Yummba Webinject Tools: A Web Security Threat Advisory

Overview: Yummba Webinject Tools
• New webinject tool by a Russian individual or group using the name Yummba
• A webinject is a framework that allows attackers to insert custom elements into web pages
  • Appears legitimate to end users
  • Incorporated into malware kits such as Zeus, SpyEye and KINS
  • Used to collect and exploit customer data
  • Stolen credentials allow attackers to bypass security measures
• Webinjects crafted by Yummba are robust
  • Utilizes the Automatic Transfer System (ATSEngine)
  • More complete and dynamic attacks and a more advanced feature set
©2014 AKAMAI | FASTER FORWARD™
Sample Webinject
• A webinject overlays or embeds information in a legitimate web page that misleads the customer into entering data
  • Data is used for malicious purposes, such as identity theft and banking/credit card fraud
• Often customized to match a site’s look and feel
Webinject Targets
• PLXsert identified more than 100 companies with active injects available
• The most likely targeted companies are larger financial institutions in North America and Europe
• Attacks-for-sale come with a wide range of features
  • Simple reporting of account information
  • Simple credential theft
  • Automated wire transfers to an attacker-controlled account
• Attack targets include banking and financial services sites, multiple ecommerce sites and social media platforms
Code Analysis and the ATSEngine
• Custom Yummba webinjects are intended to be used with the ATSEngine
  • Allows malicious actors to update their configurations easily
• The code prepares the ATSEngine to scrape and gather the user’s banking session information
• Hidden iframes are used to exfiltrate the data
• Data is sent directly to the malicious actor’s command and control (CC or C2) server without the user’s knowledge
• Other functions attempt to gather additional user account information
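The two behaviours this slide describes, extra form elements inserted into a legitimate page and a hidden iframe pointing at a foreign host, are exactly what a page-integrity check on the client-rendered DOM can flag. The scanner below is an added defender-side example, not code from the advisory; it walks captured page HTML with the standard-library parser and reports input fields that are not in the site's expected field list and hidden iframes whose source is off-origin. The page host, field names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectScanner(HTMLParser):
    """Flags DOM elements typical of a webinject overlay."""

    def __init__(self, page_host, expected_fields):
        super().__init__()
        self.page_host = page_host
        self.expected_fields = set(expected_fields)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname
            style = (a.get("style") or "").replace(" ", "").lower()
            # "Hidden" covers CSS hiding, zero size and the hidden attribute.
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0"
                      or "hidden" in a)
            if host and host != self.page_host and hidden:
                self.findings.append(("hidden_foreign_iframe", src))
        elif tag == "input":
            # Any field the site did not ship is suspect: injects add
            # PIN/SSN/card prompts that the real login form never had.
            name = a.get("name")
            if name and name not in self.expected_fields:
                self.findings.append(("unexpected_input", name))


def scan_page(html, page_host, expected_fields):
    """Return a list of (finding_type, detail) tuples for one captured page."""
    scanner = InjectScanner(page_host, expected_fields)
    scanner.feed(html)
    return scanner.findings


# Constructed sample of a login page as seen on an infected client.
SAMPLE_INFECTED = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="t0k3n">
  <input type="text" name="username">
  <input type="password" name="password">
  <!-- elements below stand in for the injected overlay -->
  <input type="text" name="pin">
  <input type="text" name="ssn">
  <iframe src="http://collector.example.invalid/gate.php" style="display: none"></iframe>
</form>
"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_INFECTED, "bank.example", ["csrf", "username", "password"]):
        print(kind, detail)
```

In practice the expected-field list comes from the server-side template, and the captured HTML from a client-side integrity script or a browser automation run against a suspected infected host.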
How It Works with Zeus
• The Zeus framework is a banking trojan crimeware kit that is often used to harvest banking credentials
  • Once a system is compromised by Zeus, malicious actors have access to a variety of remote commands, such as installing webinjects
• Lab simulations used an infected Zeus bot configured with webinjects prior to browsing several websites
  • During a test in the lab environment, a user submitted fake credentials that were collected by the Yummba webinject tool
Vulnerability Mitigation
• In most cases, a client computer would have been previously compromised by a Trojan such as the Zeus crimeware kit
• Mitigation efforts include
  • User awareness
  • Antivirus software
  • System hardening
  • Deep packet inspection
  • Community cleanup
  • Get more detailed mitigation techniques in the full Yummba Webinject Tools threat advisory
Conclusion
• The underground crimeware ecosystem will continue to target financial institutions and streamline illegitimate operations
• Malicious actors will continue to develop payloads like these, in addition to DDoS botnet building and monetization
• Easy-to-use crimeware kits have simplified the setup of criminal shops that can generate profits very quickly
• International cooperation, community cleanup and a preemptive security mindset are needed to prevent the further expansion of this profitable criminal market
Threat Advisory: Yummba Webinject
Download the Yummba Webinject Tools threat advisory at www.stateoftheinternet.com/yummba
• This high-risk crimeware threat advisory includes:
  • How webinjects work
  • Co-resident malware, such as Zeus and ATSEngine
  • Potential banking targets
  • Analysis of the code
  • Types of data stolen
  • Vulnerability mitigation
About stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.