric to its Trends Report that measures proliferation of three categories of malevolent software: Crimeware (code designed to victimize financial institutions' customers); Data Stealing and Generic Trojans (designed to send information from the infected machine, control it, and open backdoors on it); and Other (commonly auto-replicating worms, dialers for telephone charge-back scams, etc.). This data was obtained from report contributor Websense.

This metric replaces counts of "Password-Stealing Malicious Code URLs" and "Password Stealing Malicious Code - Unique Applications" which, due to incongruent sources and counting methods, had become systematically unreliable.

According to Dan Hubbard, APWG Trends Report contributing analyst and Websense CTO, the growing complexity of these attacks is making it difficult for experts to separate out those attacks specifically designed to steal banking credentials from customers.

"Due to evolution of attack sophistication, it is becoming increasingly difficult to separate and report on attacks that are specifically designed to steal customer banking information," Hubbard said in a statement. "Additionally, attacks that only look for credentials from popular social networking, web mail, and even gaming sites, can lead to attacks for banking theft and crimeware."

Other report highlights include:

  • The number of banking trojan/password-stealing crimeware infections detected increased by more than 186 percent between Q4 2008 and Q2 2009.
  • The total number of infected computers rose more than 66 percent between Q4 2008 and the end of H1 2009, to 11,937,944, now more than 54 percent of the total sample of scanned computers.
  • Payment Services became phishing's most targeted sector, displacing Financial Services in Q1 and Q2.

The full report can be found here:

Meanwhile, vendor Finjan's Malicious Code Research Center (MCRC) uncovered new techniques used by cybercriminals to rob online bank accounts. These techniques, said the company in a release, add functionality aimed to minimize detection by traditional anti-fraud technologies in use by banks.

Finjan's Cybercrime Intelligence Report details the activities of a particular cybercrime ring as it employed a combination of Trojans and money mules to steal hundreds of thousands of Euros and to minimize detection by the anti-fraud systems used by banks.

Money mule accounts are legitimate bank accounts owned by legitimate bank users. Cybercriminals hire "mules" by falsely telling them they are working for a legitimate business. The account mules think that they are being paid for "working from home" and other moneymaking schemes. To avoid warning signs by anti-fraud systems at the bank, the money mule accounts are only used for a limited number of times within a certain timeframe.

In one particular case, the crooks used compromised legitimate websites as well as fake websites, utilizing the crimeware toolkit LuckySploit to infect visitors. After infection, a bank Trojan was installed on the victims' machines and began communicating with its Command & Control (C&C) server for instructions.

Further illustrating the lengths to which criminals will go to outsmart the good guys online is SecureWorks' Threat Analysis report, issued by the company's Counter Threat Unit (CTU).

SecureWorks' CTU researcher Kevin Stevens titles the report "The Underground Economy of the Pay-Per-Install (PPI) Business." The report demonstrates how malicious organizations are recruiting hundreds of affiliates to join their Pay-Per-Install Affiliate Programs. While purporting to be programs that merely install adware, they are actually scams to install some of the most malicious malware and spyware out on the market today, said a SecureWorks release.

One of the Pay-Per-Install programs that Stevens investigated was called InstallsCash. InstallsCash's records showed how one of its affiliates successfully installed malware on 4,510 computers over a 30-day period by tricking people into thinking they were downloading free music or software.

InstallsCash (now referred to as provides affiliates with a downloader that installs a malicious cocktail (a combination of malware) on the victim's computer. This cocktail contains:

  • Zeus Trojan (one of the most pervasive and sophisticated bank and data-stealing Trojans on the market)
  • Rogue Antivirus
  • Rustock (one of the most widely-used Trojans to send spam)
  • Vundo Trojan
  • Piptea (a Trojan downloader)

Computers compromised with the Zeus Trojan, for example, are at a high risk of having their banking and credit card credentials stolen and eventually used for theft. The program claims to have up to 1,000 affiliates working with it. And they're making pretty good money to boot! The CTU found that one established seller was offering credentials for U.S. bank accounts with balances ranging from $14,000 to $22,000 for prices starting at $900 and going up to $1,300. Verified business credit cards, complete with the credit card number, business name, CVV2 security code, and billing address, were being sold for $25 to $75 each.

Plus, there is also money in the selling of tools to support these malicious activities, reports SecureWorks CTU. One such tool category, called a packer or crypter, is used to hide malware from antivirus programs. Researcher Stevens investigated a packer variant named PXCrypter that costs $75. Another, he discovered, is called SDdownloader and is being offered for $225.
