“Hello friends. I am ready to sell you a botnet.” So begins the description of a link found in Google when searching for information about today’s exploits.

The botnets on offer are built from highly evolved keyloggers – programs that lie in wait on a computer system until the user accesses an online banking web site. URLZone, a recent exploit reported by Finjan, transfers money out of the victim’s bank account and hijacks just enough of the banking web page to display innocent-looking transaction details online.

That’s just the tip of the iceberg. You see, URLZone not only steals money – it steals precise amounts at intervals calculated to evade current anti-money laundering systems. And there are thousands of infected computers, a true botnet army, prepared to defend itself if attacked by law enforcement. Here’s how it works:

Step 1: Crimeware Available Online

Gone are the days when crimeware was the hand-coded concoction of a warped cyber genius. Today’s crimeware is available in online hacking forums for $100 – $300. Pay up, select your crime ‘parameters’ and sit back while the money flows your way. According to one research company, URLZone attacks have netted as much as $30,000 in one day.

Step 2: Corrupting Web Sites

Before URLZone can log a single keystroke on an end user’s computer, it has to be installed. The criminals used another exploit – LuckySploit – for this stage of the crime. LuckySploit corrupts legitimate websites with code that attempts to install another exploit on end-user computers. LuckySploit itself requires vulnerable web servers to do its dirty work. If web server operators kept their software up to date, LuckySploit and URLZone would be much harder to spread.

Step 3: Infecting the Victims

Web pages corrupted by LuckySploit attempt to install URLZone on end users’ computers. Relying on vulnerabilities in unpatched versions of Internet Explorer, Firefox and Opera, LuckySploit infected one in 15 computers that visited the corrupted pages with the URLZone key-logging virus. Similar to step 2 above, keeping home and office computers up to date with the latest software patches is the best protection against infections.

Step 4: Entering the URLZone

Most of the time, URLZone does little more than watch keystrokes on the infected computer. This behavior changes once the user accesses an online banking web site. URLZone sends encrypted messages to a computer controlled by the cyber criminal. This computer instructs the victim’s machine to transfer an exact amount of money from the victim’s account to a third-party ‘mule’ account. The infected computer also takes a screenshot of the victim’s online banking screen to help hide the theft (see Step 6 below).

Step 5: Money Mules

The mule account owner receives the stolen money and passes it, minus a ‘commission,’ to the criminal. Mules are often innocent account holders who have been duped into thinking they are performing a legitimate service from their homes. To avoid detection by the bank’s anti-fraud systems, mule accounts are used sparingly. The mule arrangement helps obscure the link between the criminal and his victim.

Step 6: Obscuring the Online Record

If account holders pay any attention to their bank accounts, they tend to look online. URLZone has this angle covered, too. Remember the screenshot taken of the victim’s online banking screen back in Step 4? URLZone uses it to present an altered view of the victim’s bank account, but only on the victim’s compromised computer.

It works so well because very few people check their bank transactions from other computers. And hardly anyone examines their printed statements. It’s been months since I opened mine!

We could so easily thwart the URLZone exploit. But doing so would require vigilance on the part of customers as well as the web server companies. That’s not popular in today’s convenience-driven consumer culture.

But if we want a safe Internet banking channel, our attitude toward vigilance and convenience may have to change. If not, the cyber criminals will only get better at beating us at our own game.

URLZone Perfects Online Crime

by Banker & Tradesman