Researchers find malware targeting online stock trading software

The malware is the result of a growing trend of cybercriminals targeting online brokerage accounts, Group-IB researchers say

Security researchers from Russian cybercrime investigations company Groub-IB have recently identified a new piece of malware designed to steal login credentials from specialized software used to trade stocks and other securities online.

The malware targets Internet trading software called QUIK and FOCUS IVonline from Russian software development firms ARQA Technologies and EGAR Technology, respectively, Group-IB researchers said Wednesday in a blog post.

The software can be used to trade on the Moscow Exchange (MICEX), the Saint Petersburg Exchange, the Ukrainian Exchange and other exchanges. It's also used by other brokerage firms like BrokerCreditService in Cyprus, Otkritie in the U.K. and Russia, InstaForex, as well as by large banks like Sberbank, Alfa-Bank and Promsvyazbank, Group-IB said.

Once installed on a computer, the malware checks for the presence of the targeted applications and begins to monitor how the user interacts with them by taking screen shots. It also steals the log-in credentials and uploads the data to a command and control server, the Group-IB researchers said.

Customers should have standard malware protection installed on their computers like antivirus programs and firewalls if they use financial software, Vladimir Kurlyandchik, head of business development at ARQA Technologies, said Thursday via email. "This is our standard recommendation."

Customers who suspect that their accounts might have been accessed without authorization should immediately change their access keys, he said.

According to Kurlyandchik, the QUIK software supports several mechanisms that can prevent account hijacking. This includes the ability to restrict access only to certain IP (Internet Protocol) addresses, as well as two-step authentication via SMS or RSA SecureID tokens.

Clients and brokers can choose the best option suited for their situation, Kurlyandchik said. The brokerage firms can also use some tools to monitor activity and block access to suspicious IP addresses, he said.

However, even if such security features are available it doesn't necessarily mean that everyone is using them. There are many ways to extract funds from online trading accounts because of poor anti-fraud protection on the server side, said Andrey Komarov, the head of international projects at Group-IB.

For example, FOCUS IVonline is normally used through an encrypted VPN (Virtual Private Network) channel provided by a Russian security product, but this is not enough and hackers can still easily abuse the software, Komarov said. The malware can use remote access tools like VNC or RDP to allow attackers to connect through the victim's computer.

Most of these specialized trading applications are well designed and have good security, but they are installed in untrusted environments, so it's hard to protect them, Komarov said. The customer's PC security is the main issue, he said.

There have been previous reports of hackers compromising online brokerage accounts. Those attacks primarily used form grabbers and Web injects like those seen in online banking malware, Komarov said.

Targeting online trading accounts is part of a big and growing trend for cybercriminals, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags Group-IBsecurityAccess control and authenticationDesktop securityspywareARQA TechnologiesEGAR Technologymalwarefraud

More about AlfaRSATechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place