Slovenian police on Thursday raided 12 homes and arrested five Slovenian citizens in connection with sending malware-packed email to small and medium businesses’ accounting departments.
The email was spoofed to look like it came from a local bank or, in one case, the state tax authority, and it typically warned of a late payment.
The fake tax letter fictionalized a change of legislation that would financially affect the targeted victim. The email came with an attachment that carried a trojan.
The RAT (Remote Administration Toolkit) contacted a controlling server that frequently changed network location.
Once a target clicked on the attachment and installed the RAT, the cybercriminals could observe activity on the infected system.
With stolen credentials and, sometimes, if the victim didn’t remove the smart card containing a bank-issued certificate from a reader after use, the victimized companies’ bank accounts were laid wide open for ransacking.
According to a release from SI-CERT (the Slovenian national CERT [Computer Emergency Response Team]), the gang usually raided bank accounts on Fridays or the day before a national holiday.
That gave the crooks enough time to queue bank transfer orders unobserved during weekends and holidays, provided that the victim did not shut down the computer or remove the smart card from the reader.
The bank robber gang employed 25 money mules to transfer almost €2 million ($2.57M, £1.7M).
They also concocted a nonexistent British insurance company to hide behind as they hired money mules in a work-at-home scam.
The coordinated actions that led to the arrests conclude an investigation started in mid-2012, when SI-CERT started receiving reports regarding attacks that involved the malware.
The danger of spoofed messages
The bust shows how damaging clicking on links that appear in spoofed messages can be. Those purportedly sent from our own banks are particularly effective, given how attuned we are to protecting our e-banking accounts and therefore more inclined to react.
When in doubt, don’t click. Educate your non-security-blog-reading friends and family about avoiding suspicious emails and links – even if they appear genuine.
Tell them they should try to use a trusted external method of verification when possible.
Whether it’s zombie software like Gozi, tricking victims into revealing personal information by means of which criminals can later raid their bank accounts, or Citadel malware injecting code into webpages so victims enter PIN numbers and answers to secret questions, it’s far too easy for crooks to trick us into giving them access to our accounts.
Instead of clicking on links in phishy emails, recipients should go to their bank’s official website and/or call the bank’s number, listed on the site or on billing statements.