Analysis of Cybercrime Infrastructure
Proofpoint security researchers have published an analysis that exposes the inner workings of a cybercrime operation targeting online banking credentials for banks in the United States and Europe. This Proofpoint research report provides a detailed and rarely seen inside view of the infrastructure, tools and techniques that enabled this cybercrime group to infect over 500,000 PCs.
Key facts from the Proofpoint analysis:
- The Qbot (aka Qakbot) botnet of 500,000 infected systems sniffed ‘conversations’ – including account credentials – from 800,000 online banking transactions; 59% of the sniffed sessions belonged to accounts at five of the largest US banks.
- The attackers compromised WordPress sites using purchased lists of administrator logins, which let them upload malware to legitimate sites and infect the clients that visited those sites. Many of these WordPress sites also ran newsletters, which the attackers used to distribute otherwise legitimate content that had been infected.
- The cybercrime group used the compromised PCs to offer a sophisticated, paid proxying service to other organized crime groups. The service turns infected PCs into an illicit ‘private cloud’ for attackers, as well as into infiltration points into corporate networks.
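The WordPress compromise described above (purchased administrator logins, then malware uploaded into a legitimate site) leaves traces in the site's own web server logs. The following is an added example and not code from the Proofpoint report: a small Python detector that reads access-log lines in the common combined format and flags two signals. The first is a successful administrator login, a POST to wp-login.php answered with a 302 redirect (default WordPress behaviour: success redirects to wp-admin, a failed attempt re-renders the form with a 200), from an IP address outside an assumed allowlist, reported together with the number of failed attempts from that IP that preceded it, which is the pattern a purchased credential list produces. The second is any request for a PHP file under wp-content/uploads, a directory that should hold only media. The log lines, IP addresses and allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# Combined-format access log: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Server-side script extensions that have no business under wp-content/uploads.
EXEC_EXT = re.compile(r'\.(php[3457]?|phtml|phar)$', re.IGNORECASE)

# Constructed sample log (not real traffic): one login from an allowlisted admin,
# a PHP file fetched from the uploads directory, and a credential-stuffing run
# (two failed POSTs followed by a successful one) from an unknown address.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:55:40 +0000] "POST /wp-admin/media-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:56:01 +0000] "GET /wp-content/uploads/2014/10/photo.jpg HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:56:05 +0000] "GET /wp-content/uploads/2014/10/cache.php?x=1 HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2014:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2014:14:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2014:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed allowlist of addresses the site's administrators normally log in from.
KNOWN_ADMIN_IPS = {"203.0.113.5"}


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, known_admin_ips):
    """Scan log lines and return a list of (alert_type, ip, detail) tuples."""
    alerts = []
    failed_logins = defaultdict(int)  # per-IP count of failed wp-login.php POSTs
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0]  # drop the query string
        status = rec["status"]

        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            if status == "302":
                # Successful login. Report it if the address is not a known admin,
                # with the number of failures that preceded it from the same IP.
                if ip not in known_admin_ips:
                    alerts.append(("admin_login_unknown_ip", ip, failed_logins[ip]))
                failed_logins[ip] = 0
            else:
                failed_logins[ip] += 1
        elif "/wp-content/uploads/" in path and EXEC_EXT.search(path):
            # A script being served from the media directory: likely a web shell
            # or dropper uploaded through a compromised admin account.
            alerts.append(("executable_in_uploads", ip, path))
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return analyse(SAMPLE_LOG, KNOWN_ADMIN_IPS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

A 302 from an address not on the allowlist with zero preceding failures can simply be an administrator on a new network, so the failure count is what separates a purchased, valid credential (no failures, or a few from list cleaning) from brute forcing; both cases are worth a look, but the uploads-directory hit is the one to act on immediately, since WordPress never needs to execute PHP from that path and a web server rule denying it there removes the dropper's foothold regardless of how the credentials were obtained.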