UpLevel, a Russian criminal organization, and its German affiliates are using a customized version of the Prg trojan to attack commercial banking customers, according to security vendor SecureWorks.
SecureWorks disclosed that the financially focused version of Prg has been in use for about six months, pilfering the commercial bank accounts of customers from several dozen banks in the United States and Europe.
The variant of the widely used “generic” version of Prg has been customized to perform fraudulent banking transactions, Don Jackson, senior security researcher at SecureWorks, who discovered the original Prg trojan, told SCMagazineUS.com.
"They put a lot of work into this," said Jackson. "They have logs on tens of thousands of victims, and send out targeted emails using information stolen in previous attacks."
The latest attack is being orchestrated by a German group working in conjunction with UpLevel, a Russian malware-developing organization, according to Jackson. He said that the German group purchased the confidential information of thousands of victims of previous Prg attacks from UpLevel, which is also providing hosted servers and various other services for the unnamed group.
The victims' confidential information was gleaned as a result of earlier hacks of online job sites, according to Jackson. UpLevel used the attacks to download trojans onto victims' computers, then collected personal information, such as bank account information.
UpLevel mined the stolen data for victims with commercial banking accounts, according to Jackson. The German group then used that information to send spear phishing emails telling victims to download software, which, in fact, contained the Prg trojan.
Prg activates without the user's knowledge when the victim logs into a commercial account and transfers funds, Jackson said. The money is moved to an account compromised in a previous attack, then relocated again to avoid detection.
The original Prg trojan stole data, including banking URLs that victims entered into their web browsers. That trojan, in circulation for more than a year, was responsible for stealing the Social Security numbers, credit card numbers and other personal data from more than 50,000 victims in previous attacks, according to Jackson.
UpLevel members infected victims with the Prg trojan through spam emails with malicious links, infected websites and malicious ads, SecureWorks researchers said on a company blog.
SecureWorks estimated that the thieves have stolen more than $200,000 in the U.S. since attacks on banks began late last month, Jackson added. The two groups stole a similar total from U.K.-based accounts as well.
"We see only about 10 percent of the attacks," said Jackson. "We expect to see more than $1.2 million in losses."
SecureWorks is working with US-CERT and the U.S. Secret Service to stop the attacks, Jackson said, warning bank customers to avoid visiting untrusted websites and clicking on emailed links.