Researchers Analyze Massive Botnet Targeting Banking Customers in U.S., Europe

Researchers at Proofpoint have released an analysis of a 500,000-strong botnet used by a cybercrime ring to target banking customers in the United States and Europe. 

According to Proofpoint, the botnet has stolen online banking credentials for as many as 800,000 accounts, some 59 percent of which were at five of the largest banks in the U.S.

“Based on information gleaned from the attacker’s control panels, such as language preferences and the language of the server names and documentation, as well as from further research, the attackers behind this operation appear to be a Russian cybercrime group whose primary motivation is financial,” according to the report. “While the primary targets appear to be financial accounts and online banking information, the group also has a range of options for further monetization of the infected computers.”

The attackers compromised WordPress sites using purchased lists of administrator logins. They used those logins to upload malware to legitimate sites in order to then infect clients that visited these sites. Many of these sites also run newsletters that the attackers leverage to distribute legitimate – but infected – content.

The compromised sites contain or link to a Traffic Direction System (TDS) filter, which checks to ensure the victim’s browser is a target. If it is, the TDS will merge in content from an exploit server. Otherwise the TDS will be silent.

Next, the attackers exploit a browser or plugin vulnerability and infect the user with the malware dropper Qbot, which generates a unique identifier for each infection and drops additional malware.
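A TDS that stays silent for non-target browsers leaves a detectable fingerprint: the same URL returns different external script or iframe references depending on the client. The following added check (not from the Proofpoint report or SecurityWeek) compares responses captured for one URL under several User-Agent strings and flags external resources that only some clients received; the host names and HTML samples are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Collect the src of every <script> and <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.sources.update(v for k, v in attrs if k == "src" and v)


def external_resources(html, page_host):
    """Return script/iframe sources whose host is not the page's own host."""
    collector = ResourceCollector()
    collector.feed(html)
    return {s for s in collector.sources
            if urlparse(s).hostname and urlparse(s).hostname != page_host}


def conditional_resources(responses, page_host):
    """responses maps a client label (User-Agent) to the HTML that client got
    for one URL. Return external resources that only some clients received,
    mapped to the sorted list of clients that saw them; a TDS that is silent
    for non-target browsers shows up exactly this way."""
    per_client = {ua: external_resources(html, page_host) for ua, html in responses.items()}
    flagged = {}
    for src in sorted(set().union(*per_client.values())):
        seen_by = sorted(ua for ua, srcs in per_client.items() if src in srcs)
        if len(seen_by) < len(per_client):
            flagged[src] = seen_by
    return flagged


# Constructed sample responses (not real captures): one page on
# www.example-news.test fetched with three different User-Agent strings.
LEGIT = ('<html><body><script src="/js/site.js"></script>'
         '<script src="https://cdn.example-news.test/app.js"></script>')
INJECTED = '<iframe src="http://gate.example-tds.invalid/in.cgi" width="1" height="1"></iframe>'
SAMPLE_RESPONSES = {
    "windows-xp-ie8": LEGIT + INJECTED + "</body></html>",
    "windows-7-firefox": LEGIT + INJECTED + "</body></html>",
    "linux-crawler": LEGIT + "</body></html>",
}

if __name__ == "__main__":
    for src, clients in conditional_resources(SAMPLE_RESPONSES, "www.example-news.test").items():
        print(f"{src} served only to: {', '.join(clients)}")
```

Resources served to every client (the site's own CDN here) are not flagged, so the output lists only content that depends on who is asking.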

More than half of the infected systems are Windows XP machines, while 39 percent run Windows 7.

“When end users browse the web sites compromised by the attackers, the scripts that the attackers added to the compromised site’s page will cause the visiting browsers to ultimately load and run unwanted software in a manner that is completely transparent to the end user,” according to the report.

The cybercrime group used compromised PCs to offer a sophisticated, paid proxying service for other organized crime groups that turns infected PCs into a ‘private cloud’ as well as infiltration points into corporate networks.

“The operations of this Russian cybercrime group exemplify both the sophisticated attack chain and the key challenges of modern threats,” according to the report. “While attackers rely on a variety of means to connect with potential victims, compromised web sites are a critical component in the attack chain. Attackers have the financial and technical means to infect an almost unlimited number of legitimate web sites, above and beyond the more easily identifiable malicious or suspicious sites that traditional defenses are designed to detect and block.”

“Moreover, the attack chain does not simply deliver a single piece of malware onto an infected system and stop at that,” the report continues. “Instead, it is designed to establish a foothold on the system so that any number of different pieces of malicious software can be downloaded in order to carry out criminal activities ranging from banking account theft to secret communications and transfers, to distributed denial of service (DDoS), to ransomware and any other activity that represents an opportunity to monetize that infected system.”

The report can be viewed here.