How criminals make money from compromised websites
Posted by Maxim Weinstein
A couple of weeks ago, I wrote about a trend of websites being compromised because the webmaster’s computer had a Trojan that was stealing FTP credentials for the site. The folks at Finjan recently released a report detailing the operations of a criminal enterprise, Golden Cash, that uses this approach as an integral part of its operations. From the report (emphasis added):
How does Golden Cash operate?
- A potential victim visits a legitimate compromised website.
- The compromised website contains a malicious Iframe, causing the victim’s browser to pull an exploit code from the attacker website that is armed with the exploit toolkit.
- Upon successful exploitation, a special version of a Trojan, which was especially created for the attacker, is pulled from the Golden Cash server.
- Once installed, the Trojan reports back to its “master”, the Golden Cash server.
- The attacker’s account at Golden Cash is credited with payment for the job done.
- The first instruction sent by Golden Cash to the victim’s machine is to install an FTP grabber to steal FTP credentials.
- The victim’s machine is now in a pool of infected machines controlled by Golden Cash.
- The infected machines are being offered to other cybercriminals using a dedicated website.
- The selling prices depend on the location of the infected machines.
- After purchase, the victim’s machine gets instructions from the buyer to install additional malware on his/her behalf.
- The Trojan on the victim’s machine reports back to Golden Cash on successful installation of the buyer’s malware.
- The buyer’s account is charged by Golden Cash for the service rendered.
- The victim’s machine goes back in the “available for more infections” pool for more purchases.
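The first two steps of that chain start with an iframe injected into a legitimate site, which is the one place a webmaster can look for the problem directly. The script below is an added example, not part of the post or of Finjan's report: it parses a page's HTML and flags iframes that are sized to zero, hidden by CSS, pushed off-screen, or pointed at a host outside the site's own domain. The sample page, the site name `example-shop.test` and the `bad-redirector.invalid` host are constructed for the demonstration; the thresholds are assumptions.

```python
"""Scan a page's HTML for injected, hidden iframes of the kind the report
describes. Added example; the sample page, domain names and thresholds
are constructed and not taken from the post or the report."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example-shop.test"  # assumed: the webmaster's own domain


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag and its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute names arrive lowercased; values may be None
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """'0', '0px', '400' -> int; anything else (e.g. '100%') -> None."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def iframe_findings(attrs, site_host=SITE_HOST):
    """Return the reasons one iframe looks injected (empty list = benign)."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("tiny dimensions")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    if re.search(r"(left|top):-\d{3,}", style):
        reasons.append("positioned off-screen")
    host = urlparse(attrs.get("src", "")).hostname
    if host and host != site_host and not host.endswith("." + site_host):
        reasons.append(f"third-party src {host}")
    return reasons


def scan_html(html, site_host=SITE_HOST):
    """Return (src, findings) for every iframe in the page."""
    parser = IframeCollector()
    parser.feed(html)
    return [(f.get("src", ""), iframe_findings(f, site_host)) for f in parser.iframes]


# Constructed sample page: one legitimate embed plus one injected hidden frame
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://maps.example-shop.test/store" width="400" height="300"></iframe>
<iframe src="http://bad-redirector.invalid/in.php" width="0" height="0"
        style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>"""


def suspicious_iframes(html=SAMPLE_PAGE, site_host=SITE_HOST):
    """Only the iframes that triggered at least one finding."""
    return [(src, r) for src, r in scan_html(html, site_host) if r]


if __name__ == "__main__":
    for src, reasons in suspicious_iframes():
        print(f"SUSPICIOUS iframe src={src!r}: {', '.join(reasons)}")
```

Run it against the HTML your server actually serves (not just the files on disk), since a stolen-credential upload may have touched templates, includes, or .htaccess rather than the page you expect; and treat any finding as a prompt to rotate the FTP credentials and clean the webmaster's machine, since the report makes clear the site is only the delivery point.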
