The crackdown came after the search of 12 houses and a long investigation into a series of targeted attacks on accounting personnel, which started in mid-2012. The campaign originated with emails – in this case spoofed messages that looked like they came from financial institutions.
“The content usually warned of a late payment and was constructed in a way that gave the impression of coming from a local bank (in one case even pretended to be coming from the state tax authority and warned about the fictitious change of legislation that would have financial consequences for the targeted victim),” said SI-CERT (the Slovenian national Computer Emergency Response Team), in its posting on the attacks.
The emails contained a trojan horse which, once installed, logged passwords and installed remote administration tool (RAT) components for unauthorized remote access, which allowed the attackers to observe activity on the infected system.
This allowed the criminal gang to steal credentials and prop open the doors to the company's bank accounts. In one case, they were able to take advantage of a victim not removing the smart card containing a bank-issued security certificate from a PC after use – leaving the gate wide open. Then, the money mules would get to work. They were recruited through a work-at-home scam in the name of a nonexistent British insurance company, SI-CERT noted.
“The attacks usually happened on Fridays or the day before national holidays,” SI-CERT said. “This left enough time for the attackers to queue bank transfer orders unobserved during weekends and holidays, provided that the victim did not shut down the computer or remove the smart card from the reader.”
Slovenian police coordinated the investigation lasting several months with the help of SI-CERT and The Office for Money Laundering Prevention.
“Whether it's zombie software like Gozi, tricking victims into revealing personal information by means of which criminals can later raid their bank accounts, or Citadel malware injecting code into webpages so victims enter PIN numbers and answers to secret questions, it's far too easy for crooks to trick us into giving them access to our accounts,” said Lisa Vaas at Sophos Naked Security, in a blog post.
She advised, “Instead of clicking on links in phishy emails, recipients should go to their bank's official website and/or call the bank's number, listed on the site or on billing statements.”