ATMZombie is the First Trojan Targeting Israeli Banks

ATMZombie was detected in November 2015, uses the method of classic proxy-changing for sniffing out Web traffic to portals of banks, and then in the second stage, it needs the support of the individual behind this risk and a chain of money mules recovering the cash from ATMs.

Ido Naor, an Israeli cyber-security expert, led GReAT (Global Research and Analysis Team) of Kaspersky in detecting the attack, known as ATM-Zombie attack; and informed authorities and helped to stop spreading of the same. He said that it is important to note that financial institutions in Israel are well-known for their ability to fend off intimidating activity.

Kaspersky began an investigation on one exceptionally sophisticated attack on Israeli bank accounts, which started by taking advantage of a loophole in the portal of the online banking and finished with 'zombies' or cash mules being used to take out cash from ATMs. This trojan was named as ATMZombie by Kaspersky labs. Check-and-secure.com posted on March 1st, 2016, stating that Israeli account holders were attacked with particular and definite emails that influence the account holders to download an executable file consisting the trojan stores its own certificates in common browsers, removes every other certificates, installs a PAC (Proxy Auto Configurator), and afterward waits for log in of the user again.

These malicious PAC files will redirect the whole traffic of the browser via an intermediary node that is under attacker's control, and the attacker's will then log each and every details. Signed certificates of ATMZombie are further installed on infected computers to crack encrypted HTTPS traffic.

Once the information is obtained, the attack go into a stage of "manual mode", focusing only on Israeli banks due to a local service that permits the owner of the bank account to send funds (money) to individuals without credit cards or bank accounts.

Attacker will enter into the victim's account with the help of stolen credentials, and then send smaller payments to their money mules. The attacker make use of an SMS transaction feature to do this, particularly only to Israeli banks.

The usual conclusion is local criminals are behind this attack, since they know each and every details of the local banking system, and also as they use and administer local ATM money mules, something which international criminal gangs try to avoid.

» SPAMfighter News - 3/9/2016