Russian Cybercriminals Aim At U.S. Bank Accounts; Malware Infects ATMs

An organized cybercriminal campaign has taken control of thousands of accounts from at least five of the largest U.S. banks and a threat to ATMs has spread to locations in the U.S., according to two new threat reports issued this week.

Solution providers tell CRN that the latest threat reports from Sunnyvale, Calif.-based Proofpoint and Russian antivirus vendor Kaspersky Lab illustrate the unrelenting attacks against the infrastructure and back-end systems supporting banks and other financial industry businesses and their customers. The level of sophistication behind the attacks, and the measures being used to foil digital forensics investigators and law enforcement trying to trace attacks to their source, also demonstrate the increasing wherewithal behind organized cybercriminal gangs in Eastern Europe and Russia.

Analysis of the Qbot botnet conducted by Proofpoint uncovered at least 500,000 infected PCs and a sustained campaign believed to be conducted by a Russian organized cybercriminal gang, according to Wayne Huang, a noted threat researcher and vice president of engineering at Proofpoint.


Huang and his team said the attacks have been successful in obtaining the account credentials of as many as 800,000 online banking accounts. The attackers also purchased email addresses and other personally identifiable information on victims in underground cybercriminal forums to support their campaign, according to his report. The attacks are highly automated but infect victims using exploits that target vulnerabilities in Microsoft Internet Explorer, Java, Adobe Flash and Adobe Reader that are four years old or more.

"Best practices have expanded so that simply detecting and blocking known malware and known malicious URLs are no longer sufficient," Huang said in the report.

The attackers set up attack platforms by hijacking legitimate websites, compromising WordPress sites using stolen admin passwords. Visitors to those sites had their systems scanned for vulnerabilities and exploited, giving the attackers an initial entry point from which to take control of the PC.

"[The attack chain] is designed to establish a foothold on the system so that any number of different pieces of malicious software can be downloaded in order to carry out criminal activities ranging from banking account theft to secret communications and transfers, to distributed denial of service (DDoS), to ransomware and any other activity that represents an opportunity to monetize that infected system," Huang said in the report.

The U.S. financial industry has been roiled in recent months with a barrage of credit and debit card breaches at large retailers. Last week, JPMorgan Chase revealed that its breach impacted 76 million households and 7 million businesses. While the attackers didn't gain account credentials or bank account information, solution providers say the data can be used in social engineering attacks. Thousands of Florida users were targeted this week in a campaign that uses SMS text messages to direct victims to a phony JPMorgan Chase website with a username and password prompt, according to Adaptive Mobile.

The attackers are gaining aptitude quickly, said Chris Camejo, director of consulting and professional services at NTT Com Security. Stolen administrator account credentials could have been used to gain access to the JPMorgan Chase data and, if true, the breach validates that businesses need to gain control of employee privileges, he said.

"Even though the results of this breach don't appear catastrophic, it shows that this is a realistic risk vector," Camejo said. "I also wouldn't be surprised if another announcement comes out in the future revealing that more information was accessed on another system; that's often how these things go. Reconstructing a breach can take time."


The Russian criminal group documented by Proofpoint also used a criminal toolkit called SocksFabric, which enables attackers to establish encrypted communications and transfer stolen data, according to the Proofpoint report issued Tuesday. The proxying service was established and strengthened by the Qbot botnet and rented out as a "private cloud" to other criminal groups, Huang said.

"Attackers have the financial and technical means to infect an almost unlimited number of legitimate websites, above and beyond the more easily identifiable malicious or suspicious sites that traditional defenses are designed to detect and block," according to the report.

Three-quarters of the websites compromised by the group were in the U.S., and many of them were running on outdated operating systems and poorly patched content management system components, according to the Proofpoint report. Windows XP clients comprised 52 percent of infected systems in the crime group's Qbot botnet, Proofpoint said.

Meanwhile, Kaspersky Lab conducted further research into the Tyupkin malware being used in a wave of attacks initially targeting ATMs in Eastern Europe. Only 50 ATMs have been targeted worldwide, according to Kaspersky Lab, but the list of locations is spreading from Eastern Europe and Russia to China, India and ATMs at five locations in the U.S.

"The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure," according to the Kaspersky Lab report. "The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently."

The Tyupkin attacks require direct access to the ATM and work against a major manufacturer of ATMs running an embedded version of Microsoft Windows. If successful, the attacker can hijack the system and siphon cash directly from the machine, according to the Kaspersky Lab report issued Tuesday.

Both attacks demonstrate the need to keep systems maintained with security updates and other patches, say solution providers. Microsoft discontinued support of Windows XP in April. End users also need to establish strong passwords for business and personal accounts and establish two-factor authentication for online services that support it.

An advanced attack usually involves more than a single event, said Brad Taylor, CEO of Irvine, Calif.-based managed security services provider Proficio. Financially motivated attacks are beginning to take shape in an advanced way, using targeted social engineering, multiple stages and different pathways to get access to the lucrative information, Taylor said.

"What we've seen in the industry is that most PCI auditors are taking a forward stance and telling retailers to install configuration-level monitoring at workstations and computers," Taylor said. "They also need to have a firewall at every retail store."