A NEW wave of automated hacking of online bank accounts might have stolen $78m in the past year from customers in Europe, Latin America and the US, according to researchers who peered into the computers of the hacking gangs.
The groups used recent improvements to two families of malicious software, Zeus and SpyEye, which lodged on the computers of clients at 60 banks. While previous versions of the software have proved adept at stealing log-on information, the latest variants automate the subsequent transfer of funds to accounts controlled by accomplices.
The findings, released by security companies McAfee and Guardian Analytics, confirmed and expanded on research from Japan-based Trend Micro that was first reported last week.
"This looks like the beginning of a new technique," said Guardian vice-president Craig Priess, whose firm specialises in protecting banks. The software is sophisticated enough to defeat "chip and PIN" and other two-factor authentication and to avoid transferring the entire contents of an account at one time, which can trigger review.
Trend Micro said it had seen the automated versions in action in Germany, the UK and Italy.
Guardian and Intel-owned McAfee said the same technology had been used by a dozen gangs against clients of financial institutions in those countries and in Colombia, the Netherlands and the US.
"Someone designing this system has insider knowledge as to what the banks are looking for," said Dave Marcus, research director at McAfee Labs.
Server logs viewed by the researchers saw commands from the fraud rings to transfer a total of $78m, including $130000 from one account.
Though written and controlled by different groups, SpyEye and Zeus share the ability to be installed on computers that visit malicious websites or legitimate pages that have been compromised by hackers, as well as through tainted links in e-mails. The programs have already used a technique called "web injection" to generate new entry fields when victims log on to any number of banks or other sensitive websites. Instead of seeing a bank ask for an account number and password, for example, a user sees requests for both of those and an ATM card number. The information is sent to the hacker, who signs in and transfers money to an accomplice's account.
Those transfers can be time-consuming and the hacker has to consider how much can be sent at once without drawing attention. Multiple, smaller transfers are preferable but take more time. For the past year or more, some variants have also captured one-time passwords, such as those sent from the banks by text message to clients' cellphones. But a hacker had to be online within 30 or 60 seconds to use the password.
Brett Stone-Gross, a senior security researcher with Dell unit Dell SecureWorks, said that previously the main limiting factor for crime groups was the number of accomplices, known as money mules, they could hire to accept transfers. Automation will not lessen the need for mules, Stone-Gross said.
Banks generally compensate individuals in full for such losses if they are detected quickly. But recent versions of SpyEye and Zeus can present fake account balances to individual bank customers, so they might not realise their savings are being drained until too late.