
Carbon Copy


February saw The Big Carbon Robbery. I explained this unorthodox cash-out method here; it’s quite simple, really. Every EU country has a carbon emission quota; every polluting manufacturer within that country buys carbon emission licenses on a trading platform. These licenses are expensive, and if you just steal the user name and password for accessing these accounts, you can sell the license and get away with the money.

Now it seems like some confidential trader data was exposed online, which will give the cybercriminals an excellent target list as it provides them with the carbon allowances trade volumes. They can also learn about trade patterns so they can hide their own transactions within innocent trades.

I guess that most companies who fell for the phishing attack in February have warned the relevant employees about the risks of responding to such phishing emails, and reported to their senior management that they have contained the situation.

They haven’t.

That’s because RSA now sees Trojans configured to trigger whenever someone accesses any of the EU trading platforms, record the access credentials, and send them to the Trojan mothership.

Meet the Nimkey Trojan (aka Chilkat), which is believed to be authored and maintained by an East European crime ring. Nimkey targets a wide range of financial institutions, but there’s a very interesting section in the trigger list that caught our attention.

The trigger list tells the Trojan which websites are more interesting than others; when the Trojan is triggered, it will record all communications with the website.

So when we saw a bunch of non-financial targets triggered by Nimkey, we checked them out, and each turned out to be the trading platform website of one of the EU countries. In fact, we are talking about EVERY country in Europe, with the exception of Liechtenstein (hey, what’s wrong with Liechtenstein carbon?)

What does this mean?

It means the Nimkey operators have a way to monetize these accounts, and plan to do so. If you get infected with Nimkey and you happen to work for one of the companies involved in the trading, you’re basically a walking pot of gold – and the Nimkey folks are very interested in your access credentials.
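A defender who obtains a recovered trigger list can check whether their own login pages fall under it. The sketch below is an added example, not code from the original post or from RSA; it assumes a hypothetical format of one `*`-wildcard URL pattern per line (the post does not describe Nimkey's actual format), and every host in it is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: placeholder hosts under .example, not real indicators.
TRIGGER_LIST = """
*bank.example/login*
https://registry.example/*
*://*.carbon.example/*/logon.do*
"""

WATCHLIST = [  # URLs your organisation operates or depends on (constructed)
    "https://Registry.example/account/signin",
    "https://www.carbon.example/ets/logon.do?lang=en",
    "https://intranet.corp.example/wiki",
]

def compile_pattern(pattern):
    """Turn a '*' wildcard pattern into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.strip().split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)

def normalise(url):
    """Lower-case scheme and host, drop default ports and fragments."""
    s = urlsplit(url.strip())
    host = (s.hostname or "").lower()
    if s.port and (s.scheme.lower(), s.port) not in (("http", 80), ("https", 443)):
        host += f":{s.port}"
    path = s.path or "/"
    query = f"?{s.query}" if s.query else ""
    return f"{s.scheme.lower()}://{host}{path}{query}"

def covered_urls(trigger_text, watchlist):
    """Map each watchlist URL to the trigger patterns that would match it."""
    patterns = [p.strip() for p in trigger_text.splitlines() if p.strip()]
    compiled = [(p, compile_pattern(p)) for p in patterns]
    hits = {}
    for url in watchlist:
        norm = normalise(url)
        matched = [p for p, rx in compiled if rx.match(norm)]
        if matched:
            hits[url] = matched
    return hits

if __name__ == "__main__":
    for url, pats in covered_urls(TRIGGER_LIST, WATCHLIST).items():
        print(f"{url} is covered by: {', '.join(pats)}")
```

Any hit means credentials typed into that page on an infected machine should be treated as exposed, which is a reason to rotate them and to review recent account activity.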

So it’s not just online banking, P2P payments and credit cards that cybercriminals can monetize. Stocks are a target as well, and auction sites, and telco companies, and insurance website credentials, and carbon emission licenses, and the list will grow as time goes by.

Anyone care to add a non-trivial target they came across?

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
