Phishing Trojan Targets Russian Finance Websites

By Andrew Brandt


For a long time, we’ve heard about phishing attacks originating in Russia or eastern Europe that target western banks. There’s nothing surprising there. Latter-day Willie Suttons typically target big US or European banks because, well, that’s where the money is.

That’s why I was kind of surprised to stumble across a phishing Trojan that targets some of Russia’s largest online financial websites, including RBK Money (formerly known as RUPay), Yandex, Moneymail, and OSMP — one of Russia’s PayPal alternatives. Aside from e-gold, I hadn’t seen this many Russia-specific websites listed as targets within a phishing Trojan before.

Is Russia suddenly “where the money is?” According to Forbes, it is. The magazine reported last year that its most recent list of the world’s richest people included 87 Russian billionaires — a year-over-year increase of 64% — and 136,000 millionaires. So, maybe it makes sense for the people who build these malicious tools to target Russian banks and online payment sites.

The Trojan belongs to a well-documented family called Trojan-Backdoor-Goldun. It’s designed to engage in a man-in-the-middle attack — that is, it sits on the infected machine waiting for the victim to log into one of the targeted websites, then records that information and passes it onward. It also scours the computer’s Protected Storage area — the place where Internet Explorer saves passwords when you click the checkbox to save them — and dumps the contents to a file.


If Russia’s in the phishers’ gunsights, could India be next? The Forbes report says India had the fastest growing population of millionaires in 2007, followed closely by China. Of course, these percentages can be deceptive. The US has slightly over 3 million millionaires.

I guess we’re not out of the woods yet.