{"id":14968,"date":"2014-06-25T07:16:38","date_gmt":"2014-06-25T07:16:38","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2096"},"modified":"2021-08-06T07:14:29","modified_gmt":"2021-08-06T11:14:29","slug":"luuuk-out-fraud-campaign","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/luuuk-out-fraud-campaign\/14968\/","title":{"rendered":"Luuuk out! A banking fraud campaign muled away 500k Euros"},"content":{"rendered":"<p>The experts at Kaspersky Lab\u2019s Global Research and Analysis Team have uncovered evidence of a large-scale targeted attack against the clients of a large European bank. The campaign, now codenamed \u201cLuuuk\u201d after what appears to be the control panel of an as yet unidentified Trojan, cost the injured parties as much as 500,000 Euros.<\/p>\n<p>Logs found on the server used by the attackers show that it took the cybercriminals just one week to get away with half a million Euros from 190 accounts of bank clients, most of them located in Italy and Turkey. According to the logs, the sums stolen from each bank account ranged from 1,700 to 39,000 Euros.<\/p>\n<p>The first signs of this campaign were discovered as early as January 20<sup>th<\/sup> this year, when Kaspersky Lab\u2019s experts detected a C&amp;C server on the net. The server\u2019s control panel indicated that a Trojan program had been used to steal money from clients\u2019 bank accounts.<\/p>\n<p>The campaign was at least one week old when the C&amp;C was discovered, having started no later than Jan. 13, 2014. Over that period the cybercriminals successfully stole more than 500,000 Euros. Two days after GReAT discovered the C&amp;C server, the criminals hastily removed every shred of evidence that might be used to trace them. 
However, experts think this was probably linked to changes in the technical infrastructure used in the malicious campaign rather than spelling the end of the Luuuk campaign.<\/p>\n<p>Soon after detecting this C&amp;C server, GReAT experts contacted the bank\u2019s security service and the law enforcement agencies, and submitted all of the evidence to them.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020032\/800-2-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-2098\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020032\/800-2-1.png\" alt=\"800-2\" width=\"800\" height=\"634\"><\/a><\/p>\n<p>The experts have reason to believe that important financial data was intercepted automatically and fraudulent transactions were carried out as soon as the victim logged onto their online bank account. According to Vicente Diaz, Principal Security Researcher at Kaspersky Lab, the C&amp;C server itself lacked any information as to which specific malware program was used in this campaign. But it\u2019s clear that the criminals used a banking Trojan performing Man-in-the-Browser operations to obtain the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, the experts suggested that the malware stole usernames, passwords and OTP codes in real time. Many existing Zeus variations (Citadel, SpyEye, IceIX, etc.) 
have these capabilities, and all of them are well known in Italy.<\/p>\n<p>\u201cWe believe the malware used in this campaign could be a Zeus flavor using sophisticated web injects on the victims,\u201d said Vicente Diaz.<\/p>\n<p>What is especially interesting here is that the stolen money was passed on to the crooks\u2019 accounts in a very unusual way. The criminals apparently used \u201cdrops\u201d (aka \u201cmoney mules\u201d) \u2013 people with specially created bank accounts to which the stolen money was transferred in portions, in order to throw investigators off the scent. The owners of these accounts cashed out the money via ATMs, taking a small (or not so small) \u201cfee\u201d for their \u201cservices\u201d. While using \u201cdrops\u201d is quite a routine practice, this time it looked like the criminals employed several different \u201cdrop\u201d groups, each assigned different sums of money. One group was responsible for transferring sums of 40,000-50,000 Euros, another 15,000-20,000, and the third no more than 2,000 Euros.<\/p>\n<p>This is probably indicative of varying levels of trust for each \u201cdrop\u201d type. \u201cWe know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. Luuuk\u2019s bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a \u201cdrop\u201d is asked to handle, the more he is trusted,\u201d added Vicente Diaz.<\/p>\n<p>The C&amp;C server related to Luuuk was shut down shortly after the investigation started. However, the complexity level of the MITB operation suggests that the attackers will continue to look for new victims of this campaign, and, given how much time has passed since the discovery, . 
Kaspersky Lab\u2019s experts are engaged in an ongoing investigation into Luuuk\u2019s activities.<\/p>\n<p>Banks routinely go to great lengths to ensure the safety of their clients\u2019 accounts \u2013 protection that is just not good enough results in incidents like this one. In the case of Luuuk it is most likely that professionals were at work. Everything \u2013 the organization of the process, the speed of withdrawal once they were discovered, the tools used \u2013 points to a rather \u201cthoughtful\u201d approach.<\/p>\n<p>However, the malicious tools they used to steal money can be countered effectively by modern security technologies. <a href=\"https:\/\/www.kaspersky.com\/business-security\/fraud-prevention\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Fraud Prevention<\/a> is one of them. It\u2019s a multi-tier platform that helps financial organizations protect their clients from online financial fraud of many kinds. The platform includes components that safeguard client devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that help companies detect and block fraudulent transactions in time.<\/p>\n<p>For more technical information on the Luuuk campaign, <a href=\"https:\/\/securelist.com\/use-the-force-luuuk\/63704\/\" target=\"_blank\" rel=\"noopener\">read our blog at Securelist.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new criminal campaign targeting a large European bank was discovered earlier this year &#8211; the Luuuk. 
For one week, criminals managed to steal as much as 500k Euros from 190 accounts, before they hastily withdrew from sight.<\/p>\n","protected":false},"author":209,"featured_media":16017,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[93,724,2117,726],"class_list":{"0":"post-14968","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybercriminals","10":"tag-luuuk","11":"tag-online-banking-security","12":"tag-scam"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/luuuk-out-fraud-campaign\/14968\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/luuuk-out-fraud-campaign\/14968\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/luuuk-out-fraud-campaign\/14968\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/scam\/","name":"scam"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14968","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14968"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14968\/revisions"}],"predecessor-version":[{"id":41078,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14968\/revisions\/41078"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/16017"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/
wp\/v2\/media?parent=14968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}