Cybercrime moves to the cloud
Researchers say criminals are moving their malware heavy lifting from end user PCs to servers in the cloud.
The same flexibility and freedom companies get from having their software
and services hosted in the cloud is enabling cybercriminals to conduct
highly automated online banking theft -- without doing much of the
necessary information processing on their victims' own computers.
Security and privacy experts have long worried that criminals would launch
attacks on the servers storing the data in cloud environments. But a
report released this week from McAfee and Guardian Analytics shows that
criminals are now using the cloud infrastructure itself to get more
capability out of their campaigns.
"They are leveraging
the cloud," Brian Contos, senior director of emerging markets at
McAfee, said in an interview. "This is the first time we've ever seen
Basically, what researchers uncovered was a
series of highly sophisticated campaigns designed to siphon money out of
high balance bank accounts in Europe, the U.S. and South America
through automated transfers. Like most online consumer bank fraud, the
attacks started off with a phishing e-mail, typically pretending to be
from a victim's bank and urging the recipient to click a link to change
the account password. Once the link is clicked, a Trojan -- in this case
Zeus or SpyEye -- was downloaded onto the victim's computer, in early
versions of the attacks. In later versions the malware is operating from
When the victim goes to log into the bank
site, the malware would use a so-called Web inject technique to overlay
what looks like the bank Web page in the victim's browser. However,
behind the scenes and totally transparent to the victim, something
entirely different is happening. While the victim thinks he or she is
transferring money from a savings account into a checking account, for
instance, the malware is actually transferring any amount of money the
criminals specify into their own account.
banking malware like this will handle the processing from the victim's
PC. But in this case, the heavy lifting of the malware is being done on
the server in the cloud, according to Contos. In the operations McAfee
and Guardian Analytics uncovered, the servers were located in eastern
European countries, he said. The servers are located mostly at "bullet
proof" ISPs that have lax policies and are relocated frequently to avoid
"The servers are sitting within ISPs that
are designed specifically to take part in fraud," he said, adding that
the criminals in these campaigns even managed to bypass two-factor
authentication systems commonly used in European consumer online
banking. For instance, not only does a consumer type in a username and
password to a site, but also swipes a card into a special card reader
attached to the PC that provides additional proof that the
legitimate user is accessing the account.
The log-in or
authentication "information is taken from the malware (on the PC) and
redirected to the server in real time," Contos said. "That server takes
that data and authenticates against the victim's bank account, all
The servers -- at least 60 were used
in these operations -- provided the criminals with the ability to fully
automate the attacks, so less manual intervention is needed on the part
of the attacker to do things like adjust the amount to steal that will
be below fraud detection levels.
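The shift described above moves the authenticated banking session from the victim's PC to the criminals' server, which leaves fewer traces on the endpoint but keeps several signals visible to the bank: the login arrives from a network the customer never uses, the transfer follows the login within seconds because a program issues it, and the amounts cluster just under whatever threshold triggers manual review. The following bank-side scoring heuristic is an added example, not code from the article, McAfee or Guardian Analytics; the `Session` fields, the `REVIEW_THRESHOLD` value and the sample records are all constructed.

```python
from dataclasses import dataclass

# Constructed review threshold: transfers at or above this amount are
# held for manual review, so an automated attacker trims just beneath it.
REVIEW_THRESHOLD = 10_000.0


@dataclass
class Session:
    user: str
    login_country: str          # geolocation of the IP that authenticated
    home_country: str           # country the customer normally banks from
    seconds_to_transfer: float  # delay between login and first transfer
    amount: float
    new_payee: bool             # destination account never seen before


def score_session(s: Session) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means the session looks
    more like a server-driven automated transfer than a human customer."""
    score, reasons = 0, []
    if s.login_country != s.home_country:
        score += 2
        reasons.append("login from unusual country")
    if s.seconds_to_transfer < 5.0:
        score += 2
        reasons.append("transfer issued seconds after login")
    # Within 5% below the review threshold: typical of an attacker
    # adjusting amounts to stay under the detection level.
    if 0 < REVIEW_THRESHOLD - s.amount <= REVIEW_THRESHOLD * 0.05:
        score += 2
        reasons.append("amount just below review threshold")
    if s.new_payee:
        score += 1
        reasons.append("transfer to new payee")
    return score, reasons


def flag_sessions(sessions: list[Session], min_score: int = 4) -> list[str]:
    """Return the users whose sessions reach the hold-for-review score."""
    return [s.user for s in sessions if score_session(s)[0] >= min_score]


# Constructed sample sessions (not real bank data). "ZZ" is a placeholder
# country code standing in for a network the customer never uses.
SAMPLE = [
    Session("alice", "DE", "DE", 95.0, 250.0, False),   # ordinary customer
    Session("bob", "ZZ", "GB", 1.8, 9_850.0, True),     # all four signals
    Session("carol", "US", "US", 3.0, 9_990.0, True),   # same country, still fast
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.user, *score_session(s))
    print("hold for review:", flag_sessions(SAMPLE))
```

Taken alone, each signal is weak; the heuristic only escalates when the session combines the speed and amount-trimming that the automation in these campaigns produces.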
"The server is the
brains that does all the transactions in the bank account," he said.
Rather than having the malware residing on the victim's computer take
charge of the attack functions, like stealing the data and sending it
off somewhere, the attack itself is performed by the server.
the intelligence is sitting on the server side that they are putting in
the cloud," he said. "The criminals don't have to change anything on
the end user side. They can make modifications on the server side. They
still have malware on the user's machine, but it can be smaller and much
less intelligent than in the past."
The malware on the
victim's computer can stay simple and doesn't need to be updated to
change the functionality of the attack; that can be done on the server
side. "It's all designed to make (the attack) scalable and agile," Contos
said. "This also allows criminals to keep attacks alive as long as
possible" because there is less activity on the end user's computer that
can be detected.
Contos predicts this is the future of
malware operations, much like many online business operations have
moved to the cloud to save time and resources for companies. Once the
malware is on an end user's computer, criminals can use those computers
for a multitude of operations and attacks.
"We will see
people repurposing malware for this purpose," he said. "They will use
the install base (of an existing botnet, for example) and ride that wave
and set up their own servers" to use the victim computers for theft.
more @ http://news.cnet.com/8301-1009_3-57464177-83/cybercrime-moves-to-the-cloud/?tag=mncol;topStories