SpyEye Campaign Nets Criminal $3.2 Million in Six Months

Trend Micro researchers traced a SpyEye malware campaign originating from Russia and they estimated the cyber-criminal had stolen $3.2 million so far in 2011.

Cyber-crime is a lucrative business that offers criminals very high returns in exchange for very low risk. Trend Micro researchers showed just how profitable it is in their analysis of a recently uncovered Russian cyber-crime operation.

The researchers found this operation amassed $3.2 million in just over a six month period, Loucif Kharouni, a senior threat researcher at Trend Micro, wrote on the Malware Blog on Sept. 14. The researchers calculated the amount based on the activity generated by this SpyEye campaign. Trend Micro described the individual who ran the operation as a "young man in his early 20s who resides in Russia" and went by the name "Soldier" on underground forums.

Soldier used various toolkits, including SpyEye and Zeus crimeware and exploit kits that used black hat search engine optimization methods to poison search results and send visitors to his sites, according to Trend Micro. Soldier used SpyEye, money mules and an accomplice allegedly living in Hollywood to steal over $3 million between January and June of this year.

"Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye but the amounts stolen and the number of large organizations potentially impacted are causes for serious concern," Kharouni wrote.

Trend Micro researchers uncovered the SpyEye command-and-control server Soldier was using and analyzed the victim IP addresses that the server had recorded. From those records, the researchers determined that a "wide variety of large organizations and U.S. multinational corporations" had been compromised, including state, local and federal government agencies, branches of the military, education and research institutions, banks, airports and other major corporations.

Soldier's botnet compromised approximately 25,394 systems between April 19 and June 29, Trend Micro said.

The campaign wasn't just about infecting users' computers to steal account credentials; the malware also intercepted login information for several well-known Web services, such as Facebook, Yahoo, Google and MSN Live. Many large organizations were compromised as employees' security credentials for e-mail and FTP servers were stolen, according to Kharouni.

The SpyEye kit being used specifically targeted Windows systems, and 57 percent of the compromised computers were running Windows XP, Trend Micro found. Nearly 4,500 Windows 7 computers were also part of the victim population.

Soldier also "bought" traffic, that is, computers that had already been compromised by other criminals, Trend Micro found. It is not likely that Soldier intentionally targeted the corporations. Researchers believe the organizations were compromised afterwards, once an end user's computer had been infected. In many cases, the corporate systems were among the bots Soldier had purchased from other criminals, according to Kharouni.

"Bots (infected victims' systems) are routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud," Kharouni wrote.

The amount of money Soldier stole in such a short period of time is par for the course considering the size of the industry. The yearly cost of cyber-crime may have surpassed the revenue of the illegal trades in marijuana, cocaine and heroin combined, Symantec said in a report released in early September. Annual losses resulting from cyber-crime are valued at $388 billion, which includes $114 billion in direct cash losses and $274 billion in time lost responding to attacks, Symantec found. The illicit trade in marijuana, heroin and cocaine is estimated at $288 billion.

Criminals favor online crime because there is less chance of getting caught: it is easy to hide where the attacks originate from. It is also easy to cover the money trail by using mules to carry the cash and by transferring money through a chain of accounts, according to Trend Micro.

Soldier mainly targeted victims in the United States, but a handful of victims were scattered across 90 other countries, including the United Kingdom, Brazil, Mexico, India and Canada.