Two large botnets that control 150,000 compromised computers are hacking into users' online shopping carts to steal credit card numbers, bank account details, and log-on passwords, a security company said Friday.
The botnets, said Foster City, Calif.-based FaceTime, were discovered, probed, and disclosed to authorities with the help of an insider who tipped off the company's security researchers and showed them the inner workings of the bot underground.
According to Chris Boyd, the security research manager for FaceTime, the bots, or hacked PCs, were accumulated by seeding Trojan horses via instant messaging networks. Recipients naive enough to click on the IMs' embedded link ended up with remote access applications secretly installed on their PCs; the attacker then used that software to install as many as 40 additional pieces of malware.
"They're using the kitchen sink approach times one hundred," said Boyd. Among the installs by the botnet's herder, or controller, Boyd found adware, keyloggers, and much more sophisticated applications.
One, dubbed "Carder," is a customizable Perl script designed to sniff out exploits in several e-commerce shopping cart applications. If Carder identifies a vulnerability, both personal data can be snatched from the individual PC, and database information -- including large numbers of credit card account number, usernames, passwords, home addresses, and the like -- can be hijacked from the e-tailer's back-end systems.
"If you can't trust the payment systems [on e-commerce retailers], you'll think twice about using the Internet," said Boyd.
Part of the problem is that it's impossible to know exactly what shopping cart vulnerabilities are under attack at any given moment since Carder is so customizable. "They're working on the fly, and messing around with the [Perl] code to change the types of data it goes after," said Boyd. "They're always looking for the latest vulnerability, which makes it difficult to tackle."
Boyd was turned on to the botnets by a former hacker, now gone straight, who uses the screen name "RinCe." With RinCe's help, Boyd was able to monitor the botnet operators, get a feel for how they were organized, and understand the pecking order.
"There's a small percentage pulling the strings," Boyd said as he outlined the botnet hierarchy. "They're trading bot code right and left," he said, "but the people who run these [trading sites] are usually putting their own backdoors in the code they share, so they end up with the data."
It's a very regimented and organized structure, said Boyd, much more so than last year, with new hackers having to prove their worth by offering up code of their own or an unknown vulnerability or even compromised PayPal accounts. One account that Boyd saw displayed by a kowtowing hacker had an $11,000 balance.
"The hacking world is one big market place, trading stuff for stuff like the black market," said RinCe in an IM interview with Boyd that was posted to the SpywareGuide Web site. "If you get your hands on something amazing, like a new IE exploit, you’re a god in the hacker world - you could ask for anything, or any price."
The turn toward cashing out by botnet herders is relatively new, said Boyd, and comes on the heels of them reducing their reliance on adware installations for their income. "They've moved away from standard adware installs," said Boyd, "as well as ActiveX kits. ActiveX is too easy to spot." An additional motivator, he said, was the Microsoft's next browser, Internet Explorer 7, will block most ActiveX controls right off the bat. Hackers may be looking ahead, he said, and changing tactics now.
"Frankly, this is such a large scam with so many elements to it, that it’s hard to pin down," Boyd said. "It's so complex with so many money-making elements to it, it's hard to know where to start."
With the informer's help, however, Boyd thinks that there's a better-than-average chance of apprehending these botnet operators.
"This guy was invaluable, and we got some really really good information to pass along to the federal authorities."