Massive Botnet Stealing Banking Info


According to Reston, Va.-based iDefense, multiple variants of a Trojan dubbed "MetaFisher," a.k.a. "Spy-Agent," have been spreading for months under the proverbial radar.

"MetaFisher has compromised hundreds of thousands if not millions of accounts for financial fraud," said Ken Dunham, the director of iDefense's rapid response team.

The Trojan is pitched the usual way -- via spammed e-mail that includes a link -- and uses the long-patched Windows Metafile (WMF) vulnerability to silently install via a drive-by download on machines whose users simply surf to these malicious sites.

Once on a machine, the malware turns the PC into yet another "bot," or remotely-controlled computer. But Dunham, who called MetaFisher "the most sophisticated bot to date," said it has several unique technical tricks up its sleeves.


MetaFisher uses HTML injection techniques to phish information from victims after they've logged into a targeted bank account, said Dunham, which lets attackers steal legitimate TAN numbers (one-time PINs used by some banks overseas) and passwords without having to draw them onto phony sites.
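One defensive check that follows from this trick, as an added example rather than anything from the article or from iDefense: a bank's page-integrity script (or a test harness) compares the input fields actually present on a post-login page against a manifest of the fields the bank serves, so injected prompts for extra TANs stand out. The manifest, the page path and the sample HTML are all constructed for illustration.

```javascript
// Added example, not the article's or iDefense's code.
// Assumption: the bank publishes an allowlist of form field names per page.
const EXPECTED_FIELDS = {
  // constructed manifest for a hypothetical transfer page
  "/transfer": ["recipient", "iban", "amount", "tan"],
};

// Pull every <input> tag with its name and type from an HTML string.
function extractInputs(html) {
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const name = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    const type = /\btype\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    inputs.push({
      name: name ? name[1] : "",
      type: type ? type[1].toLowerCase() : "text",
    });
  }
  return inputs;
}

// Return the names of visible inputs that are not on the page's manifest.
// Injected TAN prompts show up here; a clean page returns an empty list.
function auditPage(path, html) {
  const allowed = new Set(EXPECTED_FIELDS[path] || []);
  const unexpected = [];
  for (const inp of extractInputs(html)) {
    if (inp.type === "hidden" || inp.type === "submit") continue;
    if (!allowed.has(inp.name)) unexpected.push(inp.name);
  }
  return unexpected;
}

// Constructed samples: the bank's real form, and the same form after a
// block asking the customer to "confirm" several TANs at once is injected.
const CLEAN_HTML = `<form action="/transfer" method="post">
<input name="recipient"><input name="iban"><input name="amount" type="number">
<input name="tan" maxlength="6"><input type="submit" value="Send"></form>`;

const INJECTED_HTML = CLEAN_HTML.replace(
  '<input name="tan"',
  '<p>Security update: enter TANs 1-3</p>' +
    '<input name="tan1"><input name="tan2"><input name="tan3"><input name="tan"'
);

console.log("clean:", auditPage("/transfer", CLEAN_HTML));       // []
console.log("injected:", auditPage("/transfer", INJECTED_HTML)); // [ 'tan1', 'tan2', 'tan3' ]
```

A check that runs in the same browser the bot controls can itself be tampered with, so the stronger use is server-side: have the client report the field list it rendered and compare it against the manifest there.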

Currently, MetaFisher is targeting Spanish, British, and German banks, and their customers.

iDefense, said Dunham, broke the encryption used to disguise the traffic between bots and their controllers, and has monitored that back-and-forth for several weeks. It's passed along the information to its parent company VeriSign, which has been working on taking down the sites used to drive-by-download the Trojan.

Increasingly, bots are being used by criminals to steal personal financial information using covert code and keyloggers. Last week, FaceTime, a Foster City, Calif. security company, disclosed details of a bot network, or botnet, that was exploiting vulnerabilities in back-end e-commerce shopping cart software to rip off consumers.