Russian hacker gang steals with impunity, says researcher

Top Stories

Related

• Clues point to Jan. 13 release of Windows 7 beta
• Microsoft releases Vista SP2 beta
• Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
• IBM wants info from Apple execs in Papermaster case
• Report: Former AOL chief exec tries to raise funds to buy Yahoo
• U.S. report sees major terror attack by 2013, ignores cyberattack risk

• Hosting firm takedown bags 500,000 bots
• Small attack triggered Microsoft's emergency patch, says researcher
• Crooks can make $5M a year shilling fake security software
• Security breach at Web host leaves sites at risk
• Call out a phisher, get attacked by malware

Zone

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

August 7, 2008 (Computerworld) The Russian hacker gang using a Microsoft administration tool to steal passwords has cashed in big time for years, the researcher who has tracked the group's crimes said today.

A sampling of 11% of the stolen accounts found in one directory on the gang's command-and-control server found more than a quarter-million dollars at risk, said Joe Stewart, director of malware research at Atlanta-based SecureWorks Inc.

Stewart laid out that and more on Thursday as he detailed the inner workings of a cybercrime gang using the Coreflood Trojan horse to infect massive numbers of PCs, then sift through the machines for confidential information, including bank account numbers and passwords.

"The one thing that they're looking for is larger accounts that they can clean out," said Stewart. "They haven't automated the money transfer part of the process, so they're looking for the biggest accounts to get the most money the quickest."

Stewart has been releasing research on the group for more than a month as he works his way through more than 50GB of data he snatched from a server that the gang had been using as a data repository. In July, for instance, Stewart disclosed how they use a Microsoft program called PsExec to spread their password-stealing Trojan from a single infected PC to every Windows system on a company network.

In his most recent findings, Stewart spelled out how much money the group has had access to, as well as the number of users whose information was hijacked. As before, Stewart culled the information from a Coreflood command-and-control server he had helped shut down earlier this year.

Among the mountains of evidence on the server were the results of automated scripts that checked the validity of bank accounts, and in the process obtained the account balances. Of the 79 accounts the cybercrooks tested -- from among 740 stolen accounts on file in a single directory -- the highest balance was $147,000, while the averages were $4,553 for each savings account and $2,096 for each checking account.

The total exposed in the 79 accounts for which the hackers had usernames and passwords was $281,000. "And that's a conservative estimate of what they could get," said Stewart. "This was only a fraction of the accounts they had stolen."

The group has been stealing with apparent impunity for years, said Stewart; the server he accessed had been in continuous operation since 2005, for example. And they've done well, since he found approximately 463,000 usernames and passwords on the server. More than 8,400 of those were bank or credit union account usernames and passwords, while 3,200 gave access to users' credit card accounts. Stewart also found 416 online stock trading account usernames and passwords, 869 to online payment processors and 553 to payroll processors.