Predator Pain and Limitless: Behind the Fraud

ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason. It has continued to evolve, is very successful in hijacking online banking credentials, and added a variety of features designed to counter various solutions that are supposed to mitigate it. It is estimated that ZBOT has enabled cybercriminals to steal more than $100 million US dollars since its inception.

Zeus was designed to automate most of the information stealing behavior, and was specifically built to steal online baking credentials. However, we are seeing a type of under-the-radar online fraud carried out by simple, off-the-shelf keyloggers like Predator Pain and Limitless that are being used to perform corporate email fraud.

The scale of this fraud is significant – the Commercial Crime Bureau of Hong Kong Police Force estimates this kind of fraud has netted attackers up to $75 million US dollars in the first half of this year, from Hong Kong alone. Consider: this means that cybercriminals in a single city, within six-months, equaled all the losses from ZBOT up to the present.

Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.

This simplicity belies the cunning of the operators behind these keyloggers. Experienced in 419 scams, the operators have the time and determination to target corporations, capture webmail accounts, monitor on-going business transactions, and, when the time is right, hijack the transaction to redirect payments to accounts they control.

The tools these fraudsters use are not advanced. Combined, clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is. A sophisticated, well-designed scam can net its operators significant sums of money, as seen here.

Our paper titled Predator Pain and Limitless: When Cybercrime Turns into Cyberspying discusses our findings about these tools, as well as what we know about the attacks that are being carried out with them.

The following graphs show the distribution of the victims that we observed, both by country and by industry:

Figure 1. Predator Pain/Limitless Victims by Country

Note that the country distribution graph is biased towards Malaysia because one of the actors involved targets South East Asian countries, with a bias towards Malaysia.