E-Commerce’s Worst Nightmare: Dual BotNets, Stolen Bank Accounts
I have continually harped on the dangers of adware and spyware and the often dubious means criminals or unscrupulous affiliates use to spread this software contagion. Taking it one step further is the use of “botnets”, and in this case large botnets, to steal consumer data: credit card data, personal information, passwords, etc. What makes it more alarming is that this social engineering attack via the IM vector can easily be passed along by a trusted source. IM is increasingly becoming a choice vector of attack, like a ripe apple on a tree.
So why the concern for marketers and merchants? Really, why should you care?
Large-scale and sophisticated attacks like this have the potential to have a “chilling effect” on shopping, buying and banking online, eroding in general the very e-commerce infrastructure that merchants, affiliates, networks and customers take for granted.
Special thanks to Team Copperhead at FaceTime, who spent painstaking hours researching this complex incident; more details are yet to come.
Also a most grateful thanks to the tipster, Rince, who came forward with vital details to help crack the case, proving once again that single individuals can make a big difference on the seemingly vast Internet.
Find below a segment of the press release from FaceTime Security Labs, the research arm of FaceTime Communications.
Acting on an anonymous tip, researchers have uncovered two “botnet” networks that collectively represent up to 150,000 compromised computers, one of which is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.
Instant messaging applications and protocols are an increasingly popular vector to distribute malicious files and executables. With this new threat, FaceTime has identified more than 40 unique files – many designed to take advantage of social engineering techniques, stored passwords, auto-complete data and vulnerable payment systems. Relevant files and information on a large number of “at risk” credit card accounts have been provided to federal authorities.
Who is affected: Users of unsecured instant messaging IM clients or Internet Explorer browsers.
Threat Type: IM Social Exploit
Risk Level: High
Additional Information:
If an end user clicks on a malicious link passed to them via Instant Messaging, Remote Administration Server, a commercially available application produced by Famatech, is automatically installed via a “beh.exe”. The install is designed to hide the application in the systray with no interaction from the end user. Once this application is installed, the end user’s computer is compromised and can be accessed remotely, at which point additional malware applications are installed on the desktop.
One application of note is “Carder,” a Perl script designed specifically to uncover exploits in several shopping cart applications, including Comersus Cart, CactuShop, CCBill and others, that are used by many popular e-commerce sites. If a vulnerability is identified by this file, the backend database containing credit card and account information (e.g. credit card numbers, home addresses, usernames and passwords) may be stolen off the e-commerce site. Personal information may also be stolen from the infected PC itself through Protected Storage PassView from NirSoft, another application that may be remotely loaded onto infected PCs.
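On the merchant side, the cart scanning described in the release shows up in web server logs as one client requesting paths for several unrelated cart products that the site does not even run. The Python script below is an added example, not FaceTime’s tooling or the Carder script itself; it assumes Apache combined-format logs, uses the cart product names from the release as path tokens (the directory names are constructed), and treats probes for two or more distinct cart products, all answered with 404, from one client within a minute as scanner behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log sample (not real traffic): 10.0.0.5 probes
# for three different cart products within seconds; 10.0.0.9 is an ordinary shopper.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2006:14:01:02 +0000] "GET /comersus/default.asp HTTP/1.0" 404 512 "-" "libwww-perl/5.803"
10.0.0.5 - - [10/Mar/2006:14:01:03 +0000] "GET /cactushop/default.asp HTTP/1.0" 404 512 "-" "libwww-perl/5.803"
10.0.0.5 - - [10/Mar/2006:14:01:05 +0000] "GET /ccbill/ HTTP/1.0" 404 512 "-" "libwww-perl/5.803"
10.0.0.9 - - [10/Mar/2006:14:01:07 +0000] "GET /comersus/store/basket.asp HTTP/1.1" 200 4021 "-" "Mozilla/4.0"
"""

# Product names from the release; the directory names and the "several different
# carts from one client" rule are assumptions of this example, not from the release.
CART_TOKENS = ("comersus", "cactushop", "ccbill")
WINDOW_SECONDS = 60
MIN_DISTINCT_CARTS = 2

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, lowercased path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").lower(), int(m.group("status"))

def find_cart_scanners(log_text):
    """Map client IP -> sorted cart tokens for clients whose 404'd requests touch
    at least MIN_DISTINCT_CARTS different cart products within WINDOW_SECONDS."""
    probes = defaultdict(list)  # ip -> [(timestamp, cart token)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 404:  # only requests for software that is not there
            continue
        ip, ts, path, _ = rec
        token = next((t for t in CART_TOKENS if t in path), None)
        if token:
            probes[ip].append((ts, token))
    flagged = {}
    for ip, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {tok for ts, tok in events[i:] if (ts - start).total_seconds() <= WINDOW_SECONDS}
            if len(window) >= MIN_DISTINCT_CARTS:
                flagged[ip] = sorted(window)
                break
    return flagged
```

Calling `find_cart_scanners(SAMPLE_LOG)` flags only 10.0.0.5; a shopper whose requests succeed, or a client whose probes are spread over more than a minute, is not reported.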
For more details, read the full release at Yahoo! or check out this brief article on the incident at SpywareGuide.com. And yes, there is more to come: the real nitty gritty…
ADDENDUM: For more on the BotNet Chaos and Rince Revelation see my colleague’s blog at VitalSecurity.org.