Trend Micro researchers traced a SpyEye malware campaign originating from Russia and they estimated the cyber-criminal had stolen $3.2 million so far in 2011.
Cyber-crime is a lucrative business that offers criminals
very high returns in exchange for very low risk. Trend Micro researchers showed
just how profitable it can be in their analysis of a recently uncovered Russian cyber-crime operation.
The researchers found that this operation amassed $3.2 million in
just over six months, Loucif Kharouni, a senior threat researcher at
Trend Micro, wrote on the company's Malware Blog
on Sept. 14. The researchers calculated the amount based on the activity generated by this SpyEye campaign. Trend Micro described the individual who ran
the operation as a "young man in his early 20s who resides in Russia" who
went by the name "Soldier" on underground forums.
Soldier used various toolkits, including the SpyEye and Zeus
crimeware kits and exploit kits, along with black hat search engine optimization
methods that poisoned search results and sent visitors to his sites, according to
Trend Micro. Using SpyEye, money mules and an accomplice allegedly
living in Hollywood, Soldier stole over $3 million between January and June of this
year.
"Compromise on such a mass scale is not that unusual
for criminals using toolkits like SpyEye but the amounts stolen and the number
of large organizations potentially impacted are causes for serious concern,"
Kharouni wrote.
Trend Micro researchers uncovered the SpyEye
command-and-control server Soldier was using and analyzed the victim IP addresses
the server had recorded. From those records the researchers were able to
determine that a "wide variety of large organizations and U.S.
multinational corporations" had been compromised, including state, local
and federal government agencies, branches of the military, education and
research institutions, banks, airports and other major corporations.
Soldier's botnet compromised approximately 25,394 systems
between April 19 and June 29, Trend Micro said.
The campaign wasn't just about infecting user computers to
steal account credentials; the malware also intercepted login information for
several well-known Web services, such as Facebook, Yahoo, Google and MSN Live.
Many large organizations were exposed because employees' credentials for
e-mail and FTP servers were stolen, according to Kharouni.
The SpyEye kit in use specifically targeted Windows
systems, and 57 percent of the compromised computers were running Windows XP,
Trend Micro found. Nearly 4,500 Windows 7 computers were also part of the
botnet.
Soldier also "bought" traffic, that is, computers that
had already been compromised by other criminals, Trend Micro found. It is not likely
that Soldier intentionally targeted the corporations. The researchers believe the
organizations were compromised as a consequence of an end-user's computer being
infected. In many cases, the corporate systems were among the bots Soldier had
purchased from other criminals, according to Kharouni.
"Bots (infected victims' systems) are routinely sold to
other criminals who perform other data-stealing activities, thereby making
these networks vulnerable to further compromise and possible fraud,"
Kharouni wrote.
The amount of money Soldier stole in such a short period of
time is par for the course considering the size of the industry. The yearly
cost of cyber-crime may have surpassed the revenue of the illegal trades in
marijuana, cocaine and heroin combined, Symantec said in a report released in
early September. Annual losses resulting from cyber-crime are valued at $388
billion, which combines $114 billion in direct cash losses with $274
billion in the value of time lost responding to attacks, Symantec found. Illicit sales
of marijuana, heroin and cocaine are estimated at $288 billion a year.
Criminals are drawn to online crime because there is less chance of getting caught: it is easy
to hide where the attacks originate from. It is also easy to cover the
money trail by using mules to carry the cash and by transferring money through
a chain of accounts, according to Trend Micro.
Soldier mainly targeted victims in the United States, but a
handful of victims were scattered across 90 other countries, including the
United Kingdom, Brazil, Mexico, India and Canada.