Organized cyber crooks plunder SMBs with simple, cheap keyloggers

The popularity and pervasiveness of Zeus/Zbot has made it almost a synonym for banking malware, but there are unfortunately many more types of malicious software that allow attackers to steal money from their victims. Some of these, in the “right” hands, can bring in an astounding amount of money.

Take for example Predator Pain and Limitless, two low-priced ($40 or less), off-the-shelf keyloggers/RATs that are able to collect and exfiltrate the following types of information from infected machines:

Wielded by cybercriminals targeting small and medium-sized businesses in Hong Kong, they netted them $75 million in the first half of this year alone, as estimated by the Commercial Crime Bureau of Hong Kong Police Force.

“Consider: this means that cybercriminals in a single city, within six-months, equaled all the losses from Zbot up to the present,” Trend Micro senior threat researcher Ryan Flores pointed out.

“Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved,” he explained.

The attackers have opted for investing more time and effort instead of going for more pricy, automated malware, and they have succeeded.

The attacks would start with the criminals harvesting publicly available corporate email addresses from the companies’ sites, then would send business themed emails with effective social engineering lures aimed at making the recipient download and run the attached malware.

“Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities,” the researchers noted in a whitepaper.

“Successfully stealing online banking credentials can lead to financial theft. Some of the stolen information provide attackers more leverage for subsequent attacks. They can, for instance, get their hands on actual emails and use these to ‘hijack’ ongoing transactions between their chosen victims and their clients. Most of the stolen data can be used for continued monitoring. Attackers can reroute their victims’ incoming emails to their own inbox for later use. Or for quicker gains, attackers can also package and sell the information they stole to cybercriminal peers underground.”

The researchers noted that in some instances, 419 scammers turned to this more lucrative type of attack. The targets were exclusively SMBs, likely because they rarely have dedicated IT security staff.

“SMBs may not be involved in multimillion-dollar deals but they do conduct transactions worth tens to hundreds of thousands of dollars,” the researchers noted. “As the world relies more and more on Web services (e.g., webmail), all it will take to ruin a business is a single compromised online account.”