Proofpoint Discovers Russian Cyber-Crime Gang, Attacker of Over 500K PCs

Proofpoint the security firm has said that its researchers recently intercepted one cyber-crime gang based in Russia which contaminated over 500,000 computers while seeking to steal online credentials belonging to prominent banks worldwide.

The firm has named the gang 'Northern Gold' because the term was repeatedly emerging during investigation. The firm believes the gang's operation started in 2008.

Vice-President Engineering Wayne Huang of Proofpoint states, Northern Gold seems to have financial motivation, thus reported theregister.co.uk dated October 7, 2014.

Furthermore, the gang employed a malware called Qbot -its other name is Qakbot- for carrying out the contamination, including infecting almost 2m distinct IP addresses. During the process, conversations were intercepted, while account details pertaining to approximately 800K Internet-based banking transactions were stolen, state the researchers.

Nearly 60% of the bank transaction sessions that were intercepted related to accounts of 5 very big banks within USA, while the IP addresses, again within USA, related to 75% of all contaminated PCs. Certain banks operating from Australia too got attacked.

Proofpoint's investigation is still going on; as a result, Huang has declined from disclosing the affected banks' names. Scmagazine.com reported this October 7, 2014.

Attackers, according to the security company, executed their assault from a number of hijacked WordPress websites utilizing the tactics of drive-by-download. It (the gang) expanded its botnet with 52% of contaminated machines which had Windows XP, while 39% had Windows 7. Moreover, computers with active Internet Explorer were estimated to be 82% of effective contaminations with Qbot.

Proofpoint notes that the gang's botnet construction is pretty methodical spanning sufficient time with rather low levels of the campaign so security companies' attention would barely get drawn.

When the attackers started sniffing sessions of individual end-users, exploit kits such as the Blackhole, Phoenix and Sweet Orange were employed. They also utilized different vulnerabilities like in Java, PDF plug-ins, IE and Flash. The exploit kits were pre-bought whenever they became obtainable just as they were also deserted when security patches appeared.

Proofpoint indicates that hackers from Russia are hitting the news given their more severe intrusions like one that lately targeted the American bank, JPMorgan Chase.

» SPAMfighter News - 10/14/2014