Paris-Based Cybersecurity Researcher Uncovers Banking Trojan

After the recent wave of ransomware attacks that spread across Europe, targeting businesses and financial institutions, cybersecurity researchers have been looking for signs of further attacks or dormant malware. According to a Paris-based security researcher who goes by the handle Benkow, one such investigation led him to a hidden cache of millions of sets of stolen personal information used to further propagate a banking trojan virus.

Researcher Uncovers Largest Set of Compromised Data to Date

According to ComputerWeekly, at the end of August Benkow revealed that he had come across a Dutch server hosting more than 700 million email addresses and passwords – 711,477,622, to be exact – that a spambot used to bypass email credential filters. The spambot has been active since at least 2016 and was used to launch attacks that spread a banking Trojan named Ursnif, also known as Gozi. The researcher also suggests that the spambot follows a pattern in choosing its targets, favouring specific countries or a specific type of business, such as hotels.

According to the same source and to the owner of the HaveIBeenPwned website, where users can check whether their email account has appeared in a known data breach, this is the largest set of compromised email credentials discovered to date, surpassing for example the record of more than 390 million accounts hacked from River City Media. Not all compromised email accounts on this list are new, though, as many come from previous leaks. As he writes on his blog, Benkow himself has encountered Ursnif before and believes some of the personal data may have come from the public Badoo or LinkedIn leaks or from credential-stealing malware such as SQL injection scanners. SQL injection is a type of attack in which malicious input is passed to a database’s SQL engine so that it executes attacker-supplied commands, granting the attacker unauthorized access to view or process restricted data. It can also be used to modify or even delete datasets, compromising data integrity.

Banking Trojan Especially Relevant to Financial Institutions

Ursnif allows cybercriminals to steal browsing data, including banking information and credit card credentials, capture passwords through keylogging and screenshots, and deliver unintended second-stage payloads, spreading the infection to connected machines and, through peer-to-peer communication, to other Ursnif instances on the same network. The spambot itself worked in stages: it would first test each stolen email account to confirm that it was still valid, and then send out “fingerprinting spam” emails that let the attacker learn the time, location, and actual device on which the email was opened.
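As an added illustration of the fingerprinting step described above (this is not code from the article or from Benkow's write-up), the following detector assumes the spam relies on a remote image fetched when the message is rendered, which is the usual way a sender learns when, from where and on which client a mail was opened; the sample message body is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteImageFinder(HTMLParser):
    """Collect <img> tags that load from a remote host. Each such fetch
    reports the recipient's IP, client and open time back to the sender."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            return  # inline (cid:) or data: images do not phone home
        # A 1x1 / zero-sized or hidden remote image is the classic tracking pixel.
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        self.findings.append({"src": src, "host": parsed.hostname, "tracking_pixel": tiny or hidden})


def find_tracking_pixels(html_body: str) -> list:
    """Return the remote images in an HTML mail body that look like tracking pixels."""
    parser = RemoteImageFinder()
    parser.feed(html_body)
    return [f for f in parser.findings if f["tracking_pixel"]]


# Constructed sample body; the hostname and token are placeholders, not real indicators.
SAMPLE_BODY = """<html><body>
<p>Your invoice is attached.</p>
<img src="cid:logo" width="200" height="60">
<img src="https://tracker.example.invalid/o.gif?u=rcpt-12345" width="1" height="1" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_BODY):
        print(f"remote tracking pixel -> {finding['host']} ({finding['src']})")
```

A mail gateway or client that blocks remote image loading by default denies the sender this signal entirely; the detector above is useful for triaging mail that has already been delivered.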

Financial institutions that handle large sets of banking and personal financial data are especially exposed to attacks of this kind; an Ursnif infection could have grave effects for individuals, but for larger fintech firms the consequences could be devastating. Incidents like the stolen-account cache discovered by Benkow highlight the importance of an efficient and proactive cybersecurity strategy, especially for financial firms investing in novel products such as cryptocurrencies.