Instant Messaging E-Commerce Exploits- Judgement Day
by Chris Boyd, Wayne Porter
Acting on an anonymous tip, FaceTime Security Labs researchers have uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers, one of which is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.
In addition, after systematic research of the various groups involved, we have uncovered a number of websites where forty (40) or more files are being shared around this community and reworked for individual botnets, pushing the problem even further. Commercially available remote admin tools (similar to the ones employed here) are used to gain complete access to the end-user's PC - files can be uploaded, downloaded, or whatever else the botmaster feels like doing with the machine.
However, what the Botnet master really feels like doing, is downloading the payment database application to your PC, then scanning for misconfigured shopping carts using you as the fall guy.
Let us explain further: if an end user clicks on a malicious link passed to them via Instant Messaging, Remote Administration Server, a commercially available application produced by Famtech, is automatically installed via a file named "beh.exe". The installer hides the application in the systray, with no interaction from the end user. Once the application is installed, the end user's computer is compromised: it can be accessed remotely, and additional malware applications can be installed on the desktop.
The application that then attempts to do the real damage is "Carder", a Perl script designed specifically to uncover exploits in several shopping cart applications, including Comersus Cart, CactuShop, CCBill and others, that are used by many popular e-commerce sites. If a vulnerability is identified by this script, the back-end database containing credit card and account information (e.g. usernames and passwords to specific accounts, including PayPal) may be stolen from the e-commerce site.
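From the e-commerce operator's side, a scan of the kind described above shows up in the web server's access log as a burst of requests for back-end files and admin areas that do not exist at the probed paths. The following is an added example written for this article, not code from the article or from FaceTime; it assumes Apache combined log format, uses constructed sample log lines, and treats the path heuristic in PROBE_PATH_RE (database, include and backup files, and admin directories that return 404) as an assumption to tune for a real site. It flags a single source that probes several distinct paths within a short window, and separately counts distinct sources per probed path, because a botnet spreads the same probe over many compromised PCs and a per-source threshold alone will miss that.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not taken from the article).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2006:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2006:14:01:05 +0000] "GET /shop/database/store.mdb HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2006:14:01:06 +0000] "GET /shop/admin/ HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2006:14:01:07 +0000] "GET /cart/db/orders.mdb HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2006:14:01:08 +0000] "GET /store/config.inc HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
203.0.113.10 - - [10/Mar/2006:14:02:00 +0000] "GET /shop/cart.asp HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Mar/2006:14:05:11 +0000] "GET /shop/database/store.mdb HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed heuristic for "probing a cart for exposed back-end files": requests for
# database, include or backup files, or for admin areas, that the server does not serve.
PROBE_PATH_RE = re.compile(r'(\.mdb|\.inc|\.bak)$|/database/|/db/|/admin/', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}


def is_probe(event):
    # Only count misses: a 200 for /shop/cart.asp is normal shopping, not a probe.
    return event["status"] == 404 and PROBE_PATH_RE.search(event["path"]) is not None


def find_scanners(log_text, window_seconds=60, min_probes=3):
    """Return {ip: sorted probed paths} for sources that hit at least min_probes
    distinct probe paths within any span of window_seconds."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_probe(ev):
            per_ip[ev["ip"]].append(ev)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {e["path"] for e in events[start:end + 1]}
            if len(distinct) >= min_probes:
                flagged[ip] = sorted({e["path"] for e in events})
                break
    return flagged


def probed_paths_by_source_count(log_text):
    """Count distinct source IPs per probe path. A botnet spreads one probe over
    many bots, so a path hit by many otherwise-quiet sources is the signal."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_probe(ev):
            sources[ev["path"]].add(ev["ip"])
    return {path: len(ips) for path, ips in sources.items()}


if __name__ == "__main__":
    print("per-source scanners:", find_scanners(SAMPLE_LOG))
    print("sources per probe path:", probed_paths_by_source_count(SAMPLE_LOG))
```

On the constructed sample, 198.51.100.7 is flagged for four distinct probe paths within four seconds, while 192.0.2.44 sends a single probe and stays under the per-source threshold; the per-path count shows that /shop/database/store.mdb was requested by two different sources, which is the shape a distributed scan takes. The more durable fix is on the server: keep the cart's database and configuration files outside the web root, so that the probed requests return nothing whether or not the scanner is noticed.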
The last big splash in Instant Messaging was the Rootkit Powered Botnet, some months ago. This new tactic is another step up in terms of maliciousness, severity and ingenuity. Using already infected PCs to attempt to crack back-end payment databases with custom-built files puts both the end user and the personal information of the users stored in the targeted database at risk. Of course, this method also allows the attacker to remain in stealth mode: it would be madness to run such a file from their own PC, even allowing for proxies and anonymity tools. And the sad fact is, the easiest (and more importantly, fastest) way to push an exploit like this is Instant Messaging. The problem is further compounded by the fact that IM is a primary staple of children, who are easy targets for social engineering attacks.
This is yet another example of why you should think, before ever clicking that link - even when the source is 100% trusted. After all - you never really know for sure if the person at the other end has had a bad IM day. More information on this can be seen here, in the official FaceTime press release.
Coming soon: Part 2...An in-depth discussion with Rince, the tipster who brought this intricate scam to our attention. If you liked this article, feel free to vote for it on Digg.com!
Unless otherwise noted this article is Copyright © 2014 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquires please contact us with the phrase "Spyware Guide Articles" in the subject line and we will by happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.