How Cyberthieves Were Able To Steal 500,000 Bank Credentials

More bad bank security news. It seems that a group of “Russian-speaking attackers” stole a wide range of bank security credentials using Qbot malware that was installed on some 500,000 bank PCs, according to a report in Bank Info Security, which cites a report from cloud security vendor Proofpoint.

“Proofpoint is warning consumers and financial institutions that 59 percent of the stolen credentials are tied to accounts at the five largest U.S. financial services firms: JPMorgan Chase, Bank of America, Citigroup, Wells Fargo and Bank of New York Mellon. About half of the infected PCs that comprise the botnet run Windows XP. Proofpoint also notes that some of the compromised PCs are inside financial institutions’ networks, meaning attackers could potentially launch APT attacks against businesses from inside their own firewalls,” the story said.

The story quoted Wayne Huang, Proofpoint’s vice president of engineering, saying, “They’re buying large amounts of cPanel, FTP passwords and SSH passwords – and they have a script that automatically verifies which credentials work.” The next move is to inject “a PHP-based web shell, which functions like a backdoor Trojan or remote-access tool, onto the site, and then alerts the attackers to the successful infection via a dedicated ICQ chat channel. Attackers’ scripts regularly submit a copy of the Web shell to the Scan4You.net site, Huang says, watching to see if the code is recognized as malware by any of the 35 anti-virus engines running on the site. Once Scan4You reports that five anti-virus engines classify the code as malware, the script informs attackers via the ICQ channel, then automatically re-obfuscates the attack code – to evade anti-virus scanner detection – and sends it to the infected nodes, instructing them to install the new code and delete the previous version. Then the whole process begins again.”

Although the attackers do a good job of hiding their tracks, Huang said they do leave plenty of clues, if you look carefully enough. “But if you pay attention to – and dig into – your access logs, HTTP logs, then there’s a good chance you’ll find it, because you’ll find [attackers] accessing really strange locations in your Web app. You’ll say: ‘Why are people from Russia accessing a strangely named PHP file somewhere?’ So that’s something we always look at, when we do incident response.”
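A defender-side illustration of the access-log review Huang describes, added here as an example and not taken from the article or from Proofpoint: it parses combined-format web-server log lines (constructed samples, not real traffic) and flags requests to PHP files that are outside a hypothetical allowlist of the application's own entry points and that either sit in content directories or carry random-looking names.

```python
import re
from collections import Counter

# Apache/nginx "combined" log line: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines; the last two model the "strangely named PHP file" pattern.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2014:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5124 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2014:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2014:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:57:12 +0000] "POST /images/x7f9a2b.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2014:13:58:30 +0000] "GET /images/x7f9a2b.php?c=id HTTP/1.1" 200 812 "-" "Mozilla/4.0"
"""

# Hypothetical allowlist of PHP entry points the application legitimately serves.
KNOWN_PHP = {"/index.php", "/wp-login.php", "/wp-admin/admin-ajax.php"}
CONTENT_DIRS = ("/images/", "/uploads/", "/tmp/", "/cache/")

def parse_log(text):
    """Yield a dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def is_odd_php_name(path):
    """True for a .php path not in the allowlist that lives in a content directory
    (where no PHP should execute) or whose file name looks machine-generated."""
    clean = path.split("?", 1)[0]
    name = clean.rsplit("/", 1)[-1]
    if not name.lower().endswith(".php") or clean in KNOWN_PHP:
        return False
    in_content_dir = any(seg in clean.lower() for seg in CONTENT_DIRS)
    stem = name[:-4]
    hex_like = re.fullmatch(r"[0-9a-f]{6,}", stem.lower()) is not None
    digit_heavy = sum(c.isdigit() for c in stem) >= 3
    return in_content_dir or hex_like or digit_heavy

def find_suspicious(text):
    """Return sorted (ip, path, hit_count) tuples for requests to odd PHP paths, per client."""
    hits = Counter()
    for rec in parse_log(text):
        if is_odd_php_name(rec["path"]):
            hits[(rec["ip"], rec["path"].split("?", 1)[0])] += 1
    return sorted((ip, path, n) for (ip, path), n in hits.items())
```

Each flagged (client, path) pair is a starting point for the follow-up Huang suggests: check where the client comes from and whether the file exists in the deployed source tree.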