Mass attack by “Soldier” ensnares major US corporations in its net, steals $3.2 million in 6 months, causes organizations and individuals to be vulnerable to future attack; 90+ other countries hit by shrapnel.
For some time now, we’ve been investigating the operations of a certain cybercriminal: a young man in his early 20s who resides in Russia. During our investigation, we discovered that the attacker uses various criminal toolkits including SpyEye and ZeuS for crimeware, as well as exploit kits such as those for driving blackhat SEO to propagate his SpyEye/ZeuS binaries.
Using the SpyEye criminal toolkit, money mules and an accomplice believed to reside in Hollywood, USA, “Soldier” as he’s known in the criminal underground, stole over $3.2 million US dollars in 6 months starting January 2011, which equates to approximately $533 thousand dollars per month, or $17 thousand dollars a day!
Using the IP addresses of the victims that were recorded by the SpyEye command and control server, we were able to determine the network to which the IP address was assigned. We found that a wide variety of large organizations and US multi-nationals in a variety of sectors were represented in the victim population.
We do not believe these large organizations and US multi-nationals were originally the intended target, we instead believe that they were impacted following end user compromise. Bots (infected victim systems) are routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud.
The victim IP addresses that were identified in the compromise included those belonging to the following types of organizations:
- US Government (Local, State Federal)
- US Military
- Educational & Research Institutions
- Other Companies (Automobile, Media, Technology)
His botnet was able to compromise approximately 25,394 systems between April 19, 2011 and June 29, 2011. And while nearly all of the victims were located in the US, there were a handful of victims spread across another 90 countries.
While SpyEye is known as a “banking Trojan”, it is quite capable of stealing all forms of credentials. We processed the data for well known services and found that many credentials, especially for Facebook, had been stolen.
The SpyEye variant that was used for the above-mentioned operation is detected as TSPY_SPYEYE.EXEI. We’ve also blocked access to related remote sites using our Web Reputation Service.
Such information gives us a clearer view of what goes on within a botnet as prominent as those created with SpyEye. As we attain more information on how cybercriminals do business, their targets, and what kind of information they seek, hopefully it will lead us to discover how to dismantle these operations and prevent them from stealing a users’ hard-earned money.
Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye, but the amounts stolen and the number of large organizations potentially impacted is cause for serious concern.
Hat tip also goes out to Kevin Stevens and Nart Villeneuve for additional intelligence found regarding this campaign.
Leave a reply