A few days ago I wrote about a 60 million Euro cyberheist. I have been digging into this a bit more, as it's the most advanced attack yet. Cybercrime is not revolutionary; it clearly builds upon itself in an evolutionary process. Well, malware has now metastasized and moved up into the cloud.
Up to now, malware lived on the PC itself in its entirety. All the code was run locally on the workstation, and it communicated only with the mothership to send stolen data, whether that be keystrokes, files, credit card numbers or any other confidential data.
But now the bad guys have upped the game and rewritten their malware architecture from the ground up. It's almost like they took a page from the antivirus playbook and cut their own bloatware down to a small, lightweight agent (one the bad guys can hide easily), with the real processing being done on a server in the cloud.
Here is how it works. The attack starts off with a phishing email, usually pretending to be from the victim's bank, that socially engineers them into changing their account password, which is not that hard. Next, in early versions, the Zeus or SpyEye trojans would be downloaded to the workstation. No more: now only a tiny bit of malware is put on the workstation, and the actual attack comes from the cloud. Yikes.
When the victim logs into their bank site, the malware uses web-inject code to throw up a page that looks just like the victim's bank web page. But what happens behind the scenes, invisible to the victim, is that the malware server starts transferring money from the victim's account to the criminal's account, with all the work being done on the criminal's cloud server, which usually sits at an Internet Service Provider owned by the criminal network.
And quite a bit of work is being done. The attack takes the login from the PC, redirects it to the server in real time, and does all the transactions in the bank account from there. It can even circumvent two-factor authentication where the victim has a card they need to swipe to get into the account. Double yikes.
The malware on the workstation is relatively small and simple, and it does not need to be updated for the next attack, as the updates can happen on the server side. This makes the attack more agile and scalable. Once that new, lightweight malware agent infects the user's workstation, that machine can be used for a multitude of criminal activities.
Note that all this still begins with a phishing attack, which makes it all the more important that end users urgently get comprehensive Security Awareness Training.