Security researchers have discovered a new banking trojan called ATMZombie, which has been targeting banks in Israel.
ATMZombie was first detected last November. It uses the classic proxy-changing method to sniff Web traffic to banking portals; from there on, the operation depends on a human operator behind the malware and a chain of money mules who withdraw the money from ATMs.
The so-called “proxy-changing method” is an old trick among malware authors. It works by tampering with the browser’s proxy configuration: the malware swaps in its own PAC (Proxy Auto-Config) file in place of the browser’s default one.
The malicious PAC file redirects the browser’s traffic through an intermediary node controlled by the attackers, who log all the details that pass through it. To break HTTPS as well, ATMZombie installs its own certificate on the infected machine, so the interception proxy can present certificates the victim’s browser accepts instead of raising a warning.
Once the credentials have been captured, the attack enters a “manual mode” stage that is specific to Israeli banks, because of a local service that lets an account holder send money to people who have no bank account or payment card.
Using the stolen credentials, the attacker logs into the victim’s account and sends small payments to the money mules through the banks’ SMS transaction feature.
The mule then receives an SMS, goes to any bank ATM, enters the details and the authorization code from the message, and the ATM dispenses the money from the victim’s account to the mule.
The researchers say that multiple Israeli banks were hit this way and that the gang has already claimed hundreds of victims. Fortunately, the service does not allow large withdrawals: no single payment exceeded $750.
Taken together, this suggests that the people behind the campaign are local criminals. They know the subtle intricacies of the local banking scene, and they recruit and supervise local ATM money mules, something international gangs usually try to avoid.