SpywareGuide powered by FaceTime Security Labs

Instant Messaging E-Commerce Exploits- Judgement Day

by Chris Boyd, Wayne Porter

Acting on an anonymous tip, FaceTime Security Labs researchers have uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers, one of which is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.

In addition, after systematic research of the various groups involved, we have uncovered a number of websites where up to forty (40) or more files are being shared around this community and reworked for individual botnets to push the problem even further. Commercially available remote admin tools (similar to the ones employed here) are used to gain complete access to the end user's PC - files can be uploaded, downloaded, or whatever the botmaster feels like doing with the machine.


However, what the botnet master really feels like doing is downloading the payment database application to your PC, then scanning for misconfigured shopping carts using you as the fall guy.

Let us explain further. If an end user clicks on a malicious link passed to them via Instant Messaging, a file named "beh.exe" silently installs Remote Administration Server, a commercially available application produced by Famtech. The install is designed to hide the application in the systray with no interaction from the end user. Once this application is installed, the end user's computer is compromised and can be accessed remotely, with additional malware applications installed on the desktop.

The application that then attempts to do the real damage is "Carder", a Perl script designed specifically to uncover exploits in several shopping cart applications, including Comersus Cart, CactuShop, CCBill and others that are used by many popular ecommerce sites. If a vulnerability is identified by this file, the backend database containing credit card and account information (e.g. usernames and passwords to specific accounts, including PayPal) may be stolen off the ecommerce site.

The last big splash in Instant Messaging was the Rootkit Powered Botnet, some months ago. This new tactic is another step up in terms of maliciousness, severity and ingenuity. Using already infected PCs to attempt to crack backend payment databases with custom-built files puts both the end user and the personal information of the users stored in the targeted database at risk. Of course, this method also allows the attacker to remain in stealth mode: it would be madness to run such a file from their own PC, even allowing for proxies and anonymity tools. And the sad fact is, the easiest (and more importantly, fastest) way to push an exploit like this is Instant Messaging. The problem is further compounded by the fact that IM is a primary staple of children, who are easy targets for social engineering attacks.

This is yet another example of why you should think before ever clicking that link - even when the source is 100% trusted. After all, you never really know for sure if the person at the other end has had a bad IM day. More information on this can be seen here, in the official FaceTime press release.

Coming soon: Part 2...An in-depth discussion with Rince, the tipster who brought this intricate scam to our attention. If you liked this article, feel free to vote for it on Digg.com!

Unless otherwise noted this article is Copyright © 2014 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquiries please contact us with the phrase "Spyware Guide Articles" in the subject line and we will be happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.


© Copyright 2007, FaceTime Communications, Inc. All rights reserved.