There is an increase in use of complex crimeware that gathers the passwords of online customers at specific banks and automatically transfer funds out of their accounts, according to Akamai's security group.
The surge is being aided by a tool called Yummba webinject, which generates pop-ups injects - during legitimate banking sessions that ask for usernames and passwords, says Akamai's Prolexic Security Engineering & Response Team (PLXsert) in a threat advisory. The phony dialog boxes mimic the look and feel of the genuine bank Web pages with logos, colors and fonts used on the legitimate site.
Yummba webinject is being used in concert with other malware to present the popups, send stolen credentials to command and control servers, steal information about account balances and automatically transfer funds to accounts controlled by criminals, the advisory says. While this type of initial attack is not uncommon, automating the theft of funds represents another level of sophistication, Akamai says.
The Yummba webinjects are meant to be used in tandem with the Automatic Transfer System Engine (ATSEngine), which allows injecting content into Web sites and automatically transferring funds out of compromised accounts. The ATSEngine also easily updates malware configurations without having to reinfect the attacked machines.
PLXsert identified more than 100 companies for which custom versions of this attack have been written and that are being sold on the malware black market. The most targeted companies are larger financial institutions in North America and Europe.
Akamai believes Yummba is written by a Russian individual or group. It has been distributed as elements in larger crimeware packages including Zeus, SpyEye and KINS, PLXsert says.
To lessen the threat of being victimized users can try anti-virus software and deep packet inspection tools that look for malware signatures, although variants of the attacks could slip by, Akamai says.
Blocking outbound URLs known to service the attacks could help mitigate losses. Training users in how to recognize phishing attacks can also reduce the number of machines that these attacks are successful against. Endpoint security such as group policy objects, software restriction policies and Enhanced Mitigation Experience Toolkit for Windows machines can help, too, Akamai says.