So far, this blog has established that a group of cyber operators breaks into home and office routers and installs software on them. I will give one example of what comes next.
One of the programs installed on the routers turns each router into a proxy: a service that relays network traffic so that the destination sees the router's address rather than the true origin, disguising the original source of the traffic.
The QuantumFilament operators, or one of their customers using QuantumFilament’s network of hacked routers, tried to log into a financial service 16,991 times. The 16,991 attempted logins used 16,971 unique user IDs. The success rate was about 1.33% (226 successes out of 16,991 attempts).
| Status  | Count  |
|---------|--------|
| DENIED  | 14,712 |
| UNKNOWN | 2,033  |
| SUCCESS | 226    |
I have contacted the financial service offering to share my information about the hacked accounts.
The financial service has an Apple iOS mobile app, and the evidence indicates the QuantumFilament hackers or customers are using the same internal API calls as the iOS mobile app to try to log into the financial service accounts. When the hacker’s program tries to log into the financial service, it sends along information about an Apple iOS device. Most likely, the programmer who built the alternative login app copied the template of the real financial service app running on a real Apple iOS device. Here is some of the information sent by the hacker’s login app, common to all 16,991 login requests.
| Information      | Value              |
|------------------|--------------------|
| Device           | Apple iPhone       |
| Operating system | Jailbreak iOS 9.1  |
| Language setting | ru (Russian)       |
| Country          | ru (Russia)        |
| Time zone        | Europe/Moscow      |
| Wifi network     | ZHK_SU             |
| iPhone name      | ZHK                |
| LAN IP address   | 192.168.0.102      |
| Proxy IP         | 192.168.0.107      |
| Proxy port       | 8888               |
The original programmer who reverse engineered the internal API of the financial service likely copied the submission values from the legitimate Apple iOS app, and this iOS app was probably running on a jailbroken iPhone, located in Russia, in the Moscow time zone.
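As an added example (not part of the original post), here is detection logic for the pattern described above: one fixed device fingerprint recurring across many login attempts for different user IDs from many source addresses. The log format and field names are assumptions about what a mobile API gateway might emit, and the sample lines are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample log: one JSON object per login attempt (schema is an assumption).
SAMPLE_LOG = """
{"user": "alice", "status": "DENIED", "src_ip": "203.0.113.10", "device": "Apple iPhone", "os": "Jailbreak iOS 9.1", "lang": "ru", "tz": "Europe/Moscow", "wifi": "ZHK_SU", "name": "ZHK"}
{"user": "bob", "status": "DENIED", "src_ip": "198.51.100.7", "device": "Apple iPhone", "os": "Jailbreak iOS 9.1", "lang": "ru", "tz": "Europe/Moscow", "wifi": "ZHK_SU", "name": "ZHK"}
{"user": "carol", "status": "SUCCESS", "src_ip": "192.0.2.44", "device": "Apple iPhone", "os": "Jailbreak iOS 9.1", "lang": "ru", "tz": "Europe/Moscow", "wifi": "ZHK_SU", "name": "ZHK"}
{"user": "dave", "status": "UNKNOWN", "src_ip": "203.0.113.99", "device": "Apple iPhone", "os": "Jailbreak iOS 9.1", "lang": "ru", "tz": "Europe/Moscow", "wifi": "ZHK_SU", "name": "ZHK"}
{"user": "erin", "status": "SUCCESS", "src_ip": "198.51.100.200", "device": "Apple iPhone", "os": "iOS 12.1", "lang": "en", "tz": "America/New_York", "wifi": "HomeNet", "name": "Erin's iPhone"}
{"user": "erin", "status": "SUCCESS", "src_ip": "198.51.100.200", "device": "Apple iPhone", "os": "iOS 12.1", "lang": "en", "tz": "America/New_York", "wifi": "HomeNet", "name": "Erin's iPhone"}
"""

# Device metadata that varies between real users but was constant across all attacker requests.
FINGERPRINT_FIELDS = ("device", "os", "lang", "tz", "wifi", "name")

def parse_log(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def fingerprint(rec):
    """Tuple of the device fields, used as the grouping key."""
    return tuple(rec.get(f) for f in FINGERPRINT_FIELDS)

def summarize(records):
    """Per fingerprint: attempts, distinct user IDs, distinct source IPs, status counts."""
    groups = defaultdict(list)
    for rec in records:
        groups[fingerprint(rec)].append(rec)
    return {fp: {"attempts": len(recs),
                 "unique_users": len({r["user"] for r in recs}),
                 "unique_ips": len({r["src_ip"] for r in recs}),
                 "statuses": dict(Counter(r["status"] for r in recs)),
                 "success_rate": sum(r["status"] == "SUCCESS" for r in recs) / len(recs)}
            for fp, recs in groups.items()}

def flag_stuffing(summary, min_attempts=3, min_user_ratio=0.9):
    """Flag fingerprints where nearly every attempt names a different user ID:
    one 'device' trying many accounts is the credential-stuffing pattern, and many
    source IPs behind the same fingerprint points at a proxy network, not one phone."""
    return [fp for fp, s in summary.items()
            if s["attempts"] >= min_attempts
            and s["unique_users"] / s["attempts"] >= min_user_ratio]

if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for fp in flag_stuffing(summary):
        print("suspicious fingerprint:", fp, summary[fp])
```

On real traffic the same grouping gives the DENIED/UNKNOWN/SUCCESS breakdown shown in the table above, and the distinct-IP count per fingerprint is what separates a proxied campaign from a single misbehaving client.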