Bank Account Logins for Sale, Courtesy of Citadel Botnet

Financial theft is one of the most lucrative forms of cybercrime, and malware authors continue to deliver sophisticated tools and techniques for breaking into online bank accounts. Attackers design and operate botnets specifically to commit financial fraud, targeting banks and other institutions for profit. Traditionally these botnets have monitored victims' Internet activity and intercepted banking sessions to harvest account credentials, which are then sent to the botnet's control servers. Recent botnets are armed with more advanced capabilities, yet this traditional credential theft remains the most effective way to steal money.

Recently I came across an underground Russian forum in which an author was actively selling botnet logs with account-login details from one targeted bank.

[Image: cit1]
These botnet logs came from Citadel Version 1.3.4.5 (Extreme Edition). Citadel is a variant of the widely used Zeus banking Trojan and has been seen in the wild since 2012. This botnet has already been covered in blogs and by McAfee Labs.

Here is an image of the control-server code that extracts bank account information from the stolen data.

[Image: cit7]
Next we see what Citadel can do. I tried logging in to several of the bank accounts using the posted credentials and was surprised to find that most of the accounts mentioned were still active; I could log in to them successfully.

[Image: cit2]

[Image: cit3]

[Image: cit4]
Our research has revealed that Citadel is one of the most active botnets in the world, with infrastructure spanning several locations across Europe. One of the major reasons for its popularity is that botnet setup services are fairly cheap in the underground community. Here is an advertisement for a Citadel setup service.

[Image: cit5]
The same user offers the setup services on another forum:

[Image: cit6]

[Image: cit8]
Many cybercriminals avoid transferring money to their own accounts because of the risk of prosecution. Selling the stolen account information instead, and profiting from the sale, is an effective way of preserving anonymity: the seller is one step removed from the fraudulent transfers, which are made by whoever buys the credentials, so it is much harder to hold the original attacker accountable.

As a precautionary measure, banks and account holders should watch for accounts being accessed from, or transactions being made to or from, unexpected geographical locations. Banks place limits on the amount of money that can be transferred in one day or in a single transaction, so criminals who have bought credentials tend to move money in small amounts that stay under those limits. Spotting small, unauthorized transactions early, before they accumulate, is what prevents major financial losses.
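The two checks suggested above, as an added example that is not part of the original post: a small Python script that runs over a constructed set of login and transfer events and flags (1) logins to the same account from two different countries within a short window and (2) small transfers to a beneficiary the account has never paid before. The event format, the six-hour travel window, the 500 threshold, the account and payee names, and the `KNOWN_PAYEES` list are all assumptions made for the example.

```python
"""Added example, not from the original post: flag geographically inconsistent
logins and small transfers to new beneficiaries over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data):
# (account, ISO timestamp, event type, country of client IP, amount, beneficiary)
EVENTS = [
    ("acct-001", "2013-03-01T09:00:00", "login",    "US", 0.0,   None),
    ("acct-001", "2013-03-01T09:05:00", "transfer", "US", 50.0,  "payee-A"),  # known payee
    ("acct-001", "2013-03-01T11:30:00", "login",    "RU", 0.0,   None),       # new country, 2.5 h later
    ("acct-001", "2013-03-01T11:32:00", "transfer", "RU", 420.0, "mule-1"),   # new payee, under the limit
    ("acct-002", "2013-03-01T08:00:00", "login",    "DE", 0.0,   None),
    ("acct-002", "2013-03-01T08:10:00", "transfer", "DE", 25.0,  "payee-B"),
    ("acct-002", "2013-03-02T08:00:00", "login",    "DE", 0.0,   None),
]

# Assumed per-account history of beneficiaries the customer has paid before.
KNOWN_PAYEES = {"acct-001": {"payee-A"}, "acct-002": {"payee-B"}}
TRAVEL_WINDOW = timedelta(hours=6)  # assumed: two countries within 6 h is implausible travel
SMALL_TRANSFER_MAX = 500.0          # assumed: "small" means under the per-transaction limit


def geo_anomalies(events, window=TRAVEL_WINDOW):
    """Return (account, earlier_country, later_country, gap) for each pair of
    consecutive logins from different countries closer in time than `window`."""
    logins = defaultdict(list)
    for acct, ts, kind, country, _amount, _payee in events:
        if kind == "login":
            logins[acct].append((datetime.fromisoformat(ts), country))
    hits = []
    for acct, seq in logins.items():
        seq.sort()  # chronological order per account
        for (t1, c1), (t2, c2) in zip(seq, seq[1:]):
            if c1 != c2 and t2 - t1 <= window:
                hits.append((acct, c1, c2, t2 - t1))
    return hits


def suspicious_transfers(events, known_payees, max_amount=SMALL_TRANSFER_MAX):
    """Return (account, timestamp, amount, beneficiary, country) for transfers at or
    below `max_amount` to a beneficiary the account has not paid before."""
    seen = {acct: set(payees) for acct, payees in known_payees.items()}
    hits = []
    for acct, ts, kind, country, amount, payee in sorted(events, key=lambda e: e[1]):
        if kind != "transfer":
            continue
        if payee not in seen.setdefault(acct, set()) and amount <= max_amount:
            hits.append((acct, ts, amount, payee, country))
        seen[acct].add(payee)  # a second transfer to the same new payee is not re-flagged
    return hits


def flagged_accounts(events, known_payees):
    """Accounts that trip both checks: the strongest signal of a bought credential in use."""
    geo = {h[0] for h in geo_anomalies(events)}
    money = {h[0] for h in suspicious_transfers(events, known_payees)}
    return sorted(geo & money)


if __name__ == "__main__":
    for acct, c1, c2, gap in geo_anomalies(EVENTS):
        print(f"{acct}: login from {c1} then {c2} only {gap} apart")
    for acct, ts, amount, payee, country in suspicious_transfers(EVENTS, KNOWN_PAYEES):
        print(f"{acct}: {amount:.2f} to new beneficiary {payee} from {country} at {ts}")
    print("accounts flagged by both checks:", flagged_accounts(EVENTS, KNOWN_PAYEES))
```

On the constructed data only acct-001 is flagged: its second login comes from a different country within the window, and the first transfer after that login goes to a previously unseen beneficiary for an amount that would not by itself breach a transaction limit. The thresholds are deliberately parameters, since the right window and amount depend on the bank's own customer base and limits.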
