Russian Cybercrime Network Targets US Bank Customers

Credit: John David Bigl III/Shutterstock
Researchers have discovered a Russian-speaking cybercrime group that harvests login credentials for U.S. and European banks. The group has used a botnet to steal information from more than 800,000 online-banking transactions, more than half of which pertained to five of the largest U.S. banks.

The findings, from Sunnyvale, California-based security company Proofpoint, Inc., expose the inner workings of a typical modern cybercriminal operation.

The group's operations revolve around seizing control of WordPress-based websites and rigging them with a browser exploit kit. Visitors to these WordPress sites would then often become infected with the multipurpose Qbot, or Qakbot, information stealer and botnet creator. Some compromised WordPress sites also ran email newsletters, which were hijacked to lure more potential victims to the compromised sites.

The group compromised WordPress sites by buying lists of default WordPress administrator login credentials in online cybercrime markets. The affected WordPress sites were also rigged with an obfuscation tool called a Traffic Distribution Service (TDS). If the TDS detects that a visitor to the compromised WordPress site is a security firm's scanner, it prevents the site from "dropping" malware onto the visitor's browser, so the infection chain avoids detection.

Once Qbot is on a user's computer, it sniffs Web traffic and sends any banking-specific data it finds back to its command-and-control servers. Proofpoint said that the criminal group in question allegedly ran a botnet of more than 500,000 PCs, which it sometimes rented out to other groups.

"The service turns infected PCs into an illicit 'private cloud,'" Proofpoint wrote in its report.

About 52 percent of the compromised computers were running Windows XP, Proofpoint said. Windows XP is a 13-year-old operating system that Microsoft no longer supports and that is no longer considered secure, yet it still runs on about 25 percent of PCs worldwide.

WordPress site administrators can protect their sites from being compromised by changing admin passwords from the defaults, and by changing them regularly thereafter.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.