McAfee Labs

Bank Account Logins for Sale, Courtesy of Citadel Botnet

0
By on May 16, 2013

Financial theft is one of the most lucrative forms of cybercrime. Malware authors continue to deliver sophisticated tools and techniques to unlock online bank accounts. Attackers design and develop botnets to perform financial fraud, targeting banks and other institutions for profit. These botnets traditionally have monitored victims’ Internet activities and intercepted banking transactions to extract account credentials and send them to their control servers. Recent botnets are armed with more advanced capabilities, yet traditional methods continue to be the most effective way to steal money.

Recently I came across an underground Russian forum in which an author was actively selling botnet logs with account-login details from one targeted bank.

cit1

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

These botnet logs were from the Citadel botnet Version 1.3.4.5 (Extreme Edition). Citadel is a variant of the popular Zeus botnet and has been widely seen since late 2012. This botnet has already been covered in blogs and by McAfee Labs.

Here is an image of server code for extracting bank account information.

cit7

 

 

 

 

 

 

 

 

 

 

 

 

Our research has revealed that Citadel is one of the most active botnets in the world, spanning several locations across Europe. One of the major reasons for its common use is that the botnet setup services are fairly cheap via the underground community. Here is an advertisement for the Citadel setup service.

 

cit5

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The same user offers the setup services on another forum:

 

cit6

 

 

 

 

 

 

 

 

 

 

cit8

 

 

 

 

 

 

 

 

 

 

Many cybercriminals avoid transferring money to their own accounts due to the risk of prosecution, but selling the account information and making the money from the sale is an effective way of preserving  anonymity. Thus the attacker can’t be held accountable for the transfers made from a stolen account.

As the precautionary measure, we should look out for accounts being accessed or transactions made to/from different geographical locations. Banks place limits on the amount of money that can be transferred in one day or in a single transaction. Spotting small, unauthorized transactions made from an account should be noticeable and prevent major financial losses.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>