Cybercrime Group Recruits Botnets For Coordinated Attack On 30 U.S. Banks

By Ken Presti, CRN 5:23 PM EST Mon. Oct. 08, 2012

An organized cybercrime group is in the process of recruiting the operators of illegal botnets to participate in a coordinated attack on 30 American banks, according to security vendor RSA.

The attack, which is apparently planned for an undisclosed date this fall, would likely be the largest coordinated cyber attack in history, involving as many as 100 botmasters and their respective botnets.

According to RSA, the group will be leveraging a proprietary Gozi-like Trojan, which RSA calls "Gozi Prinimalka." The word "Prinimalka," which is derived from the Russian word meaning "to receive," appears as a folder name in every URL path to the gang's servers.


It's believed that the group will attempt to steal money via fraudulent wire transfers executed through man-in-the-middle (MiTM) manual session-hijacking exploits.

"They are specifically targeting institutions that do not use multifactor authentication," said Berk Veral, senior product marketing manager at RSA. "They would like to infect users, get control of the machines and use man-in-the-middle types of attacks while they are doing online banking. They want to hijack the accounts and then transfer money to their own mule accounts."

"They will try to simulate the profile of the device that the user is logging in from, including IP address, cookies, time zone, etc.," added Veral. "Then they will use a VM module to create a virtual machine identical to the end-user machine so that the bank will not be able to tell the difference."

A SOCKS proxy would need to be installed on the infected PCs so that the fraudulent sessions appear to originate from the victim's own IP address. VoIP phone-flooding software would likely be used to intercept the confirmation calls issued by the banks.

According to RSA, it appears that the similar Gozi Trojan was used in 2008 to steal approximately $5 million from bank accounts. Based on that observation, the company believes that a group known as the "HangUp Team" may be behind the plot.

The specific targeting of U.S. banks could be a political statement, or it could be related to the fact that most of these financial institutions have not yet adopted multifactor authentication in their customer transactions.

According to well-known security blogger Brian Krebs, RSA's warning may be tied to a Russian hacker who uses the alias "vorVzakone," which Krebs translates to "thief in law," a Russian idiomatic expression referring to an elite organized crime subculture, or sometimes a criminal leader.

"In early September, vorVzakone posted a lengthy message announcing the beginning stages of a campaign he dubbed 'Project Blitzkrieg,'" Krebs writes in a recent blog post. "This was envisioned as a collaborative effort designed to exploit the U.S. banking industry's lack of anti-fraud mechanisms relative to European financial institutions, which generally require two-factor authentication for all wire transfers."


According to the RSA blog post, "In a boot camp-style process, accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims' accounts into mule accounts controlled by the gang. To make sure everyone is working hard, each botmaster will select their own 'investor,' who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits."

RSA says that although Gozi and the Prinimalka variant are very similar, Gozi writes a single DLL file to its bots upon deployment, whereas Prinimalka creates an EXE file and a DAT file, with the DAT file used to support command and control. Significant differences also exist in the registry keys and values.

RSA recommends that banks review their authentication procedures in advance of the intended onslaught. "Our adaptive authentication feature can recognize whether the machine is being used manually or automatically, based on behavior patterns," added RSA's Veral. "It looks into how fast the user logs in, whether they are using the same machine, same time of day, and a number of other parameters. The machine typing in credentials is much faster than most people can keystroke. This is one of the factors that we use."
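To make concrete the kind of behavioral factors Veral describes (how fast credentials are typed, whether the customer's usual machine is in use, time of day), here is an added illustration written for this article. It is not RSA's product or code and does not claim to reproduce how RSA's adaptive authentication works; the threshold `MAX_HUMAN_CPS`, the field names and the sample login events are all constructed for the example.

```python
# Added example: a minimal behavioural login-risk scorer in the spirit of the
# adaptive-authentication factors the article lists (credential-entry speed,
# whether the device matches the customer's history, time of day). This is not
# RSA's product or code; thresholds, field names and sample events are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class LoginEvent:
    user: str
    device_id: str          # assumed: a hash of the browser/device fingerprint
    hour: int               # local hour of day, 0-23
    credential_chars: int   # characters typed into username + password fields
    entry_ms: int           # milliseconds from first keystroke to form submit


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)


# Assumed threshold: sustained credential entry above this many characters per
# second is implausible for a person at a keyboard; scripted form-fill is far faster.
MAX_HUMAN_CPS = 15.0


def build_profile(history: List[LoginEvent]) -> UserProfile:
    """Learn which devices and hours are normal for a user from past logins."""
    profile = UserProfile()
    for ev in history:
        profile.known_devices.add(ev.device_id)
        profile.usual_hours.add(ev.hour)
    return profile


def score_login(ev: LoginEvent, profile: UserProfile) -> Dict[str, object]:
    """Return a risk score (one point per anomalous factor) and the reasons."""
    reasons: List[str] = []

    # Factor 1: were the credentials typed at a human pace? A zero or near-zero
    # entry time means the form was populated programmatically.
    cps = ev.credential_chars / (ev.entry_ms / 1000.0) if ev.entry_ms > 0 else float("inf")
    if cps > MAX_HUMAN_CPS:
        reasons.append(f"credentials entered at {cps:.0f} chars/s (automated fill)")

    # Factor 2: is this a device the user has logged in from before?
    if profile.known_devices and ev.device_id not in profile.known_devices:
        reasons.append("device fingerprint not previously seen for this user")

    # Factor 3: is the login at an hour this user normally logs in?
    if profile.usual_hours and ev.hour not in profile.usual_hours:
        reasons.append(f"login at hour {ev.hour:02d} outside the user's usual hours")

    return {"score": len(reasons), "reasons": reasons}


# Constructed sample data: ordinary past logins for one customer ...
HISTORY = [
    LoginEvent("alice", "dev-A", 9, 24, 4100),
    LoginEvent("alice", "dev-A", 10, 24, 3900),
    LoginEvent("alice", "dev-A", 19, 24, 4400),
]

# ... and three new logins to evaluate: a normal one, a fully anomalous one, and
# one from the right device at the right hour whose credentials were injected.
NEW_LOGINS = [
    LoginEvent("alice", "dev-A", 10, 24, 3800),
    LoginEvent("alice", "dev-B", 3, 24, 120),
    LoginEvent("alice", "dev-A", 10, 24, 150),
]


def run_sample() -> List[Dict[str, object]]:
    """Score the constructed new logins against the profile learned from HISTORY."""
    profile = build_profile(HISTORY)
    return [score_login(ev, profile) for ev in NEW_LOGINS]


if __name__ == "__main__":
    for ev, result in zip(NEW_LOGINS, run_sample()):
        print(f"{ev.user}@{ev.device_id} hour={ev.hour:02d}: "
              f"score={result['score']} {result['reasons']}")
```

The third sample login is the instructive one: the device and the hour match the customer's history, as they would if the fraudster had copied the device profile the way Veral describes, yet the credential-entry speed still flags it. The speed factor only catches automated credential entry, though; an attacker riding an already authenticated session presents no new login at all, which is why the article's point about transaction-level controls such as multifactor authentication on wire transfers still stands.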

Another useful strategy could involve using a dedicated machine for banking and brokerage transactions and employing a separate machine for all other computing uses.

"That's a good idea," added Veral. "When you go online, you don't have any control over the security of the websites that you visit. There is malware that can infect your machine just by visiting the website even without clicking an actual file. These are drive-by attacks. If you had a machine [used] just for banking, that would be a lot better than sharing the machine among all functions."
