Russian Cybercriminals Aim At U.S. Bank Accounts; Malware Infects ATMs


An organized cybercriminal campaign has taken control of thousands of accounts from at least five of the largest U.S. banks and a threat to ATMs has spread to locations in the U.S., according to two new threat reports issued this week.

Solution providers tell CRN that the latest threat reports from Sunnyvale, Calif.-based Proofpoint and Russian antivirus vendor Kaspersky Lab illustrate the unrelenting attacks against the infrastructure and back-end systems supporting banks and other financial industry businesses and their customers. The level of sophistication behind the attacks, and the measures used to foil digital forensics investigators and law enforcement trying to trace the attacks to their source, also demonstrate the increasing wherewithal of organized cybercriminal gangs in Eastern Europe and Russia.

Analysis of the Qbot botnet conducted by Proofpoint uncovered at least 500,000 infected PCs and a sustained campaign believed to be conducted by a Russian organized cybercriminal gang, according to Wayne Huang, a noted threat researcher and vice president of engineering at Proofpoint.


Huang and his team said the attacks have succeeded in obtaining the account credentials of as many as 800,000 online banking accounts. The attackers also purchased email addresses and other personally identifiable information on victims in underground cybercriminal forums to support their campaign, according to his report. The attacks are highly automated, but they infect victims using exploits for vulnerabilities that are four or more years old in Microsoft Internet Explorer, Java, Adobe Flash and Adobe Reader.

"Best practices have expanded so that simply detecting and blocking known malware and known malicious URLs are no longer sufficient," Huang said in the report.

The attackers set up attack platforms by hijacking legitimate websites, compromising WordPress sites with stolen admin passwords. Visitors to those sites had their systems scanned for vulnerabilities and exploited, giving the attackers an initial foothold from which to take control of the PC.

"[The attack chain] is designed to establish a foothold on the system so that any number of different pieces of malicious software can be downloaded in order to carry out criminal activities ranging from banking account theft to secret communications and transfers, to distributed denial of service (DDoS), to ransomware and any other activity that represents an opportunity to monetize that infected system," Huang said in the report.

The U.S. financial industry has been roiled in recent months by a barrage of credit and debit card breaches at large retailers. Last week, JPMorgan Chase revealed that its breach impacted 76 million households and 7 million businesses. While the attackers didn't gain account credentials or bank account information, solution providers say the data can be used in social engineering attacks. Thousands of Florida users were targeted this week in a campaign that uses SMS text messages to direct victims to a phony JPMorgan Chase website with a username and password prompt, according to Adaptive Mobile.

The attackers are gaining aptitude quickly, said Chris Camejo, director of consulting and professional services at NTT Com Security. Stolen administrator account credentials could have been used to gain access to the JPMorgan Chase data and, if true, the breach validates that businesses need to gain control of employee privileges, he said.

"Even though the results of this breach don’t appear catastrophic, it shows that this is a realistic risk vector," Camejo said. "I also wouldn’t be surprised if another announcement comes out in the future revealing that more information was accessed on another system; that’s often how these things go. Reconstructing a breach can take time."
