1 Trojan + 3 years = 500,000 online financial accounts

RSA discovers a half-million bank and credit card accounts compromised by the Sinowal Trojan that sneaks onto machines from Web sites and steals information.

RSA FraudAction Research Lab has discovered log-in information for about 300,000 online bank accounts and 250,000 credit and debit card accounts that have been gathered by a cybercrime gang over the past three years using the Sinowal Trojan.

"This may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," according to a blog entry posted Friday from RSA, EMC's security unit.

The Sinowal Trojan infects computers without the owner's knowledge, surreptitiously planting itself on the machine while the owner is Web surfing, in an attack dubbed a "drive-by download."

The malicious code is typically hidden on an unfamiliar Web site, often related to porn or gambling, but can also be found lurking on legitimate Web sites, says Sean Brady, manager of identity protection at RSA.

The Trojan is programmed to execute when the victim visits a particular banking or financial Web site; it is triggered by more than 2,700 specific URLs, according to RSA. The malware then inserts additional fields into the bank's page as it is rendered in the victim's browser, prompting the victim to type in information such as a PIN and Social Security number that the Web site itself does not ask for.
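The following is an added example, not code from the article or from RSA, that illustrates the two halves of what the paragraph above describes: a URL trigger list driving an in-browser form injection, and the integrity check a defender can run against the rendered page to catch it. The bank hostnames, the trigger list, the inject-rule format and the login form are all constructed for illustration and are not Sinowal's own configuration.

```javascript
// Added example (not from the article or RSA). Simulates a man-in-the-browser
// form injection driven by a URL trigger list, then shows the defender-side
// check: compare the input fields actually rendered against the fields the
// site is known to serve. Everything below is constructed sample data.

// Constructed stand-in for the ~2,700 trigger URLs RSA describes.
const TRIGGER_URLS = [
  "https://online.examplebank.test/login",
  "https://secure.examplecard.test/signin",
];

// Hypothetical inject rule: after a matching snippet of the bank's own page,
// append extra fields the bank never asks for (PIN, SSN). Format is assumed
// for illustration only.
const INJECT_RULES = [
  {
    urlPrefix: "https://online.examplebank.test/",
    after: '<input type="password" name="password">',
    inject:
      '<label>ATM PIN <input type="password" name="atm_pin"></label>\n' +
      '<label>Social Security number <input type="text" name="ssn"></label>',
  },
];

// Constructed login form standing in for the bank's real page.
const ORIGINAL_LOGIN_FORM = `<form action="/login" method="post">
  <label>User ID <input type="text" name="username"></label>
  <input type="password" name="password">
  <button>Sign in</button>
</form>`;

// Fields the bank's login page is known to contain (the defender's allowlist).
const EXPECTED_FIELDS = ["username", "password"];

// Attacker side: does this URL match the trigger list?
function isTriggered(url) {
  return TRIGGER_URLS.some((t) => url.startsWith(t));
}

// Attacker side: rewrite the page HTML according to any rule whose URL prefix
// matches. Rules whose anchor snippet is absent are skipped unchanged.
function applyInjects(url, html) {
  let out = html;
  for (const rule of INJECT_RULES) {
    if (!url.startsWith(rule.urlPrefix)) continue;
    const idx = out.indexOf(rule.after);
    if (idx === -1) continue;
    const cut = idx + rule.after.length;
    out = out.slice(0, cut) + "\n" + rule.inject + out.slice(cut);
  }
  return out;
}

// Defender side: extract the name attribute of every <input> in the markup.
// A regex is used here so the example runs without a DOM; a browser extension
// would walk document.forms instead.
function inputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Defender side: any rendered field not on the site's allowlist is suspicious.
function unexpectedFields(html, expected) {
  const allowed = new Set(expected);
  return inputNames(html).filter((n) => !allowed.has(n));
}

// Walk the scenario end to end and return the results for inspection.
function demo() {
  const url = "https://online.examplebank.test/login?session=abc";
  const triggered = isTriggered(url);
  const rendered = triggered ? applyInjects(url, ORIGINAL_LOGIN_FORM) : ORIGINAL_LOGIN_FORM;
  return {
    triggered,
    rendered,
    suspicious: unexpectedFields(rendered, EXPECTED_FIELDS),
  };
}

console.log(demo());
```

The point of the defender half is that the injected page is only visible on the victim's machine: the bank's server never sees the extra fields until a submission arrives carrying `atm_pin` or `ssn` parameters it never asked for, which is exactly the signal a server-side check on POST bodies (or a client-side integrity script comparing `document.forms` against a published field list) should alert on.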

[Chart: the rate at which the Sinowal Trojan has been compromising online bank accounts since early 2006. Source: RSA]
The account information has been stolen since at least February 2006, uninterrupted, and includes e-mail and FTP accounts, according to RSA.

The company has alerted law enforcement and has provided the compromised account information to the financial institutions involved, Brady said in an interview on Thursday.

"This could be a wake up call for institutions and end users who have ignored the fact that Trojans are out there," he said.

The Sinowal Trojan has had ties to the identity theft organization known as Russian Business Network, but the hosting facilities of the malware appear to no longer be connected to that group, according to RSA.

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006," the blog post says. "And in addition to its longevity, Sinowal has also been evolving at a dramatic pace - its rate of attacks spiked upwards from March through September of this year."
