Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:30 AM
Connect Directly
Twitter
RSS
E-Mail

How One Criminal Hacker Group Stole Credentials for 800,000 Bank Accounts

Proofpoint report shows how one Russian-speaking criminal organization hides from security companies.



A closer peek at a Russian-speaking crime group that has lifted credentials for as many as 800,000 online banking accounts, shows more evidence of the growing sophistication of the cybercrime infrastructure. A new report from Proofpoint describes how one organization employed third-party services, used technology and services to dynamically adjust to business challenges, and even created alternate revenue streams for itself.

The attackers began by buying lists of stolen administrator logins for WordPress sites from an underground marketplace. They then uploaded malware to those sites.

[For more on cyber attacks, check out: What Banks Can Learn From the Target Breach.]

The attackers wouldn't serve up malware to just anyone who visited those compromised sites. First, they'd use a traffic distribution system filter (TDS) to check whether or not the incoming browser was a good target -- vulnerable, located in an attractive location, and not run by a security company scanning for nefarious activities. Further, they employed a third-party obfuscation service, Scan4U, to help avoid the notice of security companies.

Once a visiting browser was deemed satisfactory, the attackers would exploit the browser or one of the browser's plug-ins, and infect the client machine with a malware dropper via drive-by download. More clients were infected by distributing malicious content through the sites' email newsletters.

Over 500,000 client machines are infected, according to Proofpoint, but they estimate that as many as 2 million may have been compromised over the attack's full lifecycle.

Once the malware dropper was downloaded onto the client machine, the attackers would push down the actual payload -- usually the Qbot banking Trojan, but attackers could use the dropper to push out multiple pieces of malware to each host...

Read the full story on Dark Reading.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Copyright © 2018 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service