RSA Report: 500,000 Banking IDs Stolen

The RSA Fraud Action Research Team says it has found a single Trojan that it believes to be behind the theft of more than 500,000 online bank account credentials, credit cards and many other resources.
The security vendor's team revealed its findings late last week and says the gang behind the Trojan may have been operating for as long as three years.
No specific bank names were revealed by RSA, "as it is critical to protect their privacy and security, as well as that of their customers," a spokesperson says.
The research team says its findings are "startling." Based on its tracking and research of the Sinowal Trojan (also known as Torpig and Mebroot), the team indicates that this may "be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters."
The researchers say that the Sinowal Trojan may have been operating as early as February 2006, compromising and stealing login credentials for about 300,000 online bank accounts and a similar number of credit and debit cards. The hackers also compromised email and FTP accounts on many websites. RSA researchers add that this particular Trojan, Sinowal, was the subject of much rumor and speculative talk, and that little is known of its source. Earlier in its life it had strong ties to the now infamous Russian Business Network (RBN).
The researchers warn that Sinowal is one of the most serious threats to anyone with an Internet connection. Why? "Simply put, Sinowal infects victims' computers without even an inkling of a trace." RSA says those behind the Trojan "have not only created highly-advanced and malicious crimeware, but have also maintained one of the most hidden and reliable communication infrastructures. This infrastructure has been designed to keep Sinowal collecting and transmitting information for almost three years." Along with this record is the fact that the online gang was able to take the stolen data and methodically organize it within a single repository. The Sinowal Trojan is also capable of evolving and has been doing so at a dramatic rate: the RSA researchers saw its rate of attack spiking upward from March through September 2008.
The compromised data belongs to customers of hundreds of financial institutions within many regions of the world. The team found affected financial institutions within North America (both the United States and Canada), Europe (United Kingdom, France, Spain, Germany, the Netherlands, Italy and others), Asia Pacific (Australia, China, Malaysia, and others) as well as some countries in Latin America. However, the research team found that no Russian accounts were compromised by Sinowal, leading them to suspect that the online gang is operating in Russia. RSA has contacted several law enforcement agencies to inform them of the findings.
For any financial institution that may think it is a target, RSA recommends a layered approach that increases online security and provides a necessary defense-in-depth strategy. This strategy can be executed through the combination of external threat protection, login authentication and risk-based transaction monitoring; the last layer matters because a Trojan that has stolen valid credentials will pass the login check, so the transaction itself has to be judged on its context. More specifically, RSA says, organizations can use services that provide real-time protection against external threats such as phishing, pharming and Trojan attacks through:
- 24x7 monitoring and detection,
- Real-time alerts and reporting,
- Forensics and countermeasures,
- Site blocking and shutdown.
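To make the "risk-based transaction monitoring" layer concrete, here is an added illustration that is not part of the RSA report and not RSA's product: a small rule-based scorer of the kind a bank could run after a successful login. The point it demonstrates is the one the article makes implicitly: a Trojan that has harvested valid credentials logs in cleanly, so the defense has to look at signals the attacker does not control (device fingerprint, payee history, amount, geography, timing). The field names, weights, thresholds and the three sample transactions are all assumptions constructed for this example.

```python
"""
Added example: rule-based transaction risk scoring behind login authentication.
Not from the RSA report or any RSA product. All rules, weights, thresholds,
field names and sample records are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Profile:
    """What the bank already knows about an account holder (assumed schema)."""
    known_devices: set          # device fingerprints seen on previous sessions
    known_payees: set           # payees this account has paid before
    typical_amount: float       # e.g. trailing mean of recent transfers
    home_country: str           # country most sessions originate from


@dataclass
class Transaction:
    """One outbound transfer request, as seen after a successful login (assumed schema)."""
    account: str
    device_id: str
    payee: str
    amount: float
    country: str
    seconds_since_login: int


# Assumed weights: each rule adds points; the sum drives the decision.
RULES = [
    ("new device",            30, lambda tx, p: tx.device_id not in p.known_devices),
    ("new payee",             25, lambda tx, p: tx.payee not in p.known_payees),
    ("amount far above typical", 25, lambda tx, p: tx.amount > 3 * p.typical_amount),
    ("geo mismatch",          20, lambda tx, p: tx.country != p.home_country),
    ("transfer immediately after login", 15, lambda tx, p: tx.seconds_since_login < 30),
]

BLOCK_AT = 70     # assumed threshold: refuse the transfer, alert fraud team
STEP_UP_AT = 40   # assumed threshold: require out-of-band confirmation


def score_transaction(tx: Transaction, profile: Profile) -> Tuple[int, List[str]]:
    """Return the risk score and the list of rules that fired."""
    score, reasons = 0, []
    for name, weight, predicate in RULES:
        if predicate(tx, profile):
            score += weight
            reasons.append(name)
    return score, reasons


def decide(tx: Transaction, profile: Profile) -> Tuple[str, int, List[str]]:
    """Map a score to allow / step-up / block. Runs regardless of how the login went,
    which is the whole point against credential-stealing malware."""
    score, reasons = score_transaction(tx, profile)
    if score >= BLOCK_AT:
        return "block", score, reasons
    if score >= STEP_UP_AT:
        return "step-up", score, reasons
    return "allow", score, reasons


# Constructed sample data (not real accounts or transactions).
PROFILE = Profile(
    known_devices={"fp-home-laptop"},
    known_payees={"electric-co", "landlord"},
    typical_amount=100.0,
    home_country="US",
)

# Routine bill payment from the usual machine.
TX_LEGIT = Transaction("acct-1", "fp-home-laptop", "landlord", 120.0, "US", 400)

# New payee and an unusually large amount, but from the usual device and location.
TX_SUSPICIOUS = Transaction("acct-1", "fp-home-laptop", "new-contractor", 900.0, "US", 600)

# Valid credentials replayed from an unknown machine abroad to an unknown payee,
# seconds after login: the shape of a Trojan-driven transfer.
TX_FRAUD = Transaction("acct-1", "fp-unknown-7f3a", "mule-account", 4500.0, "XX", 12)


if __name__ == "__main__":
    for tx in (TX_LEGIT, TX_SUSPICIOUS, TX_FRAUD):
        verdict, score, reasons = decide(tx, PROFILE)
        print(f"{tx.payee:15s} -> {verdict:8s} score={score:3d} reasons={reasons}")
```

The weights are deliberately additive and transparent so an analyst can read why a transfer was stopped; in production these signals would be tuned from the institution's own fraud history, and the step-up path would use a channel the infected PC cannot observe, since Sinowal sits on the victim's machine and can alter or suppress anything shown in the browser.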