MPack Banking Crimeware Infects 500,000 Computers - InformationWeek



MPack Banking Crimeware Infects 500,000 Computers

The hacking toolkit has been going for $1,000 on the Russian underground and researchers say it's now in the hands of 58 cybercriminals.

A hacking tool for sale in the Russian underground is in the hands of 58 criminals who have infected more than 500,000 users, according to a security research firm.

The MPack toolkit is a powerful exploitation tool that launches attacks against Web browsers. Ken Dunham, a senior engineer with VeriSign-iDefense, reported this summer that the toolkit leverages multiple exploits -- including the Windows ANI bug and a QuickTime overflow bug -- to compromise computers.

Finjan Software, Inc., a security company, reported this week that the malware being used within MPack is going after users' bank account information, such as user names, passwords, credit card numbers and Social Security numbers. It is a highly effective tool: Finjan recorded 3.1 million infection attempts with an infection ratio of 16%.

"The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind," Finjan researchers reported in an advisory. "Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection. Users whose machines were infected by this crimeware will not notice any change to their normal PC and online browsing experience. The rootkit nature of the crimeware leaves no sign and does not impact the end-user experience."

To make matters even worse for users and IT managers, the malware downloaded by the MPack toolkit is still not detected by the majority of popular security products, according to Finjan. And that makes it very effective in infecting PCs.

"This form of attack is more dangerous than previous forms of phishing, which relied on fraudulent Web sites," said Yuval Ben-Itzhak, Finjan's CTO, in a written statement. "Because this attack happens on the customers' own PC and is encrypted, it makes it extremely difficult to detect. After the customer fills in the login form on their Web site and clicks on the 'Log In' button, the crimeware, running on the infected user machine, intercepts the communication. The crimeware sends the intercepted UserID and password to the criminal's server, instead of sending it to the bank's server. The customer thinks they are still on the bank's Web site, but they are actually sending data to the criminal's server over an encrypted connection."

Ben-Itzhak explained that the crimeware takes over the browser and creates a copy of the real banking page in real-time so the user is further tricked into thinking they're at a legitimate site. For each financial institution, the crimeware sends a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service.

The crimeware is spread by compromised, legitimate sites that have malicious code embedded in them.

Dunham had reported that $ash is the primary Russian group or individual selling MPack on the underground, asking for $1,000 for the complete toolkit. The author claims that attacks are 45% to 50% successful and can take advantage of the animated cursor exploit along with MS06-014, MS06-006, MS06-044 and WinZip ActiveX Overflow.

VeriSign-iDefense also reported that attacks from MPack date back to October 2006.
