Sophisticated banking Trojan – Human consequences

I was contacted by a friend yesterday who was understandably very concerned to find that a large amount of money had been transferred from her bank account to the account of a complete stranger hundreds of miles away. My friend had been using her online banking at home the evening before, had made a couple of transfers and all appeared to go normally. However, when she heard the following day that one of the transfers hadn’t arrived, she checked her account from a PC at work and was devastated to find the hitherto invisible transfer of €5000.

Bank statement showing the fraudulent transaction


Of course the incident was reported to the bank and to the police. The bank shut down the online facility of the account and set about tracing the money and we set about finding out what kind of malware she had on her PC.


You may, if you’re interested in malware, have seen some reports recently of a “next generation” banking Trojan that goes by the name of Bebloh or URLZone, and this is what was responsible for the theft of just enough money to stay within the agreed overdraft facility of the account, helping to ensure the transfer was successful.


Later in the day someone else in Germany reported the incident from their end. A woman had met some people in a Russian chat room, and they offered her 500 euros if she would transfer the money on. Part of the money was to go to an account in Turkey and part to a Russian account. The mule account holder, though, was this lady’s son; she had given the Russian criminals his bank details “because he still had some overdraft allowance”. The morning after the transfer they called her every ten minutes to prompt her to send the money on. Since she had given her son’s details, she had to get him out of school and go to the bank with him. By the time they arrived at the bank, the theft had already been reported by the victim, so the bank refused to forward the money. Even then she still got calls while she was at the bank. As soon as the bank told the mules that fraud had been reported and she told the criminals, they stopped calling her. The mule then went to the police herself. The mule is obviously worried and shaken by her brush with serious organised crime and embarrassed by her naïveté. The victim has been left with no access to cash and no way to meet her direct debit commitments until the investigations are completed.


Bebloh is a banking Trojan that spreads through what we call drive-by-download techniques, in which websites, including legitimate ones, are infiltrated and booby-trapped. Unwary visitors with unpatched web browsers or other software that hasn’t been kept up-to-date are then infected simply by visiting the sites.


Once installed, the Trojan connects back to a command & control server to receive instructions: how much money to steal from you and where to send it. The Trojan is sophisticated enough to be able to work out exactly how much money it can siphon from your account without being refused, and is able to hide the fact that these transfers have taken place. The stolen funds are then transferred to mule accounts where volunteers have agreed to “process payments” in return for a small fee or percentage. A detailed report on the malware is available from RSA FraudAction Research Labs and in a TrendLabs Malware blog posting.
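A bank-side check for the two behaviours described above, as an added example that is not from the original post or the cited reports: it holds a transfer to a first-seen payee that is sized to nearly exhaust balance plus overdraft, and lists ledger entries missing from what the customer's browser displayed. The 90% threshold, the field names and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Transfer:
    ref: str                  # transaction reference (constructed sample values)
    payee: str
    amount: Decimal
    balance_before: Decimal   # ledger balance before the transfer
    overdraft_limit: Decimal  # agreed overdraft, as a positive number

def headroom_used(t):
    """Share of spendable funds (balance + overdraft) the transfer consumes."""
    available = t.balance_before + t.overdraft_limit
    return t.amount / available if available > 0 else Decimal(0)

def flag_transfers(ledger, known_payees, threshold=Decimal("0.90")):
    """Server-side rule (assumed heuristic): first-seen payee AND an amount
    sized to nearly exhaust balance plus overdraft."""
    seen, flagged = set(known_payees), []
    for t in ledger:
        if t.payee not in seen and headroom_used(t) >= threshold:
            flagged.append(t.ref)   # hold for review; payee stays unknown
        else:
            seen.add(t.payee)
    return flagged

def hidden_from_client(ledger, client_view_refs):
    """Ledger entries absent from what the (possibly infected) browser showed.
    The ledger copy must come from a separate, clean channel."""
    shown = set(client_view_refs)
    return [t.ref for t in ledger if t.ref not in shown]

# Constructed sample data, not taken from the incident described above.
D = Decimal
LEDGER = [
    Transfer("T1", "LANDLORD", D("650"), D("2000"), D("4000")),
    Transfer("T2", "NEW-SHOP", D("150"), D("1350"), D("4000")),
    Transfer("T3", "UNKNOWN-PAYEE", D("5000"), D("1200"), D("4000")),
]
CLIENT_VIEW = ["T1", "T2"]  # what the home PC's browser displayed

if __name__ == "__main__":
    print("held for review:", flag_transfers(LEDGER, {"LANDLORD"}))
    print("hidden in browser:", hidden_from_client(LEDGER, CLIENT_VIEW))
```

The second function only works when the ledger is read outside the compromised browser session, which is how the transfer in this account came to light: from a different PC.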


This malware surfaced in Germany, which has long had the reputation of leading the way in online banking security, as I mentioned in a previous blog post. Germany uses a system of transaction authentication numbers (TAN) to validate money movements. To overcome this, Bebloh operates inside the web browser, hijacking authenticated sessions even to the extent of faking the balance that is displayed to the user to hide all trace of its malicious activity. Estimates have put its earnings at £11000 per day.