Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Botnet Security The Almighty Buck IT

SpyEye Botnet Nets Fraudster $3.2M In Six Months 99

wiredmikey writes "The SpyEye Trojan has a well-earned place of respect in the cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research provides yet another reminder of why. According to security researchers, a hacker in his early 20s known by the alias 'Soldier' led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits. Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies."
This discussion has been archived. No new comments can be posted.

SpyEye Botnet Nets Fraudster $3.2M In Six Months

Comments Filter:
  • by Anonymous Coward

    Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.

    This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start ho

    • OK, so when are we going to hold Microsoft and other software makers for making insecure software? Nice DMV comment...so true. "Waddaya mean I need insurance to register my vehicle?!" Yes, I heard that once before...
      • by ge7 ( 2194648 )
        You want to hold all the Linux contributors responsible too? Especially when the malware usually comes via user stupidity, not insecure software.
        • So you don't remember all the email virus that spread years ago simply by opening them because they were exploiting flaws in system software? Or how about the malware spreading by exploiting other system flaws? Yes, some is user stupidity by installing some random program or clicking through popups and going to (compromised sites that exploit system flaws) but not ALL of it is caused by the end user.
          • by ge7 ( 2194648 )

            So you don't remember all the email virus that spread years ago simply by opening them because they were exploiting flaws in system software?

            Yep, it was years ago. On that note UNIX and Linux used to have lots of worms that spread remotely too, and there's still lots of bugs and sometimes even remote exploits. Firefox and Chrome patch hundreds of bugs per year.

            If software vendors were being held responsible for every bug that might have slipped through, what you think would happen? Open source contributors would stop contributing software, because they would risk losing their personal money in the process. On the other hand, Microsoft has the

            • I agree. We are on the same side :)
              I should have made it more clear in my first post that I was being sarcastic to the OP. The AC claiming that we should go after the people who are installing malware and to go after them. Like you stating that not every little bug can be perceived, nor can every computer user realize what they are installing is NOT malware, which the AC claims they should know what they are installing. Then I was sarcastically stating then why not go one step further and go after the p
          • Don't forget all the bug hunters/security people who released the vulnerabilities before it was fixed. They are more responsible then the criminals themselves in my book.
    • by Anonymous Coward

      A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.

      What? You don't manually check your brake lines every time you drive? You don't even know where to look? But that's YOUR RESPONSIBILITY!

      Do you count your knives each night to know no one has stolen them to stab someone?

      Personal responsibility means taking reasonable steps to make sure you don't harm others. It doesn't mean becoming an expert in every single aspect of tec

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        "Personal responsibility means taking reasonable steps to make sure you don't harm others"

        Yes, and people DON'T DO THAT. I've seen people get spyware, right in front of my eyes. They absolutely do not take reasonable steps to avoid so doing. They'll cheerfully run ANYTHING. That is not a reasonable behavior, on what is fundamentally a Turing machine.

        So yes, let's hold them responsible when they don't take reasonable steps towards safe computing.

        • by ge7 ( 2194648 )
          What are they being responsible for? Just running piece of software isn't illegal. Even FBI or whoever it was that cleaned one of the botnets gave computer owners the possibility to opt-out of it, in case they wanted to keep it on their computer.
      • by mpe ( 36238 ) on Saturday September 17, 2011 @02:27PM (#37430252)
        A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.

        But the brakes in a car generally don't fail because someone put the wrong CD in or tuned to the wrong radio station.
      • by Stiletto ( 12066 )

        "A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines."

        But running malware and trojans is not "using a computer in a reasonable manner".

        A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...

        • A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...

          The phrase "a better analogy" in English does not mean "a compltely fucking retarded compairon".

      • A better analogy is leaving your car running while you dash into the store. Which IS against the law in many places. Someone might hijack it and commit a crime. Now, I haven't looked, I don't think you'd be liable for that crime, but if they hit someone else with that car, your insurance is at the least going to drop your ass like the irresponsible assbag that you are.

    • by Beryllium Sphere(tm) ( 193358 ) on Saturday September 17, 2011 @01:54PM (#37430096) Journal

      In a world where picture frames come preinstalled with malware, in a world where simply visiting the wrong website can infect you if Flash has an unpatched vulnerability, that's too simplistic.

      I blame people for running Trojans, I blame people for not doing updates (but come on, what other industry would tolerate having a recall on the second Tuesday of every month), but this is still a world in which drive-by downloads are possible. I run Noscript, of course, but don't expect anyone else to live with the problems it causes.

      • It's quite true. I can't blame users for shitty fucking plugins like Flash. They want to view online content, so are essentially forced to become part of an insecure ecosystem.

        • by Anonymous Coward

          I can blame the webmasters that insist on using flash and mandatory javascript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that bet abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's n

          • I can blame the webmasters that insist on using flash and mandatory javascript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that bet abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's neither the user, nor the companies, nor the websites, it's all of them.

            +1 truth

            I'm sick and tired of people who defend the unnecessary use of things like javascript by putting all of the blame for the accompanying reduction in security on the user.

            The car analogy is that it is like demanding that people not wear seat-belts and when they get hurt in a wreck then blaming them for not having the latest air-bag system.

      • ...in a world where simply visiting the wrong website can infect you if Flash has an unpatched vulnerability, that's too simplistic.

        Are you saying that Flash should be limited to Linux, BSD, OpenSolaris, and other operating systems with minimal protections? Better tell Adobe, because they always release new versions of Flash first for Windows. Does that imply Adobe is also complicit with the botmasters?

      • what other industry would tolerate having a recall on the second Tuesday of every month

        Personally, I think we'd be safer if Microsoft didn't create Patch Tuesdays, and actually released patches as soon as they have fixes, instead. It seems that Patch Tuesday in practice just exists to reduce how often Microsoft is seen to release patches. There's a claim that we need a certain date in the month for all sysadmins to know to look for updates, but that's silly. Sysadmins should always be checking for vulnerabilities, and if they really can't be bothered to do it more than once a month they can s

    • by tqk ( 413719 )

      Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.

      Sorry, but no. You may have 35 years under your belt, but my 80+ year old Mom doesn't, and the vast majority of mere users out there are a lot like her. When even highly educated users like doctors and lawyers are stupid around computers, how can you expect my Mom to do any better?

      Case in point: she's on a Mac using Safari, and it drives her up the wall when the history pane doesn't show her favourite sites. I've told her that's not how it's supposed to be used and to use bookmarks instead. She wants to

      • Re: (Score:2, Insightful)

        by Stiletto ( 12066 )

        If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.

        • If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.

          Yes, because only people with Computer Science PhDs should be allowed to use computers, and ideally all computers would be giant mainframesi n universities or large corporations. All this giving computer and internet access to the masses is just plain wrong..

    • I agree, to a point. But it is less simple than you've made it. As an AV industry employee, I get to see firsthand how infections spread. It's actually pretty amazing how much of it is spread by software or operating system vulnerabilities and software companies are slow to address even known vulnerabilities. That being said, it is also true that most people on the information superhighway are simply driving at 700 kmh while texting, eating a donut, and watching a porn video. Click OK or Next now and think
    • by jon3k ( 691256 )
      If your solution is for people to be smarter then you might as well throw in the towel now.
    • "Is that the victims were generally NOT the people who allowed botnets to run on their computers."

      Of course. There is no evolutionary pressure in the ecosystem to detoxify exploited computers. Bubba and Laqueefa don't give a fuck about internet security and WHY SHOULD THEY when there are negligible negative consequences?

      I don't advocate any nonsense like government regulation to (not!) solve the problem.

      It would be better done with destructive malware that disconnects infected PCs from the internet and does

      • and there is no way to solve this problem without causing collateral damage.

        Fuck me, it's Mr Internet Tough Guy on the rampage with military jargon off a cornflakes packet.

    • Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.

      This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.

      If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.

      35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.

      BS. The bad guys are a lot smarter than you think they are. Exploit kits, iframes, obfuscated javascript, etc... they're EVERYWHERE now. Quit blaming the victim already.

    • by durrr ( 1316311 )
      Given that those 3.2 million that was lost most likely originated from some of the 25k compromised machines i'd say that those responsible got what they had coming for them. If a single mother living under minimum wage had her machine compromised, yet no assets stolen via or from her then why slap her with a $120 fine so that the few rich guys that are main targets don't have any incentive to fix their security holes.
    • by drwj01 ( 1695256 )
      People are only be held accountable for things that they or any reasonable person would beheld accountable. Corporate users are taught not to use their 'work' computer for personal use or not to go to unauthorized sites. This is mostly to keep the corporate internet connection from being the source of malicious applications. Some organizations go so far to teach or introduce users to information assurance as part of their right to access the internet. ISPs will continue allowing Darwin Award candidates acce
    • I agree with you, same as a car, you would not just start driving one because you can afford to buy one, you have to take courses and also pass tests.
      Computers in society seem to common place and without accountability. A pilot has to be registered to fly a plane and go through screening....why can not the ISPs enforce such things as well.

      This is where the problem lies, it is more so the ISPs responsibility also to know when an infected computer is within ITS network, and block it off indefinitely until the

    • What about the stinking security people who release vulnerabilities knowing they haven't been fixed yet? Because boohoo they didn't get fixed as fast as they though they should have. I blame them more then i blame the criminals. There is enough blame to go to users but those who do know better are far more responsible for taking advantage of people. Stop blaming users that's a copout
    • Yeah, and isimilarly, people have been dealing with money for thousands of years, but they still let themselves get mugged or burgled. With all that time to have become experts, they have only themselves to blame.
  • Click here to unlock your account [notification.zip].

      I know it's a crime and all, but should we feel sorry for people who get scammed because they're just that gullible? I know plenty of people who are.

    And... when are we going to "fix" the email system to prevent this? It's the same system that was designed when there were 1,000 computers on ARPANET.

    • I agree that there should be an update to the protocol. But you shouldn't blame the victims if they aren't computer-savvy in the least. Some people just don't "get" computers. You and I could probably spot spam and malware at a glance, but if you watch people surf or do things who aren't so knowledgeable about what goes on online, you may be surprised at what they're willing to open. The truth is, inexperienced users open up bad files and links often because they're being deceived by someone who knows who h
    • The problem always is that you have a goal of a mail system where anyone can theoretically send email to anyone, and there are huge advantages to such a system (which is why it has become of the prevalent modes of long-distance communications on the planet). A new protocol is going to have to deal with the same problem and ultimately the solutions will simply be variants on the current solutions, and what's more will have an enormous hill to climb to replace SMTP.

    • when are we going to "fix" the email system to prevent this? It's the same system that was designed when there were 1,000 computers on ARPANET.

      No, it's not, and that's a big part of the problem. You used to only be able to send *text* though email. I can still remember when the idea of "e-mail viruses" was ludricrous--what, were you going to send them source code they'd have to compile and run themselves? Yes, there was uuencode, but that was about as cumbersome as sending source code and it was rarely u

      • Yes, there was uuencode, but that was about as cumbersome as sending source code and it was rarely used in email anyways.

        For fairly large values of "rare", as I recall it. Using uuencode, possibly splitting a tar across several messages (to avoid filters), was common in the 80's because it was much less hassle than setting up an ftp site and sending login details for a one-time exchange. Also, the standard response to spam in the 80's (yes, it actually existed) was to send a few MB of core dump or other random binary in response, because the cretins usually used their own email addresses. That all changed in the 90's, and no

    • It's the same system that was designed when there were 1,000 computers on ARPANET.

      Sometime after that, Netscape decided that HTML would make mail look pretty. The rest is history.

      I remember being on some mailing list when this started. The admins put instructions to disable HTML in the FAQ, and admonished posters who had it enabled. Alas, the windmills won.

      • Mind you, HTML in an email message is in no way more dangerous than plain text; it looks prettier and that's it.
  • by Anonymous Coward

    Capitalism. Gotta love it. Of course, this particular guy is frowned upon because he isn't a megacorporation doing it on much larger scales.

  • If his profits reside in a single account (or many accounts?) all his... Couldn't this be used to potentially track him?
  • Ok, I understand if you comprimise a PayPal account, you could transfer money to another Paypal account and withdraw. And that you can sell the information perhaps... But other than that, how can these people make money from a Botnet? Maybe could apply for credit card with person's info, but that seems slow. The article said what $17,000 a day. And as far as transferring money, seems risky, as someone had to setup the account transferred into.
    • Setup a merchant, possibly in another country, and use those cards on that merchant.
      If you've got those details, transfer via western union, their bank, or similar.

      Beyond that, this does sound like a high number. Though, given how much banking is done online now, if the botnet is setup to sniff their login and password for their bank website, they can use this and the banks website to move whatever money they want.

  • A lot of us are in the wrong business. The world is full of stupid people, and we could simply tell them to hand us money hand over fist.

    • A lot of us are in the wrong business. The world is full of stupid people, and we could simply tell them to hand us money hand over fist.

      If you see nothing morally objectionable in being a con man, go ahead.

  • "...there were a handful of victims in 90 other countries..."


    A handful of victims in 90 countries? What were they victims of, dismemberment?
  • Did anyone else read "Fraudster" and thought it was a new social network?
    • Did anyone else read "Fraudster" and thought it was a new social network?

      I've signed up, it was only a hundred quid for a lifetime's subscription!

      I expect my membership book and badge any time now.

You are always doing something marginal when the boss drops by your desk.

Working...