A recent report analyzing cybercrime that infected over 500,000 PCs pointed out that while “the primary targets appear to be financial accounts and online banking information, the group also has a range of options for further monetization of the infected computers.”  The Proofpoint October 2014 report entitled the “Analysis of a Cybercrime Infrastructure” concludes that “the recent targeting online banking credentials for banks in the United States and Europe “appear to be a Russian cybercrime group whose primary motivation is financial.”

Here are some of the key facts from the Proofpoint analysis:

  • Russian-speaking cybercrime group targeted primarily US-based systems and online banking accounts.
  • Qbot (aka Qakbot) botnet of 500,000 infected systems sniffed ‘conversations’ – including account credentials – for 800,000 online banking transactions, with 59% of the sniffed sessions representing accounts at five of the largest US banks.
  • The attackers compromised WordPress sites using purchased lists of administrator logins, with which they were able to upload malware to legitimate sites in order to then infect clients that visited these sites. Many of these WordPress sites also run newsletters, which the attackers leverage to distribute legitimate but infected content.
  • Windows XP clients comprised 52% of the infected systems in the cybercrime group’s botnet, even though recent estimates place the Windows XP install base at  20-30% of business and consumer personal computers. Microsoft ended patch and update support for Windows XP in April 2014.
  • The cybercrime group used compromised PCs to offer a sophisticated, paid proxying service for other organized crime groups. The service turns infected PCs into an illicit ‘private cloud’ as well as infiltration points into corporate networks.

Given recent $2+ billion valuation of cybercrime I hope that Proofpoint’s report is a wakeup call!