An intricate network of servers operated by Chinese criminals has moved into the void created when the notorious Russian Business Network (RBN) shut down, according to a report from anti-crimeware vendor Finjan.
December's “Malicious Page of the Month” report from Finjan's Malicious Code Research Center (MCRC) notes that the RBN “has suddenly picked up from its St. Petersburg digs and diversified…spreading its activity to new chunks of IP addresses, with RBN-like activity almost immediately appearing on newly registered blocks of Chinese and Taiwanese IP addresses.”
Iftach Amit, director of security for the MCRC, told SCMagazineUS.com that the Chinese group's activity is “an evolution of the Russian Business Network.”
“All of the criminal activity over the internet has financial gain behind it, and if you shut down one part of the system, it's bound to bounce back because of market forces,” he said.
The report also noted that MI5, the United Kingdom's counter-intelligence agency, warned 300 U.K. chief executives and security experts of an increased risk from Chinese hackers following an attack on government servers.
Amit said Chinese cybercriminals scan the internet searching for vulnerable U.S. and European hosts at universities and government offices. The hackers then take advantage of misconfigured or unpatched systems, infecting them with IFRAME code, Amit said. The victim is then redirected to a series of sites containing IFRAMEs, including those belonging to the Chinese network.
Other trojans are then downloaded to the victim's compromised PC and another IFRAME sends personal data, such as banking authentication credentials, to the network of Chinese servers. That information is used for tracking and statistics, as well as online transactions, without user knowledge, said Amit.
“It's very sophisticated,” he said. “They are able to circumvent many of the security measures the banks have taken.”