This is the fifth and last part of this blog series. The earlier posts described an attack carried out by a well-organized cybercriminal group and how the group managed to steal a large amount of money from innocent people.
In this post we summarize the scale of the cyber-attack and what this group managed to accomplish.
In the past year, the cybercrime gang has developed and perfected the infrastructure of this widespread attack. From July until mid-November, the gang managed to infect approximately 30,000 machines, primarily based in the U.K.
Figure 1 pinpoints the geographic location of the victims. Every group of IPs that share the same geographical coordinates is represented by a marker. On average, every marker represents approximately 40 to 50 infected machines. You will notice that only a few infected computers are located outside of the U.K. Those computers are suspected to be Trojan test machines, or possibly users roaming outside of the U.K. During this timeframe, the cybercriminals, operating primarily in the U.K., managed to steal hundreds of thousands of euros from innocent people.
Figure 2 shows the geographic location of the IP addresses whitelisted by the manager of the system, so they stay protected from infection spread by this attack. We believe that these computers belong to the affiliates/collaborators.
According to the data we have collected, approximately €1 million has been stolen over a period of four months, from June to November 2011. With amounts that large, it goes without saying that the manager of this attack takes great pains to cover his or her tracks. The manager consistently removes the logs and money transaction records so that, if caught, it will be much harder to prove the total amounts actually stolen.
Some information about this scam is still missing. For example, the cybercriminals operate two banking Trojans (one is currently not active) that report to the following domains:
Interestingly, less than a year ago, users complained that while accessing bank websites, the browser also accessed the following websites:
The second server is still online and serving the malicious JavaScript that was injected into the Web pages of some of the banking websites.
Trustwave SpiderLabs researchers believe that we have uncovered only a small part of this cybercrime gang’s operation. We expect to see much more in the future.
Protection by the Trustwave Secure Web Gateway
The Trustwave Secure Web Gateway (SWG) helps protect users against this attack. It blocks access to Web pages carrying content injected by the Blackhole exploit kit. In addition, the file with a .jpg extension that is part of this attack, and is actually the configuration file of the Trojan, is blocked as spoofed content because its bytes do not match the image type its extension claims. Lastly, the Trustwave SWG blocks the Trojan executable itself because it is not digitally signed.
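To illustrate the "spoofed content" check described above, here is an added example (not Trustwave's code) of a gateway-style comparison between a download's claimed extension and its leading magic bytes; the URLs and byte blobs are constructed stand-ins, not artifacts from this campaign.

```python
# Added example: extension-vs-content check of the kind a web gateway applies
# to catch a Trojan configuration file disguised as a .jpg (not Trustwave's code).

# Leading byte signatures for the image types checked here (assumption: a real
# gateway keeps a fuller table; these are the well-known values).
IMAGE_MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}

def claimed_extension(path: str) -> str:
    """Lower-cased extension from a URL path or file name ('' if none)."""
    name = path.rsplit("/", 1)[-1].split("?", 1)[0]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def is_spoofed_image(path: str, body: bytes) -> bool:
    """True when the extension claims an image but the bytes do not match."""
    sigs = IMAGE_MAGIC.get(claimed_extension(path))
    if sigs is None:
        return False  # no image claim to verify; left to other policies
    return not any(body.startswith(sig) for sig in sigs)

def gateway_verdict(path: str, body: bytes) -> str:
    """Policy decision for one download: 'block-spoofed' or 'allow'."""
    return "block-spoofed" if is_spoofed_image(path, body) else "allow"

# Constructed samples (not real campaign artifacts): a genuine JPEG header
# followed by filler, and an opaque binary blob served under a .jpg name,
# which is the shape an encrypted configuration file takes on the wire.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32
FAKE_JPEG_CONFIG = bytes(range(0x10, 0x40)) + b"\x13\x37" * 8

if __name__ == "__main__":
    for url, data in [("http://example.invalid/img/photo.jpg", REAL_JPEG),
                      ("http://example.invalid/img/cfg.jpg?x=1", FAKE_JPEG_CONFIG)]:
        print(f"{url}: {gateway_verdict(url, data)}")
```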
Once again, we witness a large cybercriminal attack that is attributed to the same cybercrime gang responsible for the August 2010 Zeus Trojan that we reported in “Cybercriminals Target Online Banking Customers”. These cybercriminals continually seek new techniques for spreading malware, and eventually they succeed. They have managed to bypass every security layer on both the user’s PC and the banking fraud detection system.
The Trustwave Secure Web Gateway protects clients from being exploited by these cybercriminals by blocking the malicious Web pages presented in this scenario.