A Banking Cyber Attack Using 500,000 PCs?

October, 10, 2014 Franklyn Jones

Did you hear about this - a botnet of nearly half-a-million PCs, all carefully infected and focused on attacking banking web sites across the US and Europe. It's true, and thoroughly documented in a fascinating new report published by Proofpoint.

This brilliantly orchestrated attack – referred to as the Qbot attack – apparently started with Russian cyber criminals compromising a number of WordPress web sites, which were then used to launch targeted attacks to build a powerful mult-national bot network. To accomplish their goals, the attackers built a complex traffic distribution system (TDS) with lots of moving parts, which are described in detail in the report.

PCs that were affected by this attack merely had to visit one of these WordPress sites. There was no need to click on any links – just showing up at the compromised WordPress site was enough. And while visitors were there, the hackers implemented a process to first identify the profile of each PC and ensure the incoming browsers or browser plug-ins would be good targets for exploitation and infection. Apparently 500,000 PCs met their stringent requirements for being bots in their attack network.

The malware was carefully constructed to avoid all detection technologies and, after setting up shop on each PC, it established communications back to centralized command-and-control servers. But wait, there's more. Once installed on PCs, the malware was so stealthy that it could hook into encrypted web sessions (typically used for online banking) without being noticed, and thus gain access to banking networks.

The good news is that this attack is apparently behind us now. The bad news is that there is very likely a new attack underway right now, which no one has yet discovered. And the common problem with all of this is that these complex, browser-borne malware attacks are becoming increasingly undetectable. So what do you do?

In this case, adding yet another layer of advanced detection technology would only add to cost and complexity, and unlikely solve the problem. The better solution is to stop detecting and start isolating. Specifically, isolate the web browser outside the network to ensure no malware can come inside the network.

This is where the AirGap browser isolation system from Spikes Security is helping businesses today. It's time to think differently about network security and introduce isolation technology as a solution to a problem that will only get worse.

Franklyn Jones, CMO, Spikes Security

 

Keep informed.