Attackers are beginning to host their malicious domains and drive-by download sites on commodity cloud platforms, and most recently researchers have discovered a number of domains on Amazon’s cloud platform that are being used to install malware as part of a spam and phishing campaign designed to steal banking credentials and other sensitive data.
The current attack sites are installing a variety of malicious files on victims’ machines, including a component that acts as a rootkit and attempts to disable installed anti-malware applications. Other components that are downloaded during the attack include one that tries to steal login information from a list of nine banks in Brazil and two other international banks, another that steals digital certificates from eTokens stored on the machine and one that collects unique data about the PC itself, which is used by some banks as part of an authentication routine.
Researchers say the attacks likely originated in Brazil and are specifically targeting users in Brazil. The domains used in this attack have now been removed by Amazon, according to Kaspersky Lab researcher Dmitry Bestuzhev, who discovered the malicious domains.
“As of yesterday (June 6), all malicious links have been taken down by Amazon Web Services and are no longer active. Brazilian cyber criminals intentionally launched the attack on Friday night. They know that usually it takes more time to detect and neutralize threats launched during the weekend. The same technique has been widely used by phishers for a while,” he wrote.
The attacks begin as spam/phishing campaigns in which users are sent spoofed emails with links that take them to one of the malicious domains, exactly the same sort of attack scenario that’s been used in normal phishing campaigns for the better part of a decade now. The only difference is that instead of hosting the malicious site on a bulletproof hosting service or a compromised domain, they’re using domains hosted by Amazon. It’s simply a new twist on an old attack.
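The attack chain above is ordinary phishing with one change: the link target lives on a cloud provider's address space rather than a bulletproof host. A practical triage step is therefore to extract the URLs from a suspect message, resolve each hostname, and check whether the address falls inside a provider's published ranges. The script below is an added example, not code from the article or from Kaspersky Lab; the sample message, the stub DNS table and the CIDR prefixes in it are constructed for illustration, and a real deployment would resolve names live and load the provider's actual prefix list (for AWS, the published ip-ranges.json).

```python
"""Added example (not from the article): triage the links in a phishing
e-mail and flag those whose hosting falls inside commodity-cloud ranges.

Everything below that looks like real data is constructed: the message,
the DNS answers and the address prefixes are stand-ins so the script runs
offline. Production use would resolve hostnames live and load the
provider's published ranges.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in for a cloud provider's published prefixes
# (real AWS prefixes come from https://ip-ranges.amazonaws.com/ip-ranges.json).
CLOUD_RANGES = {
    "aws": [ipaddress.ip_network("203.0.113.0/24"),
            ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed DNS answers so the example needs no network access.
STUB_DNS = {
    "www.bancoexemplo.com.br": "192.0.2.10",      # the bank's own site (made up)
    "atualizacao-banco.example": "203.0.113.45",  # lure site, inside the cloud range
    "cdn.example.net": "198.51.100.200",          # just outside the /25
}

# Good enough for plain-text mail bodies; stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def hosting_provider(hostname, dns=STUB_DNS, ranges=CLOUD_RANGES):
    """Return the provider name if hostname resolves into a known cloud
    range, or None when it does not resolve or lands elsewhere."""
    addr = dns.get(hostname.lower())
    if addr is None:
        return None
    ip = ipaddress.ip_address(addr)
    for provider, nets in ranges.items():
        if any(ip in net for net in nets):
            return provider
    return None


def triage_links(message, dns=STUB_DNS, ranges=CLOUD_RANGES):
    """Extract every URL from a message body and annotate its hosting.

    Returns (url, hostname, provider-or-None) tuples in order of appearance.
    """
    results = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        results.append((url, host, hosting_provider(host, dns, ranges)))
    return results


def cloud_hosted_links(message, dns=STUB_DNS, ranges=CLOUD_RANGES):
    """Only the URLs that land in a cloud range: the ones worth a closer look.
    Cloud hosting alone is not a verdict, so this narrows, not decides."""
    return [url for url, _, prov in triage_links(message, dns, ranges) if prov]


# Constructed sample lure in the style the article describes: a fake
# "security module" update pointing at the attacker-controlled host.
SAMPLE_MESSAGE = """\
Prezado cliente,
Seu acesso sera bloqueado. Atualize o modulo de seguranca em
http://atualizacao-banco.example/modulo/update.exe
Site oficial: https://www.bancoexemplo.com.br/
Imagem: https://cdn.example.net/logo.png
"""

if __name__ == "__main__":
    for url, host, prov in triage_links(SAMPLE_MESSAGE):
        print(f"{prov or 'other':6} {host:28} {url}")
```

The check is keyed on the resolved address rather than on the hostname because the article says the sites were hosted by Amazon, not that they used amazonaws.com names; an attacker on rented cloud capacity can put any registered domain in front of it. Treat a hit as a reason to fetch and inspect the link in a sandbox, not as proof of malice, since plenty of legitimate sites live in the same ranges.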
Attackers have been using compromised legitimate domains as launching pads for drive-by downloads for years, and they will also use hosting providers that actively ignore the presence of malicious domains on their servers. Some of these so-called bulletproof hosting providers will remove malicious domains when notified by researchers, but others will simply ignore those requests.
The advent of commodity cloud computing platforms gives attackers one more venue in which to host their attack domains, but the attacks themselves are quite similar to what users have been seeing for years.