June 25, 2014
As EMV makes card skimming less profitable in Europe, criminals are finding new ways to access accounts. But they're still cashing out their stolen proceeds at ATMs.
Kaspersky Lab experts have discovered evidence of a targeted attack against the clients of a large European bank. The organizers of the bank fraud, dubbed Luuuk, used a man-in-the-browser (MITB) campaign to steal more than a half-million euros ($680,000) from accounts at the bank, according to logs from the server used in the attack.
The first signs of the campaign were discovered on Jan. 20 when Kaspersky Lab detected a command and control server on the net. The server’s control panel indicated evidence of a Trojan program used to steal money from clients’ bank accounts.
On the server, Kaspersky discovered transaction logs that listed sums of money taken from each account. In all, more than 190 victims could be identified, most of them located in Italy and Turkey. According to the logs, amounts stolen ranged from 1,700–39,000 euros ($2,310–$53,000) per account.
The campaign was at least a week old when it was uncovered. Two days after the discovery, the criminals removed all evidence that might be used to trace them.
“Soon after we detected this C-and-C server, we contacted the bank’s security service and the law enforcement agencies, and submitted all our evidence to them,” said Vicente Diaz, principal security researcher at Kaspersky Lab.
Malicious tools
With the Luuuk case, experts have grounds to believe that important financial data was intercepted automatically and fraudulent transactions were carried out as soon as the victim logged onto their online bank accounts.
“On the C&C server we detected there was no information as to which specific malware program was used in this campaign,” Diaz said. “However, many existing Zeus variations – Citadel, SpyEye, IceIX, etc. – have that necessary capability. We believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims.”
Money divestment via ATM
The stolen money was passed on to the cybercriminals’ accounts in an unusual way, Kaspersky said. Participants in the scam received some of the stolen money in specially created bank accounts, which were cashed out via ATMs.
There was evidence of several different ‘drop’ groups, each assigned a different sum of money. One group was responsible for transferring sums of 40,000–50,000 euros, another for 15,000–20,000 euros and a third for no more than 2,000 euros.
“These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each drop type,” said Diaz. “We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. Luuuk’s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: The more money a drop is asked to handle, the more he is trusted.”
The server related to Luuuk was shut down shortly after the investigation started. However, the complexity level of the MITB operation suggests that the attackers will continue to look for new victims of this campaign. Kaspersky's investigation into Luuuk activities is ongoing, the company said.