Ecosystem of a major cybercrime organization
By Nicolas WOIRHAYE, Wednesday 18 July 2007 at 08:11 :: General :: #164
In mid-June 2007, cert-lexsi teams investigated a fraud involving the massive theft of banking credentials. The operation, which began at the end of 2005, is representative of the risks that today's banking malware poses.
We monitor the activity of thousands of fraudulent servers to which some of the most sophisticated malicious programs connect. An error by the fraudsters' administration team exposed, for a few hours only, unrestricted access to the contents of these servers. Our monitoring infrastructure immediately took a detailed snapshot of what turned out to be the fraudsters' "mothership" server: the machine they use to track the activity of several dozen malware versions and to centralize and store all the stolen data.
cert-lexsi was thus able to recover the stolen data files, covering 300,000 malware victims throughout the world. We immediately took the necessary action and contacted the most heavily targeted financial institutions so that access to more than 90% of the compromised accounts and stolen means of electronic payment could be blocked, helping to prevent potential fraud worth hundreds of millions of euros.
Our second step was to study the network behind these fraudulent activities. The 300,000 active infections were operated by several dozen individuals, "customers" of a structured criminal group that manages the whole malware value chain: development of the malware, its hosting, and processing of the stolen data. This Russian-speaking group offers professional support via a centralized ticket-based feedback platform. Each of the group's customers receives a unique version of the malware, issued in his name and encrypted with his own key. Updates are regular and frequent, which keeps each malware version ahead of the signatures of the major antivirus products. Several new executables are produced every day to meet the needs of the criminal ring.
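The following toy model, added here as an illustration and not code or data from the original report, shows why the per-customer, per-update encryption described above defeats hash and byte-pattern signatures while leaving the collection infrastructure as a stable indicator. The core payload, the XOR "crypter", the key layout and the collection-server URL are all constructed assumptions; nothing about the group's real builder is known from the page.

```python
"""Toy model of per-customer malware builds (constructed illustration).

Every 'customer' gets the same core payload wrapped with a unique key, and
every 'update' is a fresh key. Hash-based and byte-pattern signatures
diverge per build, while the collection server the payload talks to at
runtime is the same in every build.
"""
import hashlib
import random
from typing import Dict, List

KEY_LEN = 16

# Constructed stand-in for the shared core payload. The collection URL is a
# placeholder (.invalid TLD), not an address from the original report.
CORE_PAYLOAD = b"STEALER_CORE;collect=https://mothership.example.invalid/drop;v=1"

# Byte pattern an antivirus engine might sign on after analysing one sample.
STATIC_SIGNATURE = b"collect=https://"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the toy 'crypter' standing in for the real one."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_for_customer(customer_key: bytes) -> bytes:
    """Produce one customer's unique build: key stub followed by encrypted core."""
    if len(customer_key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return customer_key + xor_stream(CORE_PAYLOAD, customer_key)


def unpack(build: bytes) -> bytes:
    """What the build does at runtime (or what an analyst does in a sandbox)."""
    return xor_stream(build[KEY_LEN:], build[:KEY_LEN])


def extract_collection_server(payload: bytes) -> str:
    """Pull the collection URL out of a decrypted payload."""
    for field in payload.split(b";"):
        if field.startswith(b"collect="):
            return field[len(b"collect="):].decode()
    raise ValueError("no collection server field in payload")


def simulate(customers: int, updates: int, seed: int = 7) -> Dict[str, object]:
    """Generate customers*updates builds and compare static vs. runtime indicators."""
    rng = random.Random(seed)  # deterministic keys so the run is reproducible
    builds: List[bytes] = []
    for _ in range(customers):
        for _ in range(updates):
            key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
            builds.append(build_for_customer(key))

    build_hashes = {hashlib.sha256(b).hexdigest() for b in builds}
    static_hits = sum(STATIC_SIGNATURE in b for b in builds)
    servers = {extract_collection_server(unpack(b)) for b in builds}

    return {
        "builds": len(builds),
        # one hash per build: a hash blocklist never catches the next update
        "distinct_build_hashes": len(build_hashes),
        # the plaintext signature never appears in any encrypted build
        "static_signature_hits": static_hits,
        # but every build decrypts to the same core and calls the same server
        "distinct_collection_servers": len(servers),
        "collection_server": next(iter(servers)),
    }


if __name__ == "__main__":
    for k, v in simulate(customers=5, updates=3).items():
        print("%-28s %s" % (k, v))
```

The takeaway matches the approach the report describes: with a fresh key per customer and per update, sample hashes and byte signatures lag the builder indefinitely, whereas the server every build reports to is the indicator that stays constant and is worth monitoring.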
Despite the substantial income generated by this malware fraud, several customers of the criminal network continue to run much less profitable side activities, such as traditional phishing.
On the infrastructure side, RBN, Lug Link and Neva Con are the three networks most directly involved in the malware distribution and the related hosting services behind this fraud.