Yummba Webinject Tools Excerpts l Stateoftheinternet



akamai’s [state of the internet] /

Yummba Webinject Tools: A Cybersecurity Threat Selected excerpts

Akamai’s Prolexic Security Engineering and Response Team (PLXsert) recently published a Threat Advisory alerting banks and other financial institutions to a new high-risk cybersecurity threat: the use of Yummba webinject tools in the commission of banking fraud. The Yummba Webinject Tools Threat Advisory explains webinject functionality and how webinjects work with co-resident malware, highlights potential targets and risks, and provides key steps for vulnerability mitigation.

In the fourth quarter of 2014, Akamai Technologies’ Prolexic Security Engineering & Response Team (PLXsert) detected the aggressive promotion and targeted use of new webinject tools by an individual or group using the name Yummba. Open source intelligence (OSINT) sources indicate the creator of the Yummba webinject tool is located in Russia.

A webinject is a framework that allows attackers to overlay or embed information in a legitimate webpage that misleads the customer into entering data that will be harvested for malicious purposes, allowing attackers to collect and exploit private information from financial services customers. Webinjects have also been incorporated into malware kits such as Zeus, SpyEye and KINS.

Yummba and Zeus: More dangerous together

The Zeus framework is a crimeware kit that is often used to harvest banking credentials. It is used to control compromised hosts (zombies) for many types of cyber crime, including distributed denial of service (DDoS) attacks and attacks customized for specific platform-as-a-service (PaaS) and software-as-a-service (SaaS) infrastructures, including financial institutions.

With the robust capabilities of Yummba custom webinjects, the Zeus malware is even more dangerous; the webinjects utilize the Automatic Transfer System (ATSEngine), which enables more complete and dynamic attacks along with a more advanced feature set. Once a user’s machine has been infected with a banking Trojan such as Zeus, and the webinjects file is configured, the user’s data is sent directly to the malicious actor’s command and control server (CC or C2) without the user’s knowledge. Other functions attempt to gather account information about the victim’s balances, security and more.
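As an added illustration, not code from the Akamai advisory or from Yummba, the check below shows one defender-side way to notice the behaviour described above: a webinject overlays extra inputs on a legitimate login form, so comparing the rendered form against the fields the institution actually ships exposes the injected ones. The baseline field list, the form id and the two HTML samples are constructed for the example.

```javascript
// Page-integrity check for injected form fields (added example, not from the advisory).
// In a browser this would read document.forms; here it parses an HTML string so it
// runs stand-alone in Node. The baseline below is a hypothetical bank login form.
const EXPECTED_FIELDS = {
  login: new Set(["username", "password", "csrf_token"]), // constructed baseline
};

// Extract each <form id="..."> block and the input names declared inside it.
function extractForms(html) {
  const forms = {};
  const formRe = /<form\b[^>]*\bid="([^"]+)"[^>]*>([\s\S]*?)<\/form>/gi;
  const inputRe = /<input\b[^>]*\bname="([^"]+)"/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const names = [];
    let i;
    while ((i = inputRe.exec(m[2])) !== null) names.push(i[1]);
    forms[m[1]] = names;
  }
  return forms;
}

// Return every field on the page that the baseline does not account for.
// An unknown form id is reported too, since webinjects may add whole forms.
function findInjectedFields(html, expected = EXPECTED_FIELDS) {
  const findings = [];
  for (const [formId, names] of Object.entries(extractForms(html))) {
    const allowed = expected[formId];
    if (!allowed) {
      findings.push({ form: formId, field: null, reason: "unknown form" });
      continue;
    }
    for (const n of names) {
      if (!allowed.has(n)) findings.push({ form: formId, field: n, reason: "unexpected input" });
    }
  }
  return findings;
}

// Constructed samples: the legitimate page, and the same page after an inject
// has appended prompts for data the bank never asks for at login.
const CLEAN_PAGE = `<form id="login" method="post">
  <input name="username"><input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc"></form>`;
const INJECTED_PAGE = CLEAN_PAGE.replace(
  "</form>",
  '<input name="atm_pin"><input name="card_number"></form>'
);

// Runs the check on both samples; the clean page yields no findings.
function demo() {
  return { clean: findInjectedFields(CLEAN_PAGE), injected: findInjectedFields(INJECTED_PAGE) };
}
```

A production deployment would ship the baseline with the page (or compute a hash of the expected form markup) and report findings to the institution's fraud team rather than to the user, since the infected browser cannot be trusted to display a warning.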

PLXsert identified more than 100 companies with active injects available in the wild. The most likely targeted companies are larger financial institutions in North America and Europe. Attacks-for-sale come with a wide range of features; the most advanced feature set utilizes the ATSEngine for automated wire transfers to an attacker-controlled account. The attack targets included dozens of banking and financial services sites, along with multiple ecommerce sites and social media platforms.

PLXsert predicts that the underground crimeware ecosystem will continue to target financial institutions and streamline illegitimate operations without end users’ knowledge or consent.

Get the full Yummba Threat Advisory at www.stateoftheinternet.com/yummba for a full analysis and mitigation techniques. The Yummba Webinject Tools Threat Advisory includes PLXsert’s analysis and details, including:

• How webinjects work
• Co-resident malware, such as Zeus and ATSengine
• Potential banking targets
• Analysis of the code
• Types of data stolen
• Vulnerability mitigation tactics, including user awareness, system hardening, deep packet inspection and community cleanup

About stateoftheinternet.com

Stateoftheinternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, cyber-attacks and threats. Visitors to stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.