The Russian hacker gang using a Microsoft administration tool to steal passwords has cashed in big time for years, the researcher who has tracked the group's crimes said today.
A sampling of 11% of the stolen accounts found in one directory on the gang's command-and-control server found more than a quarter-million dollars at risk, said Joe Stewart, director of malware research at Atlanta-based SecureWorks Inc.
Stewart laid out that and more on Thursday as he detailed the inner workings of a cybercrime gang using the Coreflood Trojan horse to infect massive numbers of PCs, then sift through the machines for confidential information, including bank account numbers and passwords.
"The one thing that they're looking for is larger accounts that they can clean out," said Stewart. "They haven't automated the money transfer part of the process, so they're looking for the biggest accounts to get the most money the quickest."
Stewart has been releasing research on the group for more than a month as he works his way through more than 50GB of data he snatched from a server that the gang had been using as a data repository. In July, for instance, Stewart disclosed how they use a Microsoft program called PsExec to spread their password-stealing Trojan from a single infected PC to every Windows system on a company network.
In his most recent findings, Stewart spelled out how much money the group has had access to, as well as the number of users whose information was hijacked. As before, Stewart culled the information from a Coreflood command-and-control server he had helped shut down earlier this year.
Among the mountains of evidence on the server were the results of automated scripts that checked the validity of bank accounts, and in the process obtained the account balances. Of the 79 accounts the cybercrooks tested -- from among 740 stolen accounts on file in a single directory -- the highest balance was $147,000, while the averages were $4,553 for each savings account and $2,096 for each checking account.
The total exposed in the 79 accounts for which the hackers had usernames and passwords was $281,000. "And that's a conservative estimate of what they could get," said Stewart. "This was only a fraction of the accounts they had stolen."
The group has been stealing with apparent impunity for years, said Stewart; the server he accessed had been in continuous operation since 2005, for example. And they've done well, since he found approximately 463,000 usernames and passwords on the server. More than 8,400 of those were bank or credit union account usernames and passwords, while 3,200 gave access to users' credit card accounts. Stewart also found 416 online stock trading account usernames and passwords, 869 to online payment processors and 553 to payroll processors.
The gang has not been caught.
"The fact that they've been in operation for over six years shows there's not a whole lot of risk to them," said Stewart, who has reported his discoveries to law enforcement officials. The evidence led to a city in the south of Russia; Stewart declined to name it, however.
U.S. agencies, he added, "are on the case," but he was less optimistic about their Russian counterparts. "I don't know," he said when asked whether authorities in Russia were pursuing the gang. "But we need a lot more effort and cooperation to do anything about this."
The gang continues to fly under the radar. "The Coreflood botnet isn't as big as some of the bigger botnets, but all they need to do is clean out a large account every couple of weeks to make a good living," he said.
Stewart has posted some of his findings on the SecureWorks site.