A cybergang based in Eastern Europe recently announced plans to launch a Trojan attack on 30 American banks this fall.
The attack is part of a large-scale orchestrated crimeware campaign and will be carried out by approximately 100 botmasters the group will recruit, according to RSA, the security division at EMC Corp.
"If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two. The spree’s longevity, in turn, will depend on how fast banks and their security teams implement countermeasures against the heretofore-secret banking-Trojan," wrote Mor Ahuvia, cybercrime communications specialist for RSA, in a blog post.
Bedford, Mass.-based RSA believes the gang will use a variant of the Gozi Trojan in the attack. The security firm has named this particular variant "Gozi Prinimalka," from the Russian word meaning "to receive," an allusion to the Trojan's drop point. According to RSA, the Trojan is the final step in completing fraudulent wire transfers through man-in-the-middle, manually driven session-hijacking scenarios.
The Gozi Trojan was first detected in 2006 and is sold to cybercriminals as a service. It harvests data from SSL-protected sessions and has spread through browser exploits, which lets its operators hijack financial transactions and steal sensitive account data.
The Gozi connection suggests that the group behind the scheme may be the Russian-based HangUp Team, or a group closely affiliated with it.
According to RSA, the gang claims Anti-American motives in its choice of targets, but the decision may have also been made based on convenience and prior experience.
"Another attractive element for the attackers appears to be the slim deployment of two-factor authentication (2FA) for private banking consumers in the US, unlike many European banks that generally require all consumers to use 2FA for wire transfers," Ahuvia said.
The gang is looking for partners for the project who will go through what Ahuvia calls a boot-camp style process of selection and training for the attack. Each accomplice will have a claim to a portion of the profits siphoned from victims' accounts.
Features of the campaign include a virtual-machine-synching module installed on the botmaster's machine. The synching module duplicates settings from each victim's machine, including time zone, screen resolution, cookies, browser type and version, and software product IDs, so that the botmaster's cloned virtual machine presents the same device fingerprint as the victim's PC.
"Impersonated victims' accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank's website," Ahuvia said.
Bank notifications seeking to verify new or unusual online account transfers will be suppressed using phone-flooding services, which tie up the victim's phone lines so that call-back or SMS verification cannot reach the account holder.
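The three steps above (clone the victim's device fingerprint, surface from the victim's own IP address via the SOCKS proxy, and jam the phone channel used for confirmation) together defeat a defence that trusts "known device, known IP". The following is an added example, not code from RSA or from the article, that models a bank-side transfer decision against a constructed cloned session. The user name, the enrolled profile, the threshold and the `phone_verify` outcomes are all assumptions made for illustration. It shows that a device-fingerprint check alone passes the cloned session, and that an out-of-band verification whose call cannot complete must be treated as a denial rather than as consent:

```python
from dataclasses import dataclass
from typing import Callable

# Assumed wire threshold above which out-of-band confirmation is required.
WIRE_THRESHOLD = 1000.0


@dataclass(frozen=True)
class DeviceProfile:
    """The attributes RSA says the synching module copies from the victim's PC."""
    timezone: str
    screen: str
    user_agent: str
    ip: str  # the SOCKS proxy on the infected PC makes this the victim's own IP


@dataclass
class TransferRequest:
    device: DeviceProfile
    has_2fa: bool          # a second factor presented in this session?
    amount: float
    new_payee: bool


# Constructed sample data: one enrolled customer and the profile the bank saw
# at enrolment time (hypothetical values, not real data).
ENROLLED = {
    "alice": DeviceProfile(
        timezone="America/New_York",
        screen="1920x1080",
        user_agent="Mozilla/5.0 (Windows NT 6.1) Example/1.0",
        ip="203.0.113.7",
    )
}


def device_matches(user: str, device: DeviceProfile) -> bool:
    """Device-recognition check. A cloned VM behind the victim's SOCKS
    proxy matches on every field, so this check cannot distinguish
    the botmaster from the genuine customer."""
    return ENROLLED.get(user) == device


def decide_transfer(user: str, req: TransferRequest,
                    phone_verify: Callable[[], str]) -> str:
    """Return 'allow', 'deny' or 'step_up'.

    phone_verify is the out-of-band confirmation call; it returns
    'confirmed', 'rejected' or 'unreachable'. Phone flooding produces
    'unreachable', which is deliberately handled as a denial (fail closed).
    """
    if not device_matches(user, req.device):
        return "step_up"  # unknown device: re-authenticate before anything else

    risky = req.new_payee or req.amount >= WIRE_THRESHOLD
    if not risky:
        return "allow"

    # Device match is NOT authentication for a wire: require a second factor.
    if req.has_2fa:
        return "allow"

    outcome = phone_verify()
    if outcome == "confirmed":
        return "allow"
    # 'rejected' or 'unreachable' (flooded line) both block the transfer.
    return "deny"


def cloned_session() -> TransferRequest:
    """A request whose fingerprint and IP are identical to the enrolled
    profile, as the synching module and SOCKS proxy would produce."""
    return TransferRequest(device=ENROLLED["alice"], has_2fa=False,
                           amount=5000.0, new_payee=True)


if __name__ == "__main__":
    print(device_matches("alice", cloned_session().device))        # True
    print(decide_transfer("alice", cloned_session(), lambda: "unreachable"))  # deny
    print(decide_transfer("alice", cloned_session(), lambda: "confirmed"))    # allow
```

The point of the example is the last branch: a bank that treats an unanswered confirmation call as implicit approval, or that skips the call when the device is recognised, is exactly what the phone-flooding step is designed to exploit.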
The investigation into this threat is ongoing, and RSA did not name specific banks that might be in danger of an attack.
"RSA recommends banks review authentication procedures relevant to both online wire transfers and transfers performed over the telephone banking channel," Ahuvia said.