Online Crime Gang Stole Millions
LAS VEGAS, NEV. -- To gain a grasp of just how badly organized cyber-crime groups are fleecing American banks and consumers, it may be instructive to look at the details released this week about the operations of a single online crime gang that is responsible for undoubtedly the largest cache of stolen data ever uncovered.
The info comes from Joe Stewart, a researcher with Atlanta-based SecureWorks who has been studying the operations of a group responsible for distributing "Coreflood," a remote-access Trojan that the bad guys are using to hide their activities online and steal data from infected systems.
By gaining access to an online server used to control the CoreFlood network, Stewart was able to get a rare glimpse inside an operation that compromised more than 378,000 systems over the past 16 months. He found more than 500 gigabytes of stolen banking credentials and other sensitive data. To put this in perspective, Stewart said, if that data were printed on paper, it would fill 500 pickup trucks. Yet the thieves periodically download and wipe their database of older stolen information, so Stewart estimates that the group likely has swiped more than four times that amount of data over the past several years.
Analysis by the Secret Service shows that this is the same Trojan used in 2004 to steal $90,000 from Joe Lopez, a Florida businessman who filed a landmark lawsuit against Bank of America after the company refused to reimburse his business for the loss (Bank of America later settled the suit but Lopez said he is forbidden to discuss the terms of that settlement).
Using the malware, the fraudsters behind CoreFlood set up an automated process that would report to their server the balances of any stolen online bank accounts, with the details from the victim accounts organized by financial institution.
One victim had more than $147,000 in their savings account. In just one of these directories, Stewart found 40 distinct, compromised accounts totaling more than $2.5 million.
Stewart said while the bad guys behind this attack seem to be interested primarily in banking data, they easily could monetize tons of other purloined data, such as the 463,582 stolen user names and passwords to more than 35,000 domains.
The group distributes its Trojan through "drive-by downloads," exploiting flaws in Web browser software and associated plug-ins. Stewart said he has traced the network to a group operating out of Russia. He said the CoreFlood crooks have been operating with impunity since at least 2002.
Stewart said the only thing saving many of the victims is that they don't have enough money in their accounts to warrant stealing, as the CoreFlood scammers appear to be targeting people with many thousands of dollars in their accounts.
"These guys just have access to more accounts than they can possibly even go after," Stewart said.
-- Brian Krebs