A fraud campaign siphoned more than half a million dollars from a European bank over the course of a week earlier this year, researchers with Kaspersky Lab announced this week.
The campaign, dubbed Luuuk, extracted €500,000 (roughly $679,700 USD) from 190 victims, mostly in Italy and Turkey, from Jan. 13 to Jan. 20.
Senior security researcher Stefan Tanase of Kaspersky Lab’s Global Research and Analysis Team (GReAT) discussed the scheme Monday at a company event in London in a talk “How to Avoid E-bankruptcy.”
The campaign came to light shortly after Kaspersky detected a suspicious-looking command-and-control (C2) server. The server held multiple log files showing bots communicating with a Web panel, and the data pointed to financial fraud: it included victims’ details, such as the amount of money stolen from each client’s bank account.
The researchers named the campaign after the panel’s path on the server (/server/adm/luuuk/) and immediately contacted the unnamed bank and law enforcement to launch an investigation into the attacks.
It appears the scam was executed through man-in-the-browser attacks: a Web injection let the criminals capture victims’ credentials, and once the money was stolen, automatic transactions funneled the funds to “pre-set money mule accounts.”
While the sums stolen from individual bank accounts varied, from €1,700 to €39,000, the way the attackers moved the money out was far more compartmentalized.
According to GReAT’s research, there were four separate drop groups that transmitted funds via special bank accounts and via cash-outs at ATMs.
One group was responsible for transferring sums of €40,000 to €50,000, another for €15,000 to €20,000, and a third for €2,500 to €3,000. The last drop group was responsible for transferring between €1,750 and €2,000.
Experts believe the separate groups may hint at varying levels of trust within the scheme.
“The Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a ‘drop’ is asked to handle, the more he is trusted,” said Vicente Diaz, a principal security researcher with GReAT.
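The compartmentalized mule pattern described above (each drop account handling only one amount band, and many victims feeding a small set of mule accounts inside a one-week window) is something a bank’s fraud team can look for in its own outbound-transfer records. The following Python script is an added example, not code from Kaspersky, the bank or the Luuuk panel: the transfer-record format, account identifiers, timestamps and amounts are all constructed for illustration, and the band boundaries are assumed to be inclusive of the figures quoted in the article.

```python
"""
Added example: flag destination accounts that look like Luuuk-style drop ("mule")
accounts in a bank's outbound-transfer log. Not Kaspersky's or the bank's code;
record format, account IDs, timestamps and amounts below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Amount bands (EUR) reported for the four drop groups; inclusive bounds are an assumption.
DROP_GROUP_BANDS = {
    "group1": (40_000, 50_000),
    "group2": (15_000, 20_000),
    "group3": (2_500, 3_000),
    "group4": (1_750, 2_000),
}

# Constructed sample log: "timestamp,src_account,dst_account,amount_eur".
SAMPLE_LOG = [
    "# constructed transfer records, not real data",
    "2014-01-13T09:10:00,V1,MULE-A,42000",
    "2014-01-14T11:05:00,V2,MULE-A,45000",
    "2014-01-16T15:30:00,V3,MULE-A,48000",
    "2014-01-13T10:00:00,V4,MULE-B,2600",
    "2014-01-15T10:00:00,V5,MULE-B,2800",
    "2014-01-17T10:00:00,V6,MULE-B,2900",
    "2014-01-18T12:00:00,V7,MULE-C,1800",      # one victim only: below threshold
    "2014-01-13T08:00:00,V8,LEGIT-1,500",      # amounts outside every band
    "2014-01-19T08:00:00,V9,LEGIT-1,12000",
    "2014-01-13T09:00:00,V10,MIXED,1800",      # bands differ: not band-coherent
    "2014-01-14T09:00:00,V11,MIXED,16000",
    "2014-01-15T09:00:00,V12,MIXED,2700",
]


def drop_group_for(amount):
    """Return the drop-group name whose band contains `amount`, or None."""
    for name, (lo, hi) in DROP_GROUP_BANDS.items():
        if lo <= amount <= hi:
            return name
    return None


def parse_transfers(lines):
    """Parse the constructed CSV-style records into (timestamp, src, dst, amount) tuples."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, amt = line.split(",")
        out.append((datetime.fromisoformat(ts), src, dst, float(amt)))
    return out


def find_suspected_mules(transfers, window=timedelta(days=7), min_victims=3):
    """Return {dst_account: details} for accounts that receive transfers from at least
    `min_victims` distinct source accounts within `window`, where every transfer in that
    window falls in the same drop-group band (the compartmentalization seen in Luuuk)."""
    by_dst = defaultdict(list)
    for ts, src, dst, amt in transfers:
        by_dst[dst].append((ts, src, amt))

    suspects = {}
    for dst, rows in by_dst.items():
        rows.sort()  # chronological; ties broken by source account
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            victims = {r[1] for r in in_window}
            groups = {drop_group_for(r[2]) for r in in_window}
            if len(victims) >= min_victims and len(groups) == 1 and None not in groups:
                suspects[dst] = {
                    "group": groups.pop(),
                    "victims": sorted(victims),
                    "total": sum(r[2] for r in in_window),
                }
                break  # one hit per destination account is enough
    return suspects


if __name__ == "__main__":
    for dst, info in find_suspected_mules(parse_transfers(SAMPLE_LOG)).items():
        print(f"{dst}: {info['group']} band, {len(info['victims'])} victims, "
              f"EUR {info['total']:,.0f} received")
```

The heuristic is deliberately narrow: it only fires when a single destination account collects band-coherent amounts from several distinct customers in a short window, which is the structure the researchers described, and it is easy for a different operation to evade by varying amounts or rotating mule accounts more aggressively. It is a starting point for an analyst, not a replacement for per-session fraud scoring.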
It’s unclear exactly what type of malware Luuuk used, but the researchers believe a strain of Zeus, the banking Trojan that intercepts financial data automatically as soon as a user logs into an online bank account, was at play. Zeus itself is plenty diverse, and variants such as Citadel, SpyEye and IceIX all support similar configurations for covert Web injections and the theft of usernames, passwords and one-time passwords (OTP), as Luuuk did.
It’s also plausible the campaign was carried out by a completely new type of malware, Tanase posited Monday.
While the server associated with Luuuk disappeared two days after it was discovered, experts with the Russian security firm say the move may not signal Luuuk’s demise. Citing the campaign’s complexity, the researchers believe the criminals “are very active” and may soon restart the project in a different form.
“Based on the transaction activity we believe that this could be an infrastructure change rather than a complete shutdown of the operation,” the researchers warned Wednesday, in a blog post on Securelist.