Cybercriminals are implementing techniques in their banking password stealers to further cover their tracks. Not that they were having an extremely difficult time with this already, as pointed out by Guillaume Lovet's Virus Bulletin paper on fighting cybercrime, but the technical and forensic challenges have now been stepped up another level. We have been tracking the growth of the Urlzone/Bebloh family since February of this year, and other groups' fraudulent activity has shown a similar acceleration in sophistication.
The first, larger waves we saw in February targeted German users; the ThreatFire community was protected from the menace. As more European banks and countries were hit, we continued to monitor for a more global presence, since the malware package is becoming even more popular among multinational banking cyberthieves. Distribution servers have been appearing on American providers' networks, so the next logical step is for American banks to be targeted as well. We will be monitoring the situation closely.
The stealer is being spread by attacking the usual client-side vulnerabilities in browsers and third-party plugins.