Cybercrime launched a mass credential harvesting process, leveraging an IoT botnet

MalwareMustDie: A cybercrime gang launched a mass worldwide (Italy included) credential harvesting process from major websites leveraging an IoT botnet. The malicious hackers steal info from weak sites, like adult and live-camera sites, then target finance payment portals
Cybercrime launched a mass credential and credit card number harvesting process from major websites all around the world (Italy included), leveraging an IoT botnet. It was discovered by MalwareMustDie (MMD) cyber security experts, who found that the malicious hackers are using an SSH TCP direct forward attack technique. According to an interview by Pierluigi Paganini for Infosec Institute, the goal is to make money with the “Strudels attack”. MMD explained that “the bad actors are exploiting weak sites, which have flaws in their web system, and gather all usernames and passwords, along with the email addresses. Adult websites and live camera sites are a privileged target due to the lack of security. They then also targeted finance payment portal sites like PayPal, but not targeting the front-end security on the website directly.” They use the API URI that allows mobile devices to access these payment sites.
The confirmed Italian victims of the credential harvesting campaign
As for Italy, there are 140 victims of the credential theft campaign, ascertained by MalwareMustDie. Paganini explained that MMD and Odisseus helped him to compile the list and that this includes many mail servers. This was, of course, sent to the police forces of our country and to the “Team Digitale” of the government, which is already working on the case. However, among the entities affected by cybercrime there are Alma Mater Studiorum University of Bologna, Siae, Ansaldo S.p.A. WAN, Telecom Italia S.p.A., University of Milan, FAO (Food and Agriculture Organization), Bankadati Servizi Informatici Soc. Cons. p. A., Intesa Sanpaolo Group Services S.c.p.A., Cedecra Informatica Bancaria SRL, DADAnet Italy, BANCA CARIGE SpA, Italiaonline S.p.A., Tiscali SpA, Fincantieri Cantieri Navali Italiani, Server Plan S.r.l., Banca Popolare di Milano, Telecom Italia and FastWeb.
The cyber security experts: Bad actors exploit the gathered email addresses of these sites to get more financial data of users and see if they can log in with the same passwords. They also try to access social networks and online banking sites to steal further financial data
The cybercrime hackers are “‘pumping’ the gathered email addresses of these sites to get more financial data of users… see if they can be logged in with the same passwords. The process is not stopping here. They continue to hack using specific URLs to access other sites (i.e. game sites like Battlefield, PlayStation, Mojang, etc.) and check if they can log in with the same credentials.” – MalwareMustDie added – “The crooks are going further, attempting to access social network platforms like LinkedIn, Google accounts, Yahoo, Facebook, and many international portals too like Yandex, Rambler, or Mail.RU… at this point they also aim at access to several email addresses to see the data inside (if possible). Lastly, they access some sites of banking and online selling in each specific country, using specific email addresses from that country, to get the credentials that can be used to hack further financial data.”
How the cybercrime group is working
According to MMD cyber security experts, the cybercrime “hackers check the email servers in each related country of the email addresses previously collected, and first they scan where the servers are, then they check whether the email servers have IMAP or POP protocol. For IMAP servers they try to hack with the credentials collected via HTTP attack again; for POP they try to access directly the POP protocol and SMTP protocol in the attempt to get direct access to the mailbox. This happens to the overall email address data collected around the world. This means that we are facing a large-scale operation for mass stealing of credentials; I believe that the main goal is to steal credit card data”.
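A defender-side way to spot this phase of the campaign in a mail server's own logs, as an added example that is not from the article or from MalwareMustDie: it parses Dovecot-style imap-login/pop3-login lines (constructed sample data) and flags the distributed, one-try-per-account pattern that credential reuse from a botnet produces, as opposed to a brute force that hammers one account. The threshold values are assumptions to be tuned to a server's baseline.

```python
import re
from collections import defaultdict

# Constructed sample lines in Dovecot's login-log style (not real log data).
SAMPLE_LOG = """\
Jan 10 10:01:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.it>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Jan 10 10:01:04 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.it>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2
Jan 10 10:01:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<carol@example.it>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2
Jan 10 10:01:07 mx dovecot: imap-login: Login: user=<dave@example.it>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.2, TLS
Jan 10 10:01:08 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<erin@example.it>, method=PLAIN, rip=198.51.100.12, lip=10.0.0.2
Jan 10 10:01:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<frank@example.it>, method=PLAIN, rip=203.0.113.21, lip=10.0.0.2
"""

# Matches successful logins and auth failures for both IMAP and POP3 front ends.
LINE_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: (?P<outcome>Login|Disconnected \(auth failed)"
    r".*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)


def parse_logins(text):
    """Yield (service, failed, user, source_ip) for every login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["svc"], m["outcome"] != "Login", m["user"], m["rip"]


def stuffing_summary(text, min_users=5, min_sources=5):
    """Summarise failed IMAP/POP logins and flag a credential-stuffing pattern:
    many distinct accounts, many distinct source IPs, about one try per account.
    min_users / min_sources are assumed thresholds, not values from the article."""
    users, sources, failures = set(), set(), 0
    by_service = defaultdict(int)
    for svc, failed, user, rip in parse_logins(text):
        if not failed:
            continue  # successful logins are not counted, only failures
        failures += 1
        users.add(user)
        sources.add(rip)
        by_service[svc] += 1
    tries_per_user = failures / len(users) if users else 0.0
    return {
        "failures": failures,
        "distinct_users": len(users),
        "distinct_sources": len(sources),
        "by_service": dict(by_service),
        "tries_per_user": tries_per_user,
        # Brute force shows few users with many tries; stuffing shows the reverse.
        "stuffing_suspected": len(users) >= min_users
        and len(sources) >= min_sources
        and tries_per_user <= 2,
    }
```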
Who are those malicious actors? State-sponsored hackers or cyber criminals?
But who are those malicious hackers? A classic cybercrime gang or a state-sponsored group? MalwareMustDie cyber security experts believe that “this is a large-scale operation; it is the work of professionals. Continuing the investigation on the collector and working on the bad actors database we have collected over the years, we have compared the hacking scheme of this group with the ones of other threat actors. We have found a positive match for a group of crooks, many of whom we thought had been arrested, but the recent harvesting campaign suggests some of them are not. Some members of the gang are still out there. They are selling credit cards on their special website. Realizing that the actors behind these carding websites are the same that launched the harvesting campaign, we contacted law enforcement and provided this information; the police are investigating the case”.