Cybercriminals Plot Massive Banking Trojan Attack

Cybercriminals Plot Massive Banking Trojan Attack
By Jaikumar Vijayan
October 5, 2012 03:49 PM ET

Computerworld – An international gang of cyber crooks is plotting a major campaign to steal money from the online accounts of thousands of consumers at 30 or more major U.S. banks, security firm RSA warned.

In an advisory Thursday, RSA said it has information suggesting the gang plans to unleash a little-known Trojan program to infiltrate computers belonging to U.S. banking customers and to use the hijacked machines to initiate fraudulent wire transfers from their accounts.

If successful, the effort could turn out to be one of the largest organized banking-Trojan operations to date, Mor Ahuvia, cybercrime communications specialist with RSA’s FraudAction team, said today. The gang is now recruiting about 100 botmasters, each of whom would be responsible for carrying out Trojan attacks against U.S. banking customers in return for a share of the loot, she said.

Each botmaster will be backed by an “investor” who will provide money to buy the hardware and software needed for the attacks, Ahuvia said.

“This is the first time we are seeing a financially motivated cyber crime operation being orchestrated at this scale,” Ahivia said. “We have seen DDoS attacks and hacking before. But we have never seen it being organized at this scale.”

RSA’s warning comes at a time when U.S. banks are already on high alert. Over the past two weeks, the online operations of several major banks, including JP Morgan Chase, Bank of America, Citigroup and Wells Fargo were disrupted by what appeared to be coordinated denial-of-service attacks.

A little-known group called “Cyber fighters of Izz ad-din Al qassam” claimed credit for the attacks, but some security experts think a nation may have been behind the campaign because of the scale and organized nature of the attacks.

In mid-September, the Financial Services Information Sharing and Analysis Center (FS-ISAC) warned banks to be on guard against cyberattackers seeking to steal employee network login credentials to conduct extensive wire transfer fraud. Specifically, the alert warned banks to watch out for hackers using spam, phishing emails, Remote Access Trojans and keystroke loggers to try and pry loose bank employee usernames and passwords.

FS-ISAC also noted that the FBI had seen a new trend where cyber criminals use stolen bank employee credentials to transfer hundreds of thousands of dollars from customer accounts to overseas locations.

Over the past few years, cyber crooks have siphoned off millions of dollars from small businesses, school districts and local governments by stealing online usernames and passwords and using those credentials to make the transfers.

The latest discussion suggests that they now have individual consumer accounts in their crosshairs, Ahuvia said, warning that the gang plans to attempt to infiltrate computers in the U.S. with a little known Trojan malware program called Gozi Prinimalka.The malware is an updated version of a much older banking Trojan, Gozi, which was used by cyber criminals to steal millions of dollars from U.S. banks. The group’s plan apparently is to plant the Trojan program on numerous websites and to infect computers when users visit those sites.

The Trojan is triggered when the user of an infected computer types out certain words — such as the name of a specific bank — into a URL string.

Unlike the original Gozi, the new version is capable not only of communicating with a central command-and-control server but also of duplicating the victim’s PC settings. The Trojan essentially supports a virtual machine cloning feature that can duplicate the infected PC’s screen resolutions, cookies, time zone, browser type and version and other settings. That allow the attacker to access a victim’s bank website using a computer that appears to have the infected PC’s real IP address and other settings, Ahuvia said.

“Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website,” she said in her alert.

Victims of fraudulent wire transfers will not immediately know of the theft because the gang plans on using VoIP flooding software to prevent victims from getting bank notifications on their mobile devices, she added.

Consumers need to ensure that their browsers are properly updated to protect against drive by downloads, she said. They also need to watch for any suspicious behavior or transactions on their accounts.

RSA has also notified U.S. law enforcement and its own FraudAction Global Blocking Network about the threat, she said. Banks, meanwhile, should consider implementing stronger authentication procedures and anomaly detection tools for spotting unusual wire transfers.

Oct 8, 2012