It was discovered in early October that a cybercriminal gang based in Russia managed to stay undetected for years while connecting half a million computers to a botnet used to steal banking passwords. The criminal network grew its operations slowly to stay under the radar, but a lapse in its security allowed researcher Wayne Huang to expose the group. Ironically, the group that hacked into hundreds of thousands of computers to steal password information forgot to use password protection on the control panel of their botnet. Huang was able to find the panel's Web address and view all of the gang's operations.
The hackers laid the foundation for their massive botnet by purchasing stolen credentials on the black market. This gave the group access to its first batch of sites from which it built a custom shell. This enabled the gang to have superadmin access to anything on the site while allowing the sites' actual owners to operate as normal, leaving the hackers undetected. While target sites were able to operate as they regularly would, the cybercriminals were injecting malware into the sites' code and infecting users. This made it possible for the gang to monitor its victims' keystrokes and steal any useful information, such as bank account credentials.
"[The attack chain] is designed to establish a foothold on the system so that any number of different pieces of malicious software can be downloaded in order to carry out criminal activities ranging from banking account theft to secret communications and transfers, to distributed denial of service, to ransomware and any other activity that represents an opportunity to monetize that infected system," wrote Huang in a report on the criminal network.
Hundreds of thousands of credentials stolen
The attack campaign, known as the Qbot botnet, was successful in accessing credentials for some 800,000 online bank accounts belonging to customers of at least five of the country's largest banks.
While most of the targeted sites were utilizing antivirus software, the gang would periodically change its attack code in order to stay ahead of virus detection updates. In an interview with The Verge, Huang noted that while the criminal network isn't the largest operation of its kind, it is certainly one of the strongest.
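The injection described above (malicious code added to a legitimate site's pages) and the attack-code churn that kept it ahead of antivirus signature updates both argue for a check that does not depend on signatures: compare what a site serves against a known-good baseline and flag any newly introduced code loaded from a host the owner did not authorize. The following is an added example, not code from the article or from Huang's report; the page content, the trusted-host list and the injected tags are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: the login page as the site owner published it.
BASELINE_HTML = (
    '<html><head><title>Login</title>'
    '<script src="/static/app.js"></script></head>'
    '<body><form action="/login" method="post"></form></body></html>'
)
# Constructed sample of the same page with two hypothetical injected tags.
SERVED_HTML = (
    '<html><head><title>Login</title>'
    '<script src="/static/app.js"></script>'
    '<script src="http://cdn-example.invalid/x.js"></script></head>'
    '<body><form action="/login" method="post"></form>'
    '<iframe src="http://203.0.113.5/load" width="0" height="0"></iframe>'
    '</body></html>'
)
# Hosts the site legitimately loads code from; "" covers same-origin relative URLs.
TRUSTED_HOSTS = {"", "www.bank.example"}


class _SrcCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def content_hash(html: str) -> str:
    """SHA-256 of the served page, compared against the stored baseline hash."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def untrusted_refs(html: str, trusted_hosts) -> list:
    """Return (tag, src) pairs whose host is not in the trusted set."""
    parser = _SrcCollector()
    parser.feed(html)
    return [(t, s) for t, s in parser.refs
            if urlparse(s).netloc.lower() not in trusted_hosts]


def check_page(baseline: str, served: str, trusted_hosts) -> dict:
    """Signature-free check: did the page change, and does it now load foreign code?"""
    return {
        "modified": content_hash(served) != content_hash(baseline),
        "untrusted_refs": untrusted_refs(served, trusted_hosts),
    }
```

Because the check keys on integrity and provenance rather than on the injected code itself, rotating the payload does not help the attacker; each rotation still shows up as a changed hash and an unapproved source host.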
"They rarely do mass injections. They don't do huge campaigns, so they're not on people's radar," said Huang. "But once they're in, they build a really powerful backdoor."
While popular malware and major flaws like Heartbleed get a lot of attention from security experts, slow-burning attacks like Qbot can often be more damaging precisely because they are frequently overlooked. Once a cybercriminal creates a backdoor into a website, it could be years before the real owner controls it again. The longevity and sophistication of this attack highlight the severity of the threat landscape the financial services industry currently faces.
Data breaches targeting banks and other financial institutions have been growing rapidly more sophisticated in recent years, increasing the risk for organizations that store sensitive financial information. As cybercriminals increasingly employ attacks capable of evading detection by antivirus software, businesses will have to start relying on a different kind of security method. A security information and event management (SIEM) solution provides organizations with around-the-clock network monitoring, so that suspicious or anomalous behavior is detected as it happens rather than after a signature update. SIEM services provide enterprises with analysis of malicious activity and can be used to build a more robust defense procedure for the future.