ZeuS attackers set up honeypot for researchers

Any criminal who wants to stay successful must know his opponents and hide the details of his actions well, so it is no wonder that online criminals are resorting to planting honeypots and fake information for security researchers and competitors to find.

An investigation into the latest spam campaign, which notifies potential victims that their tax payment was rejected due to an error with the Electronic Federal Tax Payment System, has revealed that these ZeuS-peddling criminals used an exploit toolkit that had a fake administration panel.

Exploit toolkits usually have an admin interface, but not many have a bogus one that functions as a honeypot and documents the details of every attempt to access it or hack it.

“The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings,” says security researcher Brett Stone-Gross. “After the researcher/hacker is ‘authenticated’, they are shown random exploit statistics.”

It seems legitimate enough at first glance, but one look at the source code reveals that the numbers are chosen at random from predefined intervals.

Stone-Gross also told DarkReading that further probing into the source code revealed a directory called “fake admin”, where all the IP addresses from which access to the console was attempted were stored – along with some remarks in Russian. The information collected this way could allow the criminals to blacklist researchers or mount attacks against them in the future if they feel threatened.
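The decoy-login behaviour described above, modelled as an added example in the form a defender would use for a decoy admin page on their own infrastructure; it is not code from the toolkit or from Stone-Gross's analysis. The credential list, injection pattern, statistic names and IP addresses are constructed assumptions.

```python
import random
import re

# Constructed sample values; the article does not list the real ones.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
SQLI_PATTERN = re.compile(
    r"""['"]\s*(?:or|and)\s+.+=|--|/\*|\bunion\b.+\bselect\b""", re.I)
# Hypothetical statistic names, each with a predefined interval to draw from.
STAT_INTERVALS = {"visits": (5000, 9000), "infections": (400, 900)}


def classify_attempt(username, password):
    """Label a login attempt the way the decoy login would treat it."""
    if any(SQLI_PATTERN.search(field) for field in (username, password)):
        return "sqli_probe"
    if (username.lower(), password) in DEFAULT_CREDS:
        return "default_credentials"
    return "other"


class DecoyLogin:
    def __init__(self, seed=None):
        self.attempts = []  # every attempt is recorded, accepted or not
        self._rng = random.Random(seed)

    def handle(self, src_ip, username, password):
        label = classify_attempt(username, password)
        self.attempts.append({"ip": src_ip, "user": username, "label": label})
        if label == "other":
            return {"authenticated": False, "stats": None}
        # "Successful" logins only ever see numbers drawn at random.
        stats = {name: self._rng.randint(lo, hi)
                 for name, (lo, hi) in STAT_INTERVALS.items()}
        return {"authenticated": True, "stats": stats}

    def flagged_ips(self):
        """Source addresses that guessed defaults or sent injection strings."""
        return sorted({a["ip"] for a in self.attempts if a["label"] != "other"})


if __name__ == "__main__":
    decoy = DecoyLogin(seed=1)
    # Constructed attempts from documentation-range addresses (RFC 5737).
    for ip, user, pw in [("192.0.2.10", "admin", "admin"),
                         ("198.51.100.7", "admin", "' OR '1'='1"),
                         ("203.0.113.5", "alice", "S3cure!pass")]:
        print(ip, decoy.handle(ip, user, pw))
    print("flagged:", decoy.flagged_ips())
```

Two "successful" logins in a row return unrelated figures, which is the inconsistency that gives a panel like this away.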