Anthem Hack: Is the Healthcare Industry the Next Big Target?

Anthem Inc., the second largest health insurer in the US, has suffered a security breach to its databases. According to media reports, the breached database contains information from approximately 80 million individuals. Although medical records appear not to be in danger, names, birthdays, social security numbers, email addresses, employment information and more have been compromised.

Anthem described the hacking as a “very sophisticated attack,” and the company reported it to the FBI and even hired a cyber security firm to help with the investigations. However, the extent of the stolen data is still being determined. In addition, there is no concrete information regarding the perpetrators and the modus operandi (MO) of this cyber-attack.

In February 2014 we wrote that cyber criminals are shifting their focus from the financial industry to the healthcare industry, which has become an easier target. Healthcare records contain a wealth of valuable information for criminals, such as social security numbers and personal information. This information can sometimes prove more valuable than credit card numbers, which the financial industry is working hard to protect.

In 2013, at least twice as many individuals were affected by healthcare data breaches as in the previous year, owing to a handful of mega-breaches in the industry. According to a cyber security forecast, published at the end of 2013, the healthcare industry was likely to make the most breach headlines in 2014. However, it appears that 2014 was the year in which American retailers suffered massive data breaches (Home Depot, Staples, Kmart, and of course Target at the end of 2013).

We should consider the Anthem hack as a warning sign for all of us – the healthcare industry might be the prime target for cyber criminals in 2015. We already know that PII (Personally Identifiable Information) and PHI (Protected Health Information) sales on black markets continue to rise. Such underground marketplaces are being used as a one-stop shop for identity theft and fraud. Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Here at SenseCy, we monitor on a daily basis the usage of breached medical information on underground forums and Darknet platforms.

We believe that this industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to people’s lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist groups, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong: alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Figure: categories of malware and services offered for sale on Russian-speaking underground forums in 2014

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Figure: average price of tools offered for sale in 2014, by category (USD)

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to steal login details for banking sites via mobile devices was also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility for both the seller and the buyer. Most financial malware is sold in this format – meaning, the various modules responsible for the malware’s activity can be purchased separately: a Formgrabber module, a Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that forum members see a strong potential for profit in this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware for both PCs and laptops.

Additional trends and insights are detailed in the full report.

Spotlight on the Russian Underground Infrastructure

The media is in an uproar at present, reporting on one cyber incident after another. Adobe, Target, Neiman Marcus, Home Depot, JP Morgan – these breaches are just the tip of the iceberg in the cybercrime arena. The Russian underground forums serve as fertile ground for planning cybercrime-motivated breaches worldwide – programming the malicious software, distributing it and sharing knowledge about the most profitable usage, selling the stolen data (such as credentials, etc.). Let us take a deeper look at the internal structure of these forums and the norms of behavior there.

Registration

While many forums have free registration, others require payment (cybercriminals never miss an opportunity to profit). Some of the forums that ask for registration fees do not contain useful information, and the fee is merely a farce, while for others, the fee is a means to keep poor or noob hackers away from the “big guy discussions.” Some of the forums ask potential candidates to fill out a detailed registration form, clarifying the exact capabilities/programming languages they know, while others go one step further and send different hacking tasks to the applicants, demanding proof of their professional level. Many forums have strict policies about filtering out registrants, and very few people are accepted.

Registration page in one of the underground forums

Communication

When it comes to personal contact between seller and buyer, the first choice is the Jabber messenger. Sometimes one of the sides will request OTR (Off-the-Record, a protocol that encrypts the conversation and leaves no trace of it) for Jabber. Exchanging messages via PM (private message), the private mailbox on each forum, is another popular means of communication. Users wishing to connect via Jabber are sometimes asked to authenticate themselves via private message beforehand, indicating the high level of confidentiality and security concerns.

ICQ is also used, although it is not very common and is perceived as a communication method for less experienced hackers.

Payment

On the underground, you will never see a payment method that would enable identification of the parties to the transaction. Naturally, no credit cards, PayPal accounts or money transfers are accepted – only virtual currencies are used. BTC (Bitcoin) is rather popular, as are PM (Perfect Money), LTC (Litecoin), WM (WebMoney) and other virtual currencies.

Escrow System

Most of the forums maintain a well-established system of escrow services provided by an official forum member appointed by the administrator. In exchange for a reward, usually a percentage of the transaction value, he mediates between the buyer and the seller, keeping the money until the goods are supplied. He also checks that the product offered matches its description.

Reputation Score

The reputation of the members is one of the pillars of Russian underground forums. Despite the fact that each forum has its own scoring system, all share a common principle: forum members rate each other, based on the threads they post. For instance, by providing useful advice or uploading malware, the author will receive more points. Another reputation booster is the number of posts, as well as seniority on the forum, which defines the status of the user: beginner, intermediate, specialist, etc. Certain threads are available only to members with a minimum number of posts.

Furthermore, some forums ask for monetary deposits that are displayed next to the user’s name, indicating his reliability. If monetary conflict arises, the sales thread will often be suspended until the issue is clarified. If no solution is found, the seller incurs a “ripper” status, thus losing the chance to sell anything ever again on the forum, unless he changes his nickname.

Member's profile in one of the underground forums

After the Russian Yandex and Mail.ru, Gmail Accounts are Leaked. Who will be Tomorrow’s Target?

This morning cyber security sources informed us for the third time this week about email addresses and passwords being leaked from a large mail provider. After the Russian services Yandex.ru (one million leaked emails) and Mail.ru (4.5 million leaked emails), came Gmail’s turn – around five million emails were posted on a Russian platform.

According to publications about the Gmail leak, the data was published on a Russian forum that focuses on bitcoin issues – Bitcoin Security. The forum member who uploaded the database is nicknamed tvskit, and he was the first one to publish the data online in all three of the cases.

A short search on the above nickname on social networks revealed a 34-year old man by the name of Ivan Bragin, from the Perm administrative center in Russia. His VK and Twitter pages contain plenty of information regarding crypto-currencies, in addition to a tweet about the Gmail leak linked to the BTC forum. From his posts, it seems that he did not directly connect himself to the leaks, nor did he take credit for stealing the data. Moreover, the story he tells is about running into these email lists on the web, then deleting the passwords and publishing them ‘for the greater good’. It is a strange coincidence that all three lists were found by the same person.

The fact that tvskit‘s real identity was so easy to find (he made no attempt to hide it), combined with the fact that the account list was initially published without the passwords (“just in order for people to check if their address was on the list”), makes us doubt that he stole the data.

According to several cyber security sources that analyzed the database, some of the compromised mail accounts were either automatically registered or were not active in the past. Nevertheless, some users of the above providers did confirm the authenticity of the logins and passwords.

Yandex and Mail.ru denied any kind of breach of their databases, so the leading hypothesis regarding the accounts’ origin is that all three lists were collected over a long period of time, from different sources, maybe along with other, less “attractive” data, that was later sorted by email provider and published online. In addition, we should also consider that at least some of the addresses are fictitious or not valid. At this moment, it is difficult to specify the exact number of addresses with a valid password.

Relying on the information above, we believe that all three lists were obtained by the same person (not necessarily tvskit), who managed to get hold of some valid logins and passwords and then mixed them with non-valid or automatically created addresses to intensify the scale of the leak.

A forum thread on the Bitcoin Security forum containing the leaked Gmail database
Ivan Bragin’s tweet linking to the forum post about the Gmail leak

MacroExp – a Combined Social Engineering and Exploit Attack

Combining an executable (usually malicious) file with a standard Word or Excel file, unbeknownst to the user, has always been an aspiration of cyber criminals. With such an asset, they could make the victim unwittingly install the malware, without raising his suspicions or triggering AV vendor alerts when running an executable file. For this reason, requests for such services are frequently posted on underground forums, as cyber criminals search for easy ways to spread their malware files. Occasionally, this demand meets a supply, usually highly priced due to the opportunities it provides.

On this occasion, while monitoring Russian underground forums, we came across an advertisement for an exploit that targets Microsoft Office Word via the Visual Basic for Applications (VBA) macro feature. The exploit, referred to as MacroExp v 1.0.5 by the seller, first appeared for sale two days ago (on August 11), for $1,000. The price includes the exploit builder, as well as further updates and technical support.

According to the description on the forum, the exploit binds an executable file with a .doc file, making the .exe invisible to the victim. It is compatible with all Microsoft Office Word versions (2000-2013), as well as Windows OS x86 and x64. Since the presence of the executable file is invisible, it is not detected by AV and IPS systems, or firewalls.

The disadvantage of the method, as described by the seller, is the pop-up of a macro-enabling alert required for the actual running of the executable file. He suggests overcoming this obstacle by using social engineering methods.

A week ago, Cisco reported this attack vector, detected by its researchers, in the wild. It was used in spear-phishing attacks in industries such as banking, oil, television and jewelry. The starting point involved sending a Word file written specifically for the recipient. When the document was opened, a macro alert popped up. Once macros were enabled, the document downloaded a malicious executable file and launched it on the victim’s computer.

It is difficult to say whether the same perpetrators are behind both attacks, or whether it is merely the same vector used in both cases. On the one hand, one of the CnC domains discovered by Cisco was registered seven years ago, which may indicate that the threat actor has been in operation since at least 2007. On the other hand, the seller connected himself to the Cisco report, claiming that the described attack is his project. Moreover, he mentioned that more than 20 clients were already using the exploit, and that this was not the first version since its release. The matter will become clearer as more cases are identified in the wild, combined with more feedback from buyers on the forum.

Screenshots of the exploit in action uploaded by the seller
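As an added defender-side example (not code from the post, from Cisco or from the seller's tool), the following Python triage script flags an OOXML Word or Excel package that carries a VBA project and an embedded PE executable, the combination the MacroExp listing and the Cisco spear-phishing cases describe. It assumes the modern zip-based container and constructs its own sample files in memory; legacy binary .doc files (OLE2) would need a separate parser and are not covered.

```python
"""Triage check for Office documents carrying VBA macros and/or an embedded
Windows executable. Added example; the sample documents are constructed."""
import io
import re
import zipfile

# A Windows PE file starts with the "MZ" DOS header and, in practice, carries
# the DOS stub message within the first few hundred bytes.
PE_DOS_STUB = re.compile(rb"MZ.{0,512}?This program cannot be run in DOS mode",
                         re.DOTALL)

# A VBA project inside an OOXML package is stored as word/vbaProject.bin
# (Word) or xl/vbaProject.bin (Excel).
MACRO_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)


def triage_ooxml(data: bytes) -> dict:
    """Return a verdict dict for an OOXML document supplied as raw bytes."""
    result = {"is_ooxml": False, "has_macro": False,
              "embedded_pe": [], "verdict": "unknown"}
    if not data.startswith(b"PK"):          # not a zip container at all
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = True
    for info in zf.infolist():
        name = info.filename
        if MACRO_PART_RE.search(name):
            result["has_macro"] = True
        # Scan every part, including embeddings/ and the VBA project itself,
        # for a PE image that a document has no legitimate reason to carry.
        if PE_DOS_STUB.search(zf.read(name)):
            result["embedded_pe"].append(name)
    if result["has_macro"] and result["embedded_pe"]:
        result["verdict"] = "macro+executable"
    elif result["has_macro"]:
        result["verdict"] = "macro"
    elif result["embedded_pe"]:
        result["verdict"] = "executable"
    else:
        result["verdict"] = "clean"
    return result


def build_sample(with_macro: bool, with_pe: bool) -> bytes:
    """Construct a minimal OOXML-like package in memory (demonstration only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 container; for the triage logic
            # only the part name matters, so a constructed stub is enough.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 100)
        if with_pe:
            # Constructed fake PE header: MZ magic followed by the DOS stub text.
            fake_pe = (b"MZ" + b"\x90" * 62
                       + b"This program cannot be run in DOS mode." + b"\x00" * 64)
            zf.writestr("word/embeddings/oleObject1.bin", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for macro, pe in ((True, True), (True, False), (False, False)):
        print(macro, pe, triage_ooxml(build_sample(macro, pe))["verdict"])
```

On a mail gateway the "macro+executable" verdict is a strong quarantine signal, while a bare "macro" verdict still deserves the user-facing warning the seller himself admits his tool cannot avoid.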

Financial Scams Involving POS Devices

POS attacks appear to have become both more frequent and more detrimental. These systems are considered “easy prey” for scammers because they are vulnerable in two respects: The first is the software aspect – POS terminals are based on popular operating systems and are connected to the Internet, thus serving as a target for infection by Trojans dedicated to data theft. The second is the physical nature of these kinds of systems – they are usually located in public places and are accessible to many people, facilitating the installation of malicious programs and components directly onto the POS terminals.

Russian-speaking platforms located on the web (forums) are known to be supporting grounds for the creation and development of a great deal of cybercrime the world over, and POS-related crime is no exception. This sphere of activity is included in the “real carding” forum topic that also deals with hacking ATM machines, installing skimming devices, hacking into ATM cameras for the purpose of recording PIN codes, etc. Below we summarize the main trends regarding POS systems that were discussed in the Russian forums in the last months.

Trade of Malware Targeting POS Terminals: While 2013 was a year of large-scale breaches via remote access to POS systems, since the beginning of 2014, we have not witnessed an inordinate number of discussions about the remote infection of POS devices, as a large part of them deal with the physical modification of POS devices. Nevertheless, we identified a sale of one new tool in May 2014, referred to by the seller simply as Dump Grabber.

Installing Firmware Components on POS Terminals: The sale of firmware components for different models of POS terminals is very popular on the underground, as is the sale of the complete terminal (ready for installation) already containing the firmware. The average price for a complete terminal is approximately $2,000, while firmware alone will cost around $700. The firmware collects track 1, track 2 and PIN code data while regular transactions are performed on the terminal, and then sends it to a specified destination.

An offer for the sale of a VeriFone POS terminal with installed firmware

Technical Discussions: It appears that since the infamous mega-breaches that occurred over the last year, this sphere has attracted a lot of cyber criminals, but some of them lack the technical skills necessary for success. They heard about the easy profits available in the area of POS terminals and are trying to familiarize themselves with the expertise required to make a profit via dedicated online platforms.

The two main issues recently discussed on the forums are obtaining PIN codes and bypassing the demand for chip identification. The energetic discussions that developed on these subjects may point to the difficulties they are facing in the area of POS-related cybercrime.

A forum member asks how to add a PIN requirement in POS transactions

Business Models of POS-Related Scams: It is extremely difficult for a single scammer to commit a financial crime exploiting POS terminals. These scams are usually performed by small groups of cyber criminals. If the modus operandi of the scam is the remote infection of POS devices, there is a high probability that the attack group will include three types of perpetrators: the malware coders, the malware spreaders and the purchasers of the dumps.

In case of a physical infection of the POS terminals, of the kind that requires the installation of firmware components or the replacement of the terminal itself, the cooperation of someone at the business point (a shop or a supermarket) will also be required.

A forum member offers a fake POS terminal for rent, in return for 50% of the profit

Protect your Mobile, or else – You Will Have to Pay Ransom for the Right to Use it Again!

Over the last couple of months, two major threats emerging from the constantly evolving cybercrime world have become more and more prominent. Cybercriminals are seeking new sources of profit, as the old ones become harder to exploit over time. Lately, we have noticed a new developing trend, a hybrid that combines the two trends described below.

The first trend on the rise is the targeting of Android systems. Although the subject is not new on underground platforms, and dedicated rooms for discussing vulnerabilities on Android were already opened a couple of years ago, we can definitely say that a big step forward has been made in recent months in this area.

Malware for Android is frequently seen on underground forums and uploaded to file-sharing platforms. Since the beginning of 2014 alone, we have monitored approximately ten malware tools for infecting Android devices, for example Dendroid, AndroRAT, iDroid (targeting both iOS and Android systems), Stoned Cat, etc. The modus operandi can differ, but the final target is always the same: monetary theft, whether by stealing credentials for mobile banking applications, sending premium SMS messages, or some other method. The infection technique also varies. It usually happens when the victim installs a new application that is actually the virus itself, obviously well-disguised as something harmless. Another infection vector is binding malicious code to a legitimate application. Finally, there are the good old emails and SMS messages containing a link that initiates the download of malware.

Dendroid’s Admin Panel
iDroid’s Admin Panel

The second trend is the growing number of ransomware viruses that lock the user’s computer and/or encrypt his files, then demand remuneration for restoring the computer to its initial state. The most infamous malware of this kind is Cryptolocker, but there are some more that we wrote about in the past.

If these two methods are profitable, why not combine them and increase the odds of earning more easy money? We recently noticed the sale of two “ransomware for mobile” products on the Russian underground. The first is called Block Android Mobile – offered alongside additional products by the same seller, such as Syslocker and BrowBlock. The seller and his services appeared on one of the closed Russian forums in February 2014, but the mobile ransomware was offered as a new function in April 2014. According to the seller, there are two APIs for this malware – the first redirects traffic to a landing page, where an automatic download of a malicious file occurs. The victim then has to run the APK file later. The second API injects the APK file directly, wherever the cybercriminal desires. A deeper analysis of this malware was provided on the Malware don’t need coffee blog, whose author came across its files in action.

Another ransomware for mobile is Tor Android Cryptolocker. This was offered for sale for US$5,000 about two weeks ago. Once installed on the mobile device, the malware blocks the screen, thus preventing its removal. At the same time, it encrypts all the files of a defined format that are found on the SD card and in the phone’s memory (including music, photos, videos, etc.). The victim is asked to pay a certain amount of WebMoney, and then his phone is unblocked. The author was offering only three copies for sale. According to our last check, two were already sold. This probably means that we will soon see this malware in action.

The blocking message sent by Tor Android Cryptolocker

Taking into account the important role that mobile phones play in our lives, this can be a very profitable means of extortion. Buying a new phone may not always be cheaper than paying hundreds of dollars to get the old one back. And there are also all those pics and videos (of extremely high emotional value) that we do not always back up, although it is widely known that we should. Cyber criminals can be good psychologists sometimes, and they can hurt us in the most painful places.

Where Does All the Data Go?

Written by Gal Landesman

We have recently learned of numerous data breaches targeting the healthcare industry that have exposed electronic personal healthcare information (ePHI). Just this month, a Chicago doctor’s email account, holding information on 1,200 patients, was accessed; a stolen laptop and flash drive jeopardized 2,500 patients’ data in Michigan; the investigation of the California Sutherland Healthcare Services data breach revealed that data pertaining to 338,700 individuals has been compromised; and La Palma Inter-community Hospital announced an old case of data breach involving one of their employees who accessed personal information without permission.

We are hearing about such incidents on an almost daily basis. Symantec even named 2013 the year of “Mega Breach”, with more than 552 million identities exposed this year. According to Symantec, the healthcare sector suffered the largest number of disclosed data breaches in 2013. They blame it on the large amount of personal information that healthcare organizations store and the high regulation standards requiring them to disclose data breaches. Still, the healthcare industry is one of the most impacted by data breaches this year.

Targeted data includes health insurance information, personal details and social security numbers. What could really happen if a patient’s personal data falls into the wrong hands?

Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Attackers could make fraudulent insurance claims, obtain free medical treatment or addictive prescription drugs for personal use or resale.

Cyber criminals are definitely eyeing medical records. These records can fetch about $60 apiece on the black market, according to Norse-SANS, who published a detailed report on the issue this February, claiming that such records are even more valuable than credit card information because they present criminals with greater opportunities for exploitation, such as insurance and prescription fraud. Norse-SANS identified a large volume of malicious traffic in their analysis of healthcare organization traffic.

Another example of interest was published by the Wall Street Journal, days before the Norse-SANS report, featuring valuable network information of healthcare facilities that was dumped on 4shared.com (a file-sharing site), including firewall brand, networking switch, Internet addresses of wireless access points, blueprints of the facilities, locations of PCs and printers, and encryption keys, usernames and passwords that could be used for network access.

Here at SenseCy, we successfully traced the usage of breached medical information on underground forums and the DarkNet. The following are some examples of prescription drugs for sale on the underground:

Someone is offering Clonazepam (Klonopin), which affects chemicals in the brain, for sale:

Screenshot of the Clonazepam offer

Another vendor offers different drugs, including ADDERALL-IR, a psychostimulant pharmaceutical drug, and Percocet, a narcotic pain reliever (containing opioid):

Screenshot of the ADDERALL-IR and Percocet offer

Information for sale:

Screenshots of personal information offered for sale

Original prescriptions for sale:

Screenshots of original prescriptions offered for sale

Exploiting the World of WebMoney

The appearance of virtual money has worked in favor of cyber criminals. The level of anonymity provided by crypto currencies is significantly higher than in real money transactions, and leaves much more room for performing illegal activities.

The first and most obvious way to exploit WebMoney and earn an easy profit is to mine virtual currencies via botnets specifically created for the purpose. The underground is awash with different mining bots, miners and mining Trojans for sale (downloads are also available), all of which are designed to infect the PCs of naive users and exploit their CPU/GPU resources to mine the precious coins. The price range varies widely, starting at $50-$100 for a build of a simple Bitcoin/Litecoin miner, to $400-$500 for more sophisticated malware capable of mining a wider variety of virtual currencies (such as Namecoins, Dogecoins, QuarkCoins, etc.), and reaching $1,000-$1,500 for complete mining kits that can mine coins on processors or video cards, contain a UAC bypass and a web panel for statistical management of the bots, are signed with a digital certificate, and more.

Litecoin mining bot
“Diamond Axe”, another mining bot

The abundance of different mining platforms identified over the past year has created some difficulties for those making a living in this area. Prices dropped due to the increase in supply, while in parallel, the miners became more detectable by AV vendors, as a large number of them operate by the same mechanism. We identified forum threads from members looking for alternative methods of money-making, stressing their preference for malware capable of virtual money theft.

This can perhaps shed some light on the shift in the activities of cybercriminals in this area – from creating mining botnets, to stealing coins from web wallets. Indeed, in the last month alone, we identified three different stealers of Bitcoin wallets: *coin Grabber, Stealer Coins and Wallet Stealer. While the tools are not very sophisticated, they can cause a great deal of damage. *coin Grabber is designed to steal data (files and passwords) from Bitcoin-QT, MultiBit, Armory and Electrum wallets during the transaction process, and costs $500. Stealer Coins is supposed to search for and steal Bitcoin wallet files and send them to an FTP server, and is sold for $250. The Wallet Stealer is capable of stealing different kinds of WebMoney (not only Bitcoins) from Armory and MultiBit wallets and of bypassing UAC, and it costs $600.

The Administration Panel of *coin Grabber

In conclusion, we should mention again the three injection codes for Bitcoin exchanges that were found on one of the Russian underground forums (we wrote about this in detail about a week ago). This code replaces the values of the send-to-address, send-value and send-button elements, thus exploiting a vulnerability on the exchange website.

As time goes by, we are witnessing the evolution of more and more cybercrime tools aimed at the relatively young but very profitable area of web currencies. The simple, easy methods are being abandoned for more complicated ones and new trends are popping up, as in other spheres of the dynamic cyber crime world.