Dennis Schwarz, Research Analyst for ASERT at Arbor Networks
As the sophistication of cyber-attacks continues to increase, it has never been more important for organisations to implement the right security. This is especially relevant to the financial services industry, where there is a large amount of sensitive data at risk of falling into the wrong hands.
There are many different threats that affect the financial services industry, but one that continues to affect banks and payment providers is UrlZone. This banking trojan first appeared in 2009 and specialises in manipulating the bank balance that victims see when they log into their accounts. Through its command and control channel, the malware presents the customer with a message stating that the account has been hacked and frozen. While the victim tries to sort out his or her balance, the malware transfers large amounts of money to a cyber-criminal’s account and shows the victim a fake balance – leaving the victim completely unaware of what has just happened.
The malware has most recently evolved by upgrading the encryption used to protect the command and control communications between an infected computer and the threat actor’s control panel. Previous versions used simpler mechanisms, but the latest version uses the Advanced Encryption Standard (AES) in conjunction with a public key algorithm (RSA). This is important because it shows that the attackers understand what protections are already in place on the device. Software such as Intrusion Detection/Prevention Systems may therefore need to be upgraded to detect the latest version of the malicious traffic.
To prevent this type of attack, consumers need to be cautious when accessing their bank accounts. If something out of the ordinary happens, they should stop what they are doing. In addition, by keeping security software up to date on personal and work computers, consumers should be able to protect their computers and devices from this type of malware.
Revisiting this threat actor makes it clear that the threat has not gone away, even though press activity around it has faded. Although new threats will continue to steal this attention, it is important to remain cautious about all types of malware, as you could become the next victim.
A more technical analysis of this malware can be found on Arbor Networks’ blog.