RSA Uncovers New POS Malware Operation Stealing Payment Card & Personal Information

In a recent investigation, RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia. While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems.

[Image: Hand of Thief greeting screen]

RSA Peeks into the Bits of New Linux-based Trojan Hand of Thief #INTH3WILD

Although the malware has not been traced in the wild yet, the RSA FraudAction team has obtained its builder and created Hand of Thief binaries, testing its actual functionality, exposing the operational features, as well as revealing the bugs that can prevent it from stealing data from Linux users. RSA’s research and analysis shows that, in reality, the Hand of Thief Trojan’s grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan.

Got an Extra $40,000 Lying Around? Carberp is Back on the Market!

In a surprising move that came about earlier this week, team Carberp decided to offer their Trojan to cybercriminals for monthly usage fees ranging from $2,000 to $10,000 per month, depending on the number of modules and plugins desired. Those wishing to purchase the Trojan can opt to invest a whopping $40,000 for a full kit, including the malware’s builder and an improved bootkit version. At no point in cybercrime history has any developer asked such a price for a banking Trojan.

Cyber Gang Seeks Botmasters to Wage Massive Wave of Trojan Attacks Against U.S. Banks

In one of the most interesting cases of organized cybercrime this year, a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date.

New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3

The RSA Research Lab has analyzed one of the most recent SpyEye v1.3 variants and has determined beyond doubt that the new hybrid Trojan is in fact already active in the wild. RSA’s researchers were able to reverse engineer the code and assert that it does indeed contain an exact code piece that has long been part of the Zeus Trojan’s sophisticated HTML injection mechanism. Snapshots of the assembly code are included below (See Figure 1 and Figure 2), courtesy of the RSA Research Lab.

Fraud News Flash: Bogus Ad for Zeus-SpyEye Hybrid Trojan published in Underground Forum

On Friday, January 14, 2011, McAfee posted a blog entry titled “Combined Zeus/SpyEye Toolkit Announced”, based on a fraud forum post by “Hardersell”, in which this individual supposedly offers the much-anticipated SpyEye-Zeus hybrid Trojan for sale. Hardersell’s comments were published in an open, low-grade Russian-speaking hacking/carding forum, which gives the post less credibility than it would have on the more prestigious, exclusive, closed Russian-speaking forums.

Follow the Money, and Go for the Mules!

…focusing on mules and mule herders is a relatively new, necessary direction. Mules should get the attention not only from law enforcement, but from the banking and security industries as well. We all have to remember that no mules = no cash.