Hackers Grab 800,000 Banking Credentials

Could APT Attacks Be on the Horizon?
Hackers Grab 800,000 Banking Credentials

Malware-wielding attackers have compromised 800,000 banking credentials, predominantly from the five largest U.S. financial services firms, a new study warns. But they may also be preparing to launch APT attacks against financial institutions.

See Also: How to Mitigate Credential Theft by Securing Active Directory

The Russian-speaking attackers stole the credentials via "Qbot" malware that they installed on about 500,000 PCs, according to research published by cloud-based security firm Proofpoint.

To date, it's unclear how many of those stolen credentials have been used to commit fraud. But Proofpoint is warning consumers and financial institutions that 59 percent of the stolen credentials are tied to accounts at five of the largest U.S. financial services firms, which it's declining to name. About half of the infected PCs that comprise the botnet run Windows XP.

Security experts say an online banking credential theft of this magnitude isn't unusual, especially for banks that don't offer two-factor authentication. "I don't have much trouble believing that so many credentials or devices were compromised," says Al Pasucal, a financial fraud expert and lead analyst at consultancy Javelin Strategy & Research. "This is exactly why out-of-band authentication is so crucial, yet only 20 percent of the banks we examined this year offer it."

But Proofpoint also notes that some of the compromised PCs are inside financial institutions' networks, meaning attackers could potentially launch APT attacks against businesses from inside their own firewalls.

Automated Attacks, Updates

Here's how the attackers operate, according to Proofpoint. First, they compromise a large number of websites that run the WordPress content management system, and install malicious code. When a user visits one of the compromised WordPress sites, that code tries to exploit vulnerabilities in their browser or browser plug-ins to install the attacker's customized version of the Qbot malware. If the installation is successful, the malware can be used for a variety of purposes, including stealing data stored on the PC, intercepting online banking credentials, installing more malware, and turning the PC into a proxy server for attackers.

The entire operation is highly automated, beginning with hacking into servers that run WordPress, Wayne Huang, Proofpoint's vice president of engineering, tells Information Security Media Group. "They're buying large amounts of cPanel, FTP passwords and SSH passwords - and they have a script that automatically verifies which credentials work."

If, indeed, the credentials work, the attacker's script next injects a PHP-based web shell, which functions like a backdoor Trojan or remote-access tool, onto the site, and then alerts the attackers to the successful infection via a dedicated ICQ chat channel.

Attackers' scripts regularly submit a copy of the Web shell to the Scan4You.net site, Huang says, watching to see if the code is recognized as malware by any of the 35 anti-virus engines running on the site. Once Scan4You reports that five anti-virus engines classify the code as malware, the script informs attackers via the ICQ channel, then automatically re-obfuscates the attack code - to evade anti-virus scanner detection - and sends it to the infected nodes, instructing them to install the new code and delete the previous version. Then the whole process begins again.

Finding the malicious WordPress code on compromised websites can be difficult, Huang says, because the Web shell will typically be well-hidden. Furthermore, updating the WordPress installation or changing the admin password won't block attackers because of the persistence of the Web shell that's been installed. "But if you pay attention to - and dig into - your access logs, HTTP logs, then there's a good chance you'll find it, because you'll find [attackers] accessing really strange locations in your Web app," he says. "You'll say: 'Why are people from Russia accessing a strangely named PHP file somewhere?' So that's something we always look at, when we do incident response."

Russian Infrastructure

The identity of the attackers isn't known. But Proofpoint says the gang behind the attacks is Russian-speaking, has been in operation since at least 2008, and uses a number of different exploit kits for its attacks, including the Blackhole and Sweet Orange exploit kits, as well as a Qbot software development kit they've built. Proofpoint says all of the gang's code and code comments are written in Russian, and that most of the IP addresses it uses - as well as its proxy service - are based in Russia.

Proofpoint says the Qbot botnet appears to be used, in large part, for intercepting retail banking credentials, in part by sniffing HTTP and HTTPS traffic, and launching man-in-the-middle attacks. The malware also includes Web injection capabilities, allowing attackers to manipulate log-in and other banking pages. Qbot will also steal all the admin passwords it can find, so these passwords can be resold on black-market credential forums.

But attackers can also use the Qbot botnet to push and execute additional types of malware on each infected PC, as well as to turn that PC into a proxy server, via which they can attack other systems connected to the same corporate network, or launch Internet-borne attacks.

The Targets

About 75 percent of the total botnet traffic pertains to U.S. financial institutions, Proofpoint says. Huang says a majority of that traffic likely pertains to "ordinary customers" that are being targeted by attackers stealing their retail online banking credentials.

"Once the bad guy has a foothold, credentials are worthless and the device can no longer be trusted," says Javelin's Pascual. "Any access from the accountholder's device is suspect and device fingerprinting is ineffective when the attacker controls that device. Other solutions such as behaviometrics are a reasonable alternative to out-of-band, but they have yet to gain significant market share."

But the proxy service suggests attackers are trying to steal more than just retail banking credentials. For starters, the attackers can search for network segments, for example, to find out if one of the compromised PCs or servers has an IP address that corresponds with an IP address range for a particular financial institution. "If their node is in there, it means you can pay and proxy thorough this endpoint," Huang says. That means attackers can seize control of that machine, then use it to try and target the financial services network from within - or at least from a corporate PC or server.

"If I'm an APT attacker, these compromised endpoints are invaluable to me," Huang says. "I don't want to steal anybody's banking credentials, because I want to own the bank's database, and I want to target their C-level execs, and it's a lot easier for me to do that once I'm inside the corporate network."

Executive Editor Tracy Kitten contributed to this story.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network