An organized cybercrime group is in the process of recruiting the operators of illegal botnets to participate in a coordinated attack on 30 American banks, according to security vendor RSA.
The attack, which is apparently planned for an undisclosed date this fall, would likely be the largest coordinated cyber attack in history, involving as many as 100 botmasters and their respective botnets.
According to RSA, the group will be leveraging a proprietary Gozi-like Trojan, which RSA calls "Gozi Prinimalka." The word "Prinimalka," which is derived from the Russian word meaning "to receive," appears as a folder name in every URL path to the gang's servers.
It's believed that the group will attempt to steal money via fraudulent wire transfers executed through man-in-the-middle (MiTM) manual session-hijacking exploits.
"They are specifically targeting institutions that do not use multifactor authentication," said Berk Veral, senior product marketing manager at RSA. "They would like to infect users, get control of the machines and use man-in-the-middle types of attacks while they are doing online banking. They want to hijack the accounts and then transfer money to their own mule accounts."
"They will try to simulate the profile of the device that the user is logging in from, including IP address, cookies, time zone, etc.," added Veral. "Then they will use a VM module to create a virtual machine identical to the end-user machine so that the bank will not be able to tell the difference."
A SOCKS proxy would need to be installed on the infected PCs so that the attackers' sessions could be routed through the victim's own IP address. VoIP phone-flooding software would likely be used to intercept confirmations issued by the banks.
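The scheme described above relies on two assumptions about the bank's controls: that a session whose device profile (IP address, cookies, time zone) matches the customer's will be trusted without a second factor, and that an out-of-band confirmation can be jammed rather than completed. The following is an added example, not RSA's analysis or any bank's code, of a hypothetical wire-transfer risk check that refuses to treat a matching device fingerprint as authentication and fails closed when the confirmation channel does not complete. The class names, the review threshold and the sample customer data are all constructed for illustration.

```python
"""
Hypothetical wire-transfer risk check (added example, not a real bank's engine).

Key design choice: a device profile that matches the customer's history is never
sufficient on its own to release a wire, because IP address, cookies and time zone
can all be replicated by a session-hijacking Trojan. A verified second factor is
always required, and an out-of-band confirmation that did not complete is treated
as a reason to hold the transfer, not as silent consent.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Constructed threshold: confirmed wires to a brand-new beneficiary at or above
# this amount still go to a human analyst.
REVIEW_THRESHOLD = 10_000.00


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"        # require an out-of-band second factor first
    HOLD = "hold_for_review"   # park the transfer for analyst review


class Confirmation(Enum):
    VERIFIED = "verified"            # customer completed the out-of-band challenge
    NOT_ATTEMPTED = "not_attempted"  # no challenge has been issued yet
    UNREACHABLE = "unreachable"      # call/SMS channel never completed (e.g. line flooded)


@dataclass(frozen=True)
class DeviceProfile:
    """The attributes the article says the attackers intend to clone."""
    ip: str
    cookie_id: str
    timezone: str


@dataclass(frozen=True)
class WireRequest:
    customer_id: str
    amount: float
    beneficiary: str
    device: DeviceProfile
    confirmation: Confirmation = Confirmation.NOT_ATTEMPTED


@dataclass(frozen=True)
class CustomerHistory:
    known_devices: frozenset[DeviceProfile]
    known_beneficiaries: frozenset[str]


def evaluate_wire(req: WireRequest, hist: CustomerHistory) -> tuple[Decision, list[str]]:
    """Return a decision and the reasons behind it (reasons are logged, never hidden)."""
    reasons: list[str] = []
    if req.device not in hist.known_devices:
        reasons.append("unrecognised device profile")
    if req.beneficiary not in hist.known_beneficiaries:
        reasons.append("first transfer to this beneficiary")

    if req.confirmation is Confirmation.VERIFIED:
        # Even with a verified second factor, a large wire to a new payee gets a
        # human look; a familiar device does not lower that bar.
        if "first transfer to this beneficiary" in reasons and req.amount >= REVIEW_THRESHOLD:
            return Decision.HOLD, reasons
        return Decision.ALLOW, reasons

    if req.confirmation is Confirmation.UNREACHABLE:
        # Fail closed: a confirmation that could not be completed is a red flag,
        # consistent with phone-flooding being used to block the callback.
        reasons.append("out-of-band confirmation channel did not complete")
        return Decision.HOLD, reasons

    # Matching fingerprint or not, no wire leaves without a verified second factor.
    reasons.append("no verified second factor")
    return Decision.STEP_UP, reasons


# Constructed sample data for a single customer.
HOME_PC = DeviceProfile(ip="198.51.100.23", cookie_id="c0ffee", timezone="America/Chicago")
HISTORY = CustomerHistory(
    known_devices=frozenset({HOME_PC}),
    known_beneficiaries=frozenset({"ACME Utilities"}),
)


def demo() -> dict[str, tuple[Decision, list[str]]]:
    """Run four representative requests; a cloned profile is identical to HOME_PC."""
    cloned = DeviceProfile(ip=HOME_PC.ip, cookie_id=HOME_PC.cookie_id, timezone=HOME_PC.timezone)
    cases = {
        "familiar_device_no_mfa": WireRequest("cust-1", 2_500.0, "ACME Utilities", HOME_PC),
        "cloned_device_new_payee_line_flooded": WireRequest(
            "cust-1", 48_000.0, "Mule Account 7", cloned, Confirmation.UNREACHABLE),
        "familiar_device_verified_small": WireRequest(
            "cust-1", 2_500.0, "ACME Utilities", HOME_PC, Confirmation.VERIFIED),
        "familiar_device_verified_large_new_payee": WireRequest(
            "cust-1", 48_000.0, "New Supplier", HOME_PC, Confirmation.VERIFIED),
    }
    return {name: evaluate_wire(req, HISTORY) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision.value} {reasons}")
```

The point of the example is the second branch: the cloned profile is indistinguishable from the real device, so nothing in the fingerprint comparison catches it; what stops the transfer is the rule that a wire is released only on a verified second factor, plus treating an uncompleted confirmation as a hold rather than a pass.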
According to RSA, it appears that the similar Gozi Trojan was used in 2008 to steal approximately $5 million from bank accounts. Based on that observation, the company believes that a group known as the "HangUp Team" may be behind the plot.
The specific targeting of U.S. banks could be a political statement, or it could be related to the fact that most of these financial institutions have not yet adopted multifactor authentication in their customer transactions.
According to well-known security blogger Brian Krebs, RSA's warning may be tied to a Russian hacker who uses the alias "vorVzakone," which Krebs translates to "thief in law," a Russian idiomatic expression referring to an elite organized crime subculture, or sometimes a criminal leader.
"In early September, vorVzakone posted a lengthy message announcing the beginning stages of a campaign he dubbed 'Project Blitzkrieg,'" Krebs writes in a recent blog post. "This was envisioned as a collaborative effort designed to exploit the U.S. banking industry's lack of anti-fraud mechanisms relative to European financial institutions, which generally require two-factor authentication for all wire transfers."