The Akamai Blog

Yummba Webinject Tools Used for Banking Fraud

Attackers are using Yummba webinject tools to target banks and other enterprises, Akamai's Prolexic Security Engineering & Response Team (PLXsert) warned in an advisory this morning.

Zeus crimeware has a history of being used to build botnets, steal banking credentials and launch DDoS attacks -- targeting platform-as-a-service (PaaS) and software-as-a-service (SaaS) infrastructures.

The added capabilities of Yummba custom webinjects make the malware even more dangerous, the advisory said. Webinject attacks available for sale in the wild vary in sophistication, from simple attacks that report account information and credential theft to highly advanced webinjects that utilize ATSEngine for automated fund transfers to attacker-controlled accounts. Portions of these attacks might also be used in cross-site scripting (XSS), phishing, and drive-by download attacks.

From the advisory:

Open source intelligence sources (OSINT) indicate the creator of the Yummba webinjects tool is located in Russia, having been previously identified by other researchers.[1] The author appears to specialize in writing webinjects that target financial entities. Yummba is fairly active in the carding community, sometimes giving advice to other developers, but most of his activity relates to identifying stolen and leaked versions of his products and blacklisting the parties responsible.

The toolkit author's personal server displays the jabber ID where he can be contacted (yummba@mybro.cc), which has also been posted in forums and appears on the mybro.cc domain.

The Whois information for mybro.cc shows contact information and an address located in Russia. Of course, OSINT information about an online persona and domain may be inaccurate, because malicious actors try to conceal their true identities.

Some advanced webinjects, such as those that support the ATSEngine, automate the process of wiring a victim's funds to a third-party account. The victim's active, authenticated session is hijacked to perform these unwanted actions.

The custom Yummba webinjects are intended to be used with the ATSEngine, an add-on component for popular crimeware and botnet software that allows malicious actors to inject dynamic content into a website and then automatically transfer funds from the victim's compromised online banking accounts. The engine allows malicious actors to update their configurations easily, without having to recompile or reinfect their victims. The JavaScript code is packed using a common obfuscator.

The advisory offers a step-by-step account of how the attack proceeds from there.

What to do about this threat? PLXsert suggested the following actions:

  • User awareness: Because end-users are the target of these attacks, training and education are needed to help them identify suspected phishing attacks. Red flags are generic salutations, grammatical errors in URLs, unexpected attachments, and attachments sent from unknown entities. In general, clicking unfamiliar links in emails should be discouraged. Users should not respond with sensitive information to email requests and should contact their financial institutions with questions about suspicious banking emails. It's a good idea to browse directly to a financial institution instead of clicking a link.
  • System hardening: Group Policy objects (GPOs), Software Restriction Policies (SRP) and commercial endpoint security products can help mitigate this type of threat. In addition, using antivirus software and other signature-based measures can help, although there may be very low levels of detection for some threats.
  • Deep packet inspection: Monitoring via deep packet inspection can help to mitigate these threats with a recognizable traffic signature. Some illegitimate URLs served during these attacks can be spotted and blocked for outbound traffic.
  • Community cleanup: Projects such as Shadowserver,[4] MalwareMustDie,[5] and ZeuS Tracker[6] help the commercial sector and law enforcement to verify and take down malicious hosts serving attacks. Remediation and takedown are needed to stop further infestation and damage.
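
To make the outbound URL blocking in the deep packet inspection item concrete, here is an added example (not from the PLXsert advisory or from Akamai) that scans proxy log lines for requests to blocklisted hosts. The hostnames, the sample log and its four-field format are all constructed for illustration; real blocklist entries would come from the advisory or a tracker feed.

```python
from urllib.parse import urlsplit

# Constructed blocklist (assumption); not indicators from the advisory.
BLOCKED_HOSTS = {"inject-panel.example", "ats-gate.example"}

# Constructed proxy log, assumed format: "<timestamp> <client_ip> <method> <target>"
SAMPLE_LOG = """\
2014-09-01T10:00:01Z 10.0.0.12 GET https://www.bank.example/login
2014-09-01T10:00:02Z 10.0.0.12 POST http://ATS-Gate.example:8080/gate.php?id=7
2014-09-01T10:00:03Z 10.0.0.15 GET http://cdn.inject-panel.example./js/a.js
2014-09-01T10:00:04Z 10.0.0.15 GET http://notinject-panel.example/index.html
2014-09-01T10:00:05Z 10.0.0.20 CONNECT ats-gate.example:443
malformed line
"""

def normalize_host(target):
    """Return the lowercase hostname from a URL or a CONNECT host:port, or None."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare "host:port"
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return None
    # Strip the trailing root dot so "host.example." matches "host.example".
    return host.rstrip(".").lower() if host else None

def is_blocked(host, blocked=BLOCKED_HOSTS):
    """Match the host itself or any subdomain, on DNS label boundaries only."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def flag_outbound(log_text, blocked=BLOCKED_HOSTS):
    """Return (timestamp, client_ip, host) for each request to a blocked host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, target = parts
        host = normalize_host(target)
        if host and is_blocked(host, blocked):
            hits.append((ts, client, host))
    return hits

if __name__ == "__main__":
    for hit in flag_outbound(SAMPLE_LOG):
        print(*hit)
```

Matching on label boundaries catches subdomains of a blocked host without flagging lookalikes such as `notinject-panel.example`, and the client address in each hit identifies the endpoint to investigate.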