As if retailers and merchants didn’t have anything else to worry about, a malware threat called IcedID wants to set itself apart as a special type, says a researcher at IBM Corp.
In a blog post released Wednesday, the researcher says the criminal gangs using IcedID—discovered and named by IBM in 2017—tap into the malware’s ability to launch different attack types. IBM’s recent analysis of IcedID examined how it’s used to target U.S. e-commerce vendors.
“The threat tactic is a two-step injection attack designed to steal access credentials and payment card data from victims,” the post says. “Given that the attack is separately operated, it’s plausible that those behind IcedID are either working on different monetization schemes or renting botnet sections to other criminals, turning it into a cybercrime-as-a-service operation, similar to the Gozi trojan’s business model.” Gozi is a type of financial malware.
Typical targets are banks, payment card providers, mobile-services providers, payroll, Web mail, and e-commerce sites. “In their configuration files, it is evident that IcedID’s operators target business accounts in search of heftier bounties than those typically found in consumer accounts,” IBM says.
“IcedID’s operators are most likely in Eastern Europe,” Limor Kessem, IBM executive security advisor, says in an email to Digital Transactions News. “According to X-Force research of the malware, the operators are believed to be Russian speakers.” X-Force is IBM’s security research service.
The malware can be disguised as a legitimate-appearing Web page, prompting an unaware individual to enter his access credentials and payment data, IBM says. Once entered, the details can be viewed and searched by criminals on a control panel. A device infected with IcedID also would not contact other command-and-control servers, which could otherwise alert defenders to the intrusion.
Protecting against the malware isn’t easy, Kessem says. “Retailers wishing to protect their Web sites against malware like IcedID would have to find a way to block the malware’s Web injections,” she says. “Keep in mind that malware operators continually evolve the injections to ensure that they still work over time, so it is a task that has to be undertaken by experienced anti-malware researchers.”
Criminal gangs experiencing success with IcedID likely will seek ways to target more organizations, she says. “When a malware operator sees success in targeting one brand, they are very likely to attempt to duplicate that success by targeting other ones as well,” Kessem says. “It is likely that IcedID’s operators will target retailers to take over user accounts and use them in fraudulent purchases or as a foothold for additional compromises of the same victim.”