Study of banking malware analyzes underground economy

Article

Study of banking malware analyzes underground economy

Marcia Savage, Features Editor Information Security magazine

A recent study of keyloggers and banking Trojans provides a view into the underground economy of stolen bank account credentials, passwords and credit card numbers.

    Requires Free Membership to View

    Login

    SearchFinancialSecurity.com members gain immediate and unlimited access to in-depth technical advice, strategies, and expert guides for securing data in high-risk financial environments. Join me on SearchFinancialSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchFinancialSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchFinancialSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

SearchFinancialSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The study, published earlier this month by Thorsten Holz, Markus Engelberth and Felix Freiling at the University of Mannheim in Germany, analyzed malware designed to steal sensitive information from infected machines. The researchers developed techniques for studying the "dropzones" -- servers that are used by attackers to store stolen information.

Over a seven-month period, they were able to access more than 70 unique dropzones and found about 33GB of stolen data from more than 170,000 compromised machines. Among the stolen data, the researchers found more than 10,700 stolen online bank account credentials, about 149,000 stolen email passwords, and 5,600 full credit card details.

Using a Symantec Corp. study, the researchers estimated the potential value of the stolen credentials at several millions of dollars. Symantec released a report in November on the value of stolen data.

"The results of analyzing the potential income of an attacker indicate that an attacker can earn several hundred dollars per day based on impersonation attacks with keyloggers -- a seemingly lucrative business." Holz, one of the founders of the German Honeynet Project, wrote in the Honeyblog.

SearchSecurity radio:

The analysis also showed that nearly one-third of the infected machines are located in either Russia or the U.S.

Researchers looked in detail at two pieces of malware -- ZeuS/Wsnpoem and Limbo/Nethell -- that fall into a class of attacks they call impersonation attacks, where criminals want to steal a credential in order to impersonate a victim at a banking or other website. The attack channel for the ZeuS/Wsnpoem family of malware is spam that contains a keylogger as an attachment, while Limbo/Nethell malware often lures victims to malicious websites, according to the study.

Due to the sensitive nature of the data collected in the study, the research team gave it to AusCERT, the national Computer Emergency Response Team for Australia, Holz noted in his blog posting.

He also said the best ways to protect against the threats described in the study are patching, not clicking on all links and attachments, and using two-factor authentication when conducting bank transactions.