Technical Report: "Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones"
Thursday, December 18. 2008
In the last few months, we analyzed quite a few malware samples that are related to stealing of banking credentials. These keyloggers are used by attackers to harvest sensitive information like credit cards numbers, username/password combinations and similar data from an infected machine. We developed some techniques to automatically find the dropzones, i.e., the server that is used by the bad guys to send the stolen information to. The following picture illustrates the attack process:
The basic idea of our approach is to use honeypots to automatically collect malware samples, perform dynamic analysis with the help of CWSandbox and a user simulation, and use the observed data to find the dropzone in an automated way. Using these techniques, we were able to find more than 300 dropzones and we were also able to fully access more than 70 dropzones. We found stolen information from more than 170,000 victims (33 GB of data) and also analyzed this data: Within the dropzone data, we found more than 10,000 bank accounts with full information, more than 140,000 e-mail passwords for large portals and some other interesting infos.
Today we published a technical report that summarizes our findings.
Abstract: We study an active underground economy that trades stolen digital credentials.We present a method with which it is possible to directly analyze the amount of data harvested through these types of attacks in a highly automated fashion. We exemplify this method by applying it to keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present the first empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. This helps us better understand the nature and size of these quickly emerging underground marketplaces.
The basic idea of our approach is to use honeypots to automatically collect malware samples, perform dynamic analysis with the help of CWSandbox and a user simulation, and use the observed data to find the dropzone in an automated way. Using these techniques, we were able to find more than 300 dropzones and we were also able to fully access more than 70 dropzones. We found stolen information from more than 170,000 victims (33 GB of data) and also analyzed this data: Within the dropzone data, we found more than 10,000 bank accounts with full information, more than 140,000 e-mail passwords for large portals and some other interesting infos.
Today we published a technical report that summarizes our findings.
Abstract: We study an active underground economy that trades stolen digital credentials.We present a method with which it is possible to directly analyze the amount of data harvested through these types of attacks in a highly automated fashion. We exemplify this method by applying it to keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present the first empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. This helps us better understand the nature and size of these quickly emerging underground marketplaces.
