Albert Gonzales
Albert Gonzales may be taking the majority of the heat (and rightly so), and the full force of U.S. Law Enforcement prosecution, but he is only the tip of the proverbial iceberg.
There is an entire Eastern European organized criminal operation that is further along in this food chain.
In case you haven’t heard, Gonzales and his co-conspirators are responsible for hacking into TJX, Heartland Payment Systems, Dave & Buster’s, and other retailers and payment processors, to steal credit & debit card account numbers.
As Kim Zetter reports on the Wired “Threat Level” Blog, there are multiple Eastern European connections to known organized criminal operations in Russia, The Ukraine, and Latvia (and elsewhere), some of which Trend Micro threat researchers have been tracking for several years now.
Besides these direct hacks of businesses and credit card processors, we have seen a very robust growth in malware which directly targets banking institutions, banking login credentials, malware that piggy-backs banking sessions, etc., ad nauseum, in an effort to steal money. Period.
In fact, the largest growth of malware that we have seen in 2009 has virtually all been geared towards stealing credentials of one sort or another.
This is organized cyber crime at it’s most base form, and it is actually getting worse.
There is a rather long, and twisted history here — especially involving Gonzales and other individual involved in similar crimes, but the real interesting connections lead back to Eastern Europe, especially Russia and The Ukraine.
While I’m not trying to make this incident any more shocking than it already is, the real issues are not being discussed in the mainstream media — luckily, Wired has dug into the background of these issues a bit, and so has Brian Krebs at The Washington Post.
Make no mistake, these issues are very complicated — all “good” criminals make sure that they are hard to track. But not all tracks are invisible.
Trend Micro researchers, including myself, have been tracking this specific criminal activity in Eastern Europe for several years now, and we intend to first, protect our customers, and secondly, try to work with law enforcement and others to identify the criminals.
Trend Micro researchers are hard on the trails of these malicious activities, and when we identify sites that are designed to victimize you, we ensure that they get blocked by the Trend Smart Protection Network.
Trend Micro researchers not only ensure that our customers are protected, but we also actively work work with International Law Enforcement to identify the criminal actors behind these crimes.
Don’t be victimized.
“Fergie” a.k.a Paul Ferguson, Threat Research
We, at Trend Micro Research, recently produced a short blog series on the Pushdo botnet, a botnet which excelled at staying under the radar for a considerable period of time. Pushdo is not alone in this regard however – enter Ilomo.
Ilomo has also being active for several years now, and like Pushdo has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries.
Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session – transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine – ftp, web servers, local administrators etc. These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware.
Ilomo ‘s second source of revenue is selling “anonymity as a service”. Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals identity this proxy network is very useful for defeating another defense built into many banking sites – namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection.
We’ve only touched on some of the high level details of Ilomo in this article, If you want to look at Ilomo in even more detail (and find out about the technical aspects we did not have time to discuss), check out our white paper:
