Hackers Using Jabber IM for Sending & Receiving Stolen User Credentials

The RSA Fraud Action Research Lab, which conducted an investigation in a number of attacks with Zeus Trojan during May-July 2009, discovered and traced down a fresh technique of Internet attack with which criminals speedily delivered hacked credentials.

The investigation by RSA of a number of variants of Zeus showed that some cyber crooks had begun utilizing the Jabber IM (instant messaging) service to leverage compromised user details.

By employing Jabber, online criminals were able to receive stolen information immediately as it was gathered from a Zeus infected computer.

The security researchers state that the components of Jabber IM, which had been put inside the Zeus variants, were programmed in such a way that they extracted the credentials of users from the database of the Zeus' "drop" server, and instantly transmitted the same to the remotely-situated criminals.

Nevertheless, online criminals might not necessarily get the hacked credentials, which are contained in the Trojan "drop" server, in real-time. The hackers might be sitting other side of the globe or might not be having an uninterrupted link with the server.

Therefore, crooks are employing the Jabber IM for automated dispatch and receipt of hacked credentials that immediately follow their collection. As for the current instance, the cyber criminals utilize twin Jabber accounts, one that transmits targeted compromised details from the database of the infected server and another that receives those details.

Commenting on the point, the researchers stated that the incident indicated scammers' increasing focus on immediacy as they made efforts to beat measures implemented for identification and avoidance of banking scams.

Sean Brady, Senior Manager for Identity Verification and Safeguard at RSA, said - a definite change, which had occurred recently, was that there was a decline in the delay of using stolen credentials, as reported by TheRegister on August 27, 2009. Brady added that the fraudsters surely acted urgently to exploit the credentials.

Meanwhile, RSA found that the first Jabber crime that the company traced extracted hacked user details from only one financial institution that was based in the USA, suggesting a targeted Zeus assault related to IM.

Related article: Hackers Redirect Windows Live Search to Malicious Sites

» SPAMfighter News - 9/10/2009