Malware uses email to target bank customers with business accounts, IBM cybersecurity researchers say
Cybersecurity researchers at IBM Corp. said Thursday they have discovered a new type of malicious software that has been used to attack customers of 22 U.S. banks and two in Canada.
The attacks have resulted in the theft of roughly $4 million in the first few days of April, the researchers said.
The malware is targeting bank customers with business accounts, mostly at banks in the U.S., according to a blog posting on IBM X-Force, which is part of IBM’s security business. The malware also focuses on credit unions and “popular” e-commerce platforms.
IBM Security didn’t identify the institutions, but said they have been alerted to the incidents and have taken measures to stop the attacks.
Unlike other recent attacks that are aimed at the bank directly or its employees, the latest incidents use email to target account holders, said Etay Maor, executive security adviser at IBM Security. The malware is installed when the account holder clicks on an email link or attachment and remains dormant until the victim logs onto his bank account.
The malware can then access information in multiple ways, recording keystrokes or even taking pictures of the bank account screen.
“It all happens without the user seeing anything,” Mr. Maor said. The malware can also send the victim emails that appear to come from the bank.
The malware, called GozNym, is a hybrid of two other types of malware “that takes the best of both,” according to the blog post. It combines two techniques that are used to infect devices and steal data, making it easier for criminals to attack.
The attackers are believed to originate from a criminal organization in Eastern Europe, Mr. Maor said.