Highly Advanced Trojan Steals 500,000 Financial Accounts
A cyber-gang has stolen the details of over 500,000 financial accounts over the course of the past three years using a highly advanced Trojan that remains undetected on the majority of its victims' machines.
The Sinowal Trojan has enabled one of the largest ever gatherings of bank, credit and debit card details in history, and was spotted by researchers at the RSA FraudAction Research Lab. The program, also known as Torpig and Mebroot, has been operating constantly for almost three years, claims the team, which is an unusually long time in the cybercrime world.
“Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006,” RSA researchers wrote.
Even more striking is that Sinowal has become more productive over time. In the past six months, the Trojan has compromised over 100,000 accounts. Since February, the number of variants has jumped from fewer than 25 a month to more than 70, according to RSA.
The figures are staggering. The research team reckons that at least 300,000 Windows machines have been infected, yielding over 270,000 online bank account numbers and 240,000 credit and debit card credentials.
Unlike most other Trojans, Sinowal spreads silently via websites that exploit unpatched vulnerabilities in the Windows OS or in third-party apps such as Adobe's Flash Player or Apple's QuickTime Media Player: a user doesn't even have to click a link or open a file for the Trojan to be installed.
“This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed,” Sean Brady, manager of identity protection at RSA, said.
The Trojan hides itself in the computer's master boot record, which makes the infection very difficult to spot. The most reliable way to remove it is to format the hard drive and reinstall the operating system.
The RSA has shared the data it discovered with affected banks so that they can warn their customers.
Sinowal lies dormant on a system until the user visits a bank's website. An HTML injection engine then adds fields to the site's login page that prompt the victim to enter passwords, social security numbers and other details. This information is forwarded to a server controlled by the cyber criminals. The HTML injection can be triggered by more than 2,700 web addresses.
Although no one can be totally sure, the Trojan's origin is likely to be Russia. Financial institutions in Europe, Asia and North America have seen the Trojan, but none were found in Russia.
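A baseline check of the kind a bank's security team could run against its own login page, written here as an added example and not taken from the RSA report: parse the page's form fields, flag any not in the expected set, and separately call out fields that ask for SSNs, PINs or card data, the sort of addition described above. The page markup, the expected field names and the sensitive-field hints are all constructed for the example.

```python
from html.parser import HTMLParser

# Constructed baseline: the only named inputs the bank's real login form carries.
EXPECTED_FIELDS = {"username", "password", "csrf_token"}
# Substrings that mark a field as asking for data a login form never needs
# (constructed list; extend to match the institution's own forms).
SENSITIVE_HINTS = ("ssn", "social", "pin", "card", "cvv", "mother")


class FormFieldCollector(HTMLParser):
    """Collect the name attribute of every <input> inside a <form>."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def find_injected_fields(html, expected=EXPECTED_FIELDS):
    """Return (unexpected, sensitive): form fields outside the baseline, and
    the subset of those whose names suggest credential or identity theft."""
    parser = FormFieldCollector()
    parser.feed(html)
    unexpected = [f for f in parser.fields if f.lower() not in expected]
    sensitive = [f for f in unexpected
                 if any(h in f.lower() for h in SENSITIVE_HINTS)]
    return unexpected, sensitive


# Constructed sample pages: the clean form, and the same form with two
# fields inserted ahead of the submit button.
CLEAN_PAGE = """<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="csrf_token" value="abc123">
<input type="submit" value="Sign in">
</form>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    '<input type="submit"',
    '<input type="text" name="ssn">\n<input type="password" name="atm_pin">\n'
    '<input type="submit"')

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, find_injected_fields(page))
```

Because the check compares against the bank's own known form, it is a server-side or monitoring control, not something the infected client can be trusted to run.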