Mass attack by “Soldier” ensnares major U.S. corporations in its net, steals US$3.2 million in six months, causes organizations and individuals to be vulnerable to future attacks; 90+ other countries hit by shrapnel.
For some time now, we’ve been investigating the operation of a certain cybercriminal—a young man in his early 20s who resides in Russia. During our investigation, we discovered that the attacker uses various criminal toolkits, including SpyEye and ZeuS for crimeware, as well as exploit kits such as those for driving blackhat SEO to propagate his SpyEye/ZeuS binaries.
Using the SpyEye criminal toolkit, money mules, and an accomplice believed to reside in Hollywood, U.S.A., “Soldier,” as he’s known in the criminal underground, stole over US$3.2 million in six months starting January 2011, which equates to approximately US$533,000 per month, or US$17,000 dollars a day!
“Soldier” mainly targeted U.S. users and to increase the number of successful infections achieved in the country, he even bought U.S. traffic from other cybercriminals. Besides using malware to steal money from compromised accounts, he also steals users’ security credentials.
Using the IP addresses of the victims that were recorded by the SpyEye command-and-control server, we were able to determine the network to which the IP address was assigned. We found that a wide variety of large organizations and U.S. multinational corporations in a variety of sectors were represented in the victim population.
We do not believe these large organizations and U.S. multinational corporations were originally the intended target, we instead believe that they were impacted following end-user compromise. Bots (infected victims’ systems) are routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud.
The victims’ IP addresses that were identified in the compromise included those belonging to the following types of organizations:
- U.S. government (local, state federal)
- U.S. military
- Educational and research institutions
- Other companies (automobile, media, technology)
His botnet was able to compromise approximately 25,394 systems between April 19 and June 29, 2011. And while nearly all of the victims were located in the United States, there were a handful of victims spread across 90 other countries.
In addition, SpyEye was built specifically for Windows systems and Windows XP led the way, making up 57 percent of the compromised computers. Despite its improvements in security, nearly 4,500 Windows 7 computers were compromised.
While SpyEye is known as a “banking Trojan,” it is quite capable of stealing all forms of credentials. We processed the data for well-known services and found that many credentials, especially for Facebook, have been stolen.
We are currently working on informing the victims of our findings.
The SpyEye variant that was used for the above-mentioned operation is detected as TSPY_SPYEYE.EXEI. We’ve also blocked access to related remote sites using our Web reputation technology.
Such information gives us a clearer view of what goes on within a botnet as prominent as those created with SpyEye. Our continuous effort to obtain more information on how cybercriminals do business, their targets, and what kind of information they seek will hopefully lead us to discover how to dismantle these operations and prevent them from stealing a users’ hard-earned money.
Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye but the amounts stolen and the number of large organizations potentially impacted are causes for serious concern.
Hat tip also goes out to Kevin Stevens and Nart Villeneuve for additional intelligence found regarding this campaign.
Update as of October 4, 2011: We recently released the white paper, From Russia To Hollywood: Turning the Tables on a SpyEye Cybercrime Ring, which documents our investigation on this attack.