Hackers have been using a Trojan – whose sophistication would put professional IT departments to shame – to quietly steal bank-account details on hundreds of thousands of computers worldwide.
For weeks, customers of large banks in the UK, Spain and Germany have been duped by phishing emails into installing the MetaFisher Trojan and putting their machines under the control of one of the most sophisticated 'botnets' known so far.
"This is one of those big, under-the-radar threats that we've been concerned about," said Ken Dunham, director of the rapid response team at VeriSign's iDefense unit. "There has been a trend away from big-bang attacks to very targeted and sophisticated attacks that take place right under your nose. This is one of them."
According to Dunham, hackers have been sending out hundreds of thousands of emails prompting users in the three countries mentioned to visit malicious websites that use a WMF (Windows Metafile) exploit to download a Trojan program called MetaFisher on a victim's computer.
The Trojan, which is also known as Spy-Agent and PWS, is then used to collect and send bank-account and personal information from the compromised system to remote servers, where the data is harvested.
What sets MetaFisher apart from the hundreds of other similar Trojan programs is the sophistication of the command-and-control servers used to control it, said Eric Sites, vice-president of research and development at Sunbelt Software.
"We have seen many Trojans with web back ends that collect data and send a few commands back to the bot," Sites said. In contrast, MetaFisher's management interface reveals a level of sophistication usually found only in professional IT departments, he said.
According to Dunham, MetaFisher uses a PHP-based website to track infections by country and to manage variants and scripts. It also includes a query routine to easily filter stolen data and find keylogger and account data for specific keywords, he said.
The command-and-control servers also allow hackers to modify the behavior of the bots based on information gathered from compromised systems, Sites said. For instance, the attack instructions and exploits that get downloaded on a victim's computer might vary based on the operating system.
For the moment, a vast majority of the installed MetaFisher bots are programmed to steal passwords, personal ID numbers and other information from compromised users who visit specific banking websites in the UK, Spain and Germany, Dunham and Sites said.
One of the command-and-control servers collecting stolen data is based in Washington, Sites said. Over a four-day period ending today, about 29,000 infected computers reported back to this website with stolen data 561,857 times, he said.
The ISP that hosts the illegal website has so far refused to respond to requests to shut it down, Sites added.