An insider view of a Russian cybercrime infrastructure

How to steal access to over 500,000 bank accounts: The insider view of a Russian cybercrime infrastructure

Proofpoint security researchers have published an analysis that exposes the inner workings of a cybercrime operation targeting online banking credentials for banks in the United States and Europe. This Proofpoint research report provides a detailed and rarely seen inside view of the infrastructure, tools and techniques that enabled this cybercrime group to infect over 500,000 PCs.

Key facts from the Proofpoint analysis:

  • Russian-speaking cybercrime group targeted primarily US-based systems and online banking accounts.
  • Qbot (aka Qakbot) botnet of 500,000 infected systems sniffed ‘conversations’ – including account credentials – for 800,000 online banking transactions, with 59% of sniffed sessions representing accounts at five of the largest US banks.
  • The attackers compromised WordPress sites using purchased lists of administrator logins, with which they were able to upload malware to legitimate sites in order to then infect clients that visited these sites. Many of these WordPress sites also run newsletters, which the attackers leverage to distribute legitimate but infected content.
  • Windows XP clients comprised 52% of the infected systems in the cybercrime group’s botnet, even though recent estimates place the Windows XP install base at 20-30% of business and consumer personal computers. Microsoft ended patch and update support for Windows XP in April 2014.
  • The cybercrime group used compromised PCs to offer a sophisticated, paid proxying service for other organized crime groups. The service turns infected PCs into an illicit ‘private cloud’ for attackers, as well as infiltration points into corporate networks.

The report also includes details on operating systems most compromised by the attackers, as well as specific guidance to WordPress site owners on how to detect infections and harden their sites against similar attacks.

Download this complimentary report to learn more about this cybercrime operation, including screenshots of the actual architecture, as well as examples of code and techniques that the cybercriminals are using to compromise vulnerable websites and take over the PCs of unsuspecting visitors to legitimate URLs…in a matter of seconds.

Credits: Wayne Huang, Sun Huang, Alex Ruan, G. Mladenov, Jordan Forssman, Martin Chen, Lance Chang, Allan Ku, Jeff Lee, Aryan Chen, Tom Kao, Chris Iezzoni