Security researchers from Russian cybercrime investigations company Groub-IB have recently identified a new piece of malware designed to steal login credentials from specialized software used to trade stocks and other securities online.
The malware targets Internet trading software called QUIK and FOCUS IVonline from Russian software development firms ARQA Technologies and EGAR Technology, respectively, Group-IB researchers said Wednesday in a blog post.
The software can be used to trade on the Moscow Exchange (MICEX), the Saint Petersburg Exchange, the Ukrainian Exchange and other exchanges. It’s also used by other brokerage firms like BrokerCreditService in Cyprus, Otkritie in the U.K. and Russia, InstaForex, as well as by large banks like Sberbank, Alfa-Bank and Promsvyazbank, Group-IB said.
Once installed on a computer, the malware checks for the presence of the targeted applications and begins to monitor how the user interacts with them by taking screen shots. It also steals the log-in credentials and uploads the data to a command and control server, the Group-IB researchers said.
Customers should have standard malware protection installed on their computers like antivirus programs and firewalls if they use financial software, Vladimir Kurlyandchik, head of business development at ARQA Technologies, said Thursday via email. “This is our standard recommendation.”
Customers who suspect that their accounts might have been accessed without authorization should immediately change their access keys, he said.
According to Kurlyandchik, the QUIK software supports several mechanisms that can prevent account hijacking. This includes the ability to restrict access only to certain IP (Internet Protocol) addresses, as well as two-step authentication via SMS or RSA SecureID tokens.
Clients and brokers can choose the best option suited for their situation, Kurlyandchik said. The brokerage firms can also use some tools to monitor activity and block access to suspicious IP addresses, he said.
However, even if such security features are available it doesn’t necessarily mean that everyone is using them. There are many ways to extract funds from online trading accounts because of poor anti-fraud protection on the server side, said Andrey Komarov, the head of international projects at Group-IB.
For example, FOCUS IVonline is normally used through an encrypted VPN (Virtual Private Network) channel provided by a Russian security product, but this is not enough and hackers can still easily abuse the software, Komarov said. The malware can use remote access tools like VNC or RDP to allow attackers to connect through the victim’s computer.
Most of these specialized trading applications are well designed and have good security, but they are installed in untrusted environments, so it’s hard to protect them, Komarov said. The customer’s PC security is the main issue, he said.
There have been previous reports of hackers compromising online brokerage accounts. Those attacks primarily used form grabbers and Web injects like those seen in online banking malware, Komarov said.
Targeting online trading accounts is part of a big and growing trend for cybercriminals, he said.