- Date: March 3, 2008
- Author: Counter Threat Unit™
SecureWorks, one of the leading Security as a Service providers, announced today that hackers are successfully scamming banking customers with spear phishing emails stating that their banking digital certificate has expired. The malicious emails state that in order for the bank customer to access their bank account, they must load a new certificate by clicking on an enclosed link. See illustration below.
Once they click on the link, they are actually downloading the Prg Banking Trojan. This banking Trojan, originally discovered by SecureWorks in December 2007, is one of the most sophisticated and lethal pieces of banking malware developed. See more details on the Prg Banking Trojan
Illustration: Spear phishing email using banking digital certificate ploy
The Prg Banking Trojan enables the hacker to be alerted when the victim is doing online banking so the hacker can piggyback in on the session with the victim. This way the hacker can compromise the victim's bank account without using the victim's username and password. SecureWorks has had countermeasures in place for its clients to protect against the Prg Trojan and its variants since June 2007.
According to Don Jackson, Senior Security Researcher with SecureWorks' Counter Threat Unit™, the hackers behind the Prg Banking Trojan scam have successfully used the digital certificate ploy since September 2007. SecureWorks reported that the Prg Banking hackers targeted commercial banking customers last December and the one scam resulted in the theft of over $6 million dollars from banks in the US, UK, Spain and Italy.
Jackson has now discovered that the same hackers, using digital certificate and bank token phishing emails, have also stolen monies from banks in Australia and New Zealand. Servers containing Prg configuration files specifically targeting many of the leading banks in Australia and New Zealand were uncovered. Jackson has been working with law enforcement officials and banking authorities in the two countries and has determined that the hackers launched their Prg Banking Trojan campaign in Australia, New Zealand, as well as the UK, beginning last September, prior to targeting the US and European banks in December. Where will the hackers strike next? South America would be a logical choice.
"According to our databases and other research/investigators, this is the first example we have seen of attackers actually taking advantage of banking digital certificates," said Jackson. "The hackers in this case actually enhanced their social engineering ploys by matching the certificate, soft token, PassMark™, or other authentication tool to the actual bank and customers. As attackers create huge warehouses of compromised data, it is becoming easier to mine these and spear phish on a large scale."
"This scheme is extremely clever and quite ironic considering that digital certificates are provided by financial institutions to protect online bank users from fraud."
What Hackers are Behind the Prg Banking Trojan Attacks?
A German fraud ring contracted with the Russian group, UPLEVEL, to develop this Trojan. SecureWorks' researchers have seen a huge increase in activity from the German hacking/malware groups like Ego Crew, the "NSA" hacking group, and others. There is continued interest in hacking, specifically cyber crimes like bank fraud, identity theft, and server compromise in order to repurpose them for illegal pornography and copyrighted software and media servers.
How to Protect Against the Banking Digital Certificate Hacking/Phishing Scam
Bank customers should avoid clicking on any links within emails from untrusted sources. Even if they recognize the sender, they should find some way, besides replying to the email, to verify the email's authenticity such as calling the bank directly.