2012.05.31

Tinba is a small data-stealing trojan-banker. It hooks into browsers and steals login data and sniffs on network traffic. As several sophisticated banker-trojans, it also uses Man in The Browser (MiTB) tricks and webinjects in order to change the look and feel of certain webpages with the purpose of circumventing Two-factor Authentication (2FA) or tricking the infected user into giving away additional sensitive data such as credit card data or TANs.
[…]
The code is approx 20KB in size (including config and webinjects) and comes simple and clear without any packing or advanced encryption. Antivirus detection of the analyzed samples is low.
[…]
As observed in several other Trojan-bankers and advanced malware, Tinba utilizes the RC4 encryption algorithm when communicating with its Command & Control (C&C) servers. Tinba uses four hardcoded domains for its C&C communication. This is done to avoid one domain being nonresponsive and thus losing communication with its drones. If the first domain does not respond properly, Tinba simply moves on to the next domain down the chain. Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If the C&C server survives certain checks, then the before-mentioned files are downloaded and executed on the infected host. C&C communication is illustrated below.
[…]


CSIS: Say hello to Tinba: World’s smallest trojan-banker.

2012.05.25

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it’s currently unavailable because the site is offline.

via ZeuS Ransomware Feature: win_unlock – F-Secure Weblog : News from the Lab.

2012.05.16

A new fraudulent scheme of Tatanga has recently been spotted by Trusteer:

The victim is then presented with a fake insurance account that claims to cover the total amount of funds in their bank account. This fake insurance account is actually a real bank account that belongs to a money mule. The victim is told that they will be protected against any losses from online fraud by this insurance coverage. In the final step, the victim is prompted to authorize a transaction that they believe is to activate the insurance coverage. In all likelihood, the victim does not expect any funds will be transferred out of their account.

To approve the transaction the victim enters a one-time SMS password that is sent to their mobile device. Unfortunately, the victim is actually approving a transfer of funds from their account to the fraudster’s money mule account.

via A New Twist: Fraudulent Fraud Insurance | Trusteer.