Researchers say that criminals are moving their malware heavy lifting from end-user PCs to servers in the cloud.
The same flexibility and freedom that companies get from having their software and services hosted in the cloud is enabling cybercriminals to conduct highly automated online banking theft — without doing much of the necessary information processing on their victims' own computers.
Security and privacy experts have long worried that criminals would launch attacks on the servers storing the data in cloud environments. But a report released last week from McAfee and Guardian Analytics (PDF) shows that criminals are now using the cloud infrastructure itself to get more capability out of their campaigns.
"They are leveraging the cloud," Brian Contos, senior director of emerging markets at McAfee, said in an interview. "This is the first time we've ever seen this."
Basically, what researchers uncovered was a series of highly sophisticated campaigns designed to siphon money out of high-balance bank accounts in Europe, the US and South America through automated transfers. Like most online consumer bank fraud, the attacks started off with a phishing email, typically pretending to be from a victim's bank and urging the recipient to click a link to change the account password. Once the link was clicked, a trojan — in this case Zeus or SpyEye — was downloaded onto the victim's computer in early versions of the attacks. In later versions, the malware was operating from a server.
When the victim went to log in to the bank site, the malware would use a so-called web-inject technique to overlay what looked like the bank web page on the victim's browser. However, behind the scenes, and totally invisible to the victim, something entirely different was happening. While the victim thought that he or she was transferring money from a savings account into a checking account, for instance, the malware would actually transfer any amount of money that the criminals specified into their own account.
Traditionally, banking malware like this will handle the processing from the victim's PC. But in this case, the heavy lifting of the malware was being done on the server in the cloud, according to Contos. In the operations that McAfee and Guardian Analytics uncovered, the servers were located in eastern European countries, he said. The servers were located mostly at "bullet-proof" ISPs that have lax policies and are relocated frequently to avoid discovery.
"The servers are sitting within ISPs that are designed specifically to take part in fraud," he said, adding that the criminals in these campaigns even managed to bypass two-factor authentication systems commonly used in European online consumer banking. For instance, not only does a consumer type in a username and password to a site, but they also swipe a card into a special card reader attached to the PC that provides additional data proof that the legitimate user is accessing the account.
The log-in or authentication "information is taken from the malware (on the PC) and redirected to the server in real time," Contos said. "That server takes that data, and authenticates against the victim's bank account, all within seconds."
The servers — at least 60 were used in these operations — provided the criminals with the ability to fully automate the attacks, so less manual intervention was needed on the part of the attacker to do things like adjust the amount to steal so that it would be below fraud-detection levels.
"The server is the brains that does all the transactions in the bank account," he said. Rather than having the malware reside on the victim's computer, and take charge of the attack functions, like stealing the data and sending it off somewhere, the attack itself was performed by the server.
"All the intelligence is sitting on the server side that they are putting in the cloud," he said. "The criminals don't have to change anything on the end-user side. They can make modifications on the server side. They still have malware on the user's machine, but it can be smaller and much less intelligent than in the past."
The malware on the victim's computer can stay simple, and doesn't need to be updated to change the functionality of the attack; that can be done on the server side. "It's all designed to make [the attack] scalable and agile," Contos said. "This also allows criminals to keep attacks alive as long as possible," because there would be less activity on the end-user's computer that can be detected.
Contos predicts that this is the future of malware operations, as many online business operations have moved to the cloud to save time and resources for companies. Once the malware is on an end-user's computer, criminals can use those computers for a multitude of operations and attacks.
"We will see people repurposing malware for this purpose," he said. "They will use the install base (of an existing botnet, for example) and ride that wave and set up their own servers" to use the victims' computers for theft.