
Online Crime Gang Stole Millions

LAS VEGAS, NEV. -- To gain a grasp of just how badly organized cyber-crime groups are fleecing American banks and consumers, it may be instructive to look at the details released this week about the operations of a single online crime gang that is responsible for what is undoubtedly the largest cache of stolen data ever uncovered.

The info comes from Joe Stewart, a researcher with Atlanta-based SecureWorks who has been studying the operations of a group responsible for distributing "Coreflood," a remote-access Trojan that the bad guys are using to hide their activities online and steal data from infected systems.

By gaining access to an online server used to control the CoreFlood network, Stewart was able to get a rare glimpse inside an operation that compromised more than 378,000 systems over the past 16 months. He found more than 500 gigabytes of stolen banking credentials and other sensitive data. To put this in perspective, Stewart said, if that data were printed on paper, it would fill 500 pickup trucks. Yet the thieves periodically download and wipe their database of older stolen information, so Stewart estimates that the group likely has swiped more than four times that amount of data over the past several years.

Analysis by the Secret Service shows that this is the same Trojan used in 2004 to steal $90,000 from Joe Lopez, a Florida businessman who filed a landmark lawsuit against Bank of America after the company refused to reimburse his business for the loss (Bank of America later settled the suit but Lopez said he is forbidden to discuss the terms of that settlement).

Using the malware, the fraudsters behind CoreFlood set up an automated process that would report to their server the balances of any stolen online bank accounts, with the details from the victim accounts organized by financial institution.

One victim had more than $147,000 in their savings account. In just one of these directories, Stewart found 40 distinct, compromised accounts totaling more than $2.5 million.

Stewart said while the bad guys behind this attack seem to be interested primarily in banking data, they easily could monetize tons of other purloined data, such as the 463,582 stolen user names and passwords to more than 35,000 domains.

The group distributes its Trojan through "drive-by downloads," exploiting flaws in Web browser software and associated plug-ins. Stewart said he has traced the network to a group operating out of Russia. He said the CoreFlood crooks have been operating with impunity since at least 2002.

Stewart said the only thing saving many of the victims is that they don't have enough money in their accounts to warrant stealing, as the CoreFlood scammers appear to be targeting people with many thousands of dollars in their accounts.

"These guys just have access to more accounts than they can possibly even go after," Stewart said.

-- Brian Krebs

By Editors  |  August 7, 2008; 3:05 PM ET
Categories:  Fraud  


"Stewart said he has traced the network to a group operating out of Russia. He said the CoreFlood crooks have been operating with impunity since at least 2002."

Well, sure, there's no downside as far as the Russian government is concerned. These guys are probably not stealing from Russians. And when it's time for another cyber-war, they'll be all ready!

Posted by: Nick | August 7, 2008 6:52 PM

Brian: Cybercrime losses are serious. But in big cases like TJX, our reactions are out of proportion to the actual magnitude of loss. TJX is paying banks $65 million for the cost of cancelling credit cards, whereas the actual booty the TJX criminals were able to realize was only about $1 million. See analysis at --Ben

Posted by: Benjamin Wright | August 7, 2008 11:25 PM

This confirmed what I have been thinking for a while.

The only thing that is stopping the wholesale looting of millions of bank accounts is the fact that the bad guys simply have too much stolen data on their hands.

I mean, just how many bank accounts can you empty in one day?

What a bizarre state of affairs we find ourselves in!

Posted by: Nick | August 8, 2008 12:30 PM

I got hit for many thousands of dollars two weeks ago today. After investigating the abilities of these online bad guys, I'm going back to the 20th century. Grandma's mattress and paper checks for me. Your money is not safe if you bank online. (The investigators on my case also gave me quite an education!)

Posted by: Linda | August 8, 2008 1:25 PM

Somebody please put Microsoft out of business.

Posted by: Rick | August 9, 2008 5:28 PM


© 2010 The Washington Post Company