According to the Belgian newspaper De Tijd, malware has been used to compromise the online share portfolios of investors in Belgium, using a botnet to pump share prices - and, says the paper, raking in more than 100 000 euros in the process.
Reporting on the saga, Rik Ferguson, Trend Micro's senior security advisor, said that the investigation has remained a secret until last Friday.
In his security blog posting, Ferguson says that the federal prosecutor and the computer crimes unit of the national Belgian police investigated the scam, which apparently took place in 2007.
During April and May of that year, cybercriminals infected the PCs of customers of online share-dealing accounts of three Belgian banks, stealing their user names and passwords in the process.
According to Ferguson's countermeasures blog, "the [newspaper] article goes on to detail what appears to be a highly targeted, custom written attack that was able to automate stock trades across the botnet."
"Of course the criminals behind the enterprise went on to profit from the sharp changes in stock price of the penny stocks that were being manipulated by buying and selling their own shares at exactly the right moments in classic pump-and-dump tactics", he said.
The Belgian paper reportedly quotes a spokesperson for Belgium's Banking, Finance and Insurance Commission (the CBFA) as saying that, following the hack in July 2007, no further (and similar) incidents occurred.
The spokesperson added that, in April 2009, the CBFA sent a circular about an improvement in the security standards of Belgian banks, which have been enhanced to protect against similar scams.
Ferguson says that, in a conversation with a local journalist about the saga, "it seems that many Belgian banks (in fact most banks globally) are still only offering classical two-factor authentication aimed at authenticating the user rather than the transaction."
"While this kind of technology would certainly thwart this bot in its current form, it is not impossible to defeat. As I have previously blogged, banking malware has already evolved to the stage where it can overcome multiple factor user authentication", he said.
"With this in mind it is vital that any improvement in online banking security should verify individual transactions rather than simply authenticate the user", he added.
According to the Trend Micro security expert, the authentication token itself must be capable of accepting direct input relating to the content or the value of the transaction.
"This can then be verified by both parties and cannot be modified by a malicious `man in the browser' [attack]", he explained.