During a Wave of Trojan Attacks, a Virtual-machine-synching Module Would "Duplicate" Victim PCs and Use a Genuine IP Address When Compromising Accounts...
A gang of cyber thugs has threatened to launch a series of Trojan attacks against at least 30 U.S. banks, according to RSA. Word of what the security firm is saying could be a "blitzkrieg-like" series of attacks was published by the RSA FraudAction Research Labs on Thursday.
RSA’s announcement centers on the communicated plans discovered online, which call for a Trojan attack spree aimed at 30 financial institutions. The campaign is to be carried out with a little-known Trojan called Gozi Prinimalka, and up to 100 botmasters could be included in order to assure success. According to underground chatter, RSA said in a blog post, Gozi Prinimalka is to be deployed so that the gang can complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios.
Previous incidents linked to this Trojan that were investigated by RSA corroborate the gang’s claims, as the malware has been linked to more than $5 million in losses in the U.S. since 2008.
If successful, the full impact of this campaign might not be felt by the targeted banks for a month or so, and the sustainability of the attack itself will depend on the reaction time by the individual institutions.
Botmasters who meet the requirements will be trained and entitled to a cut of the money that is eventually stolen from victim accounts.
“To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits,” noted RSA’s Mor Ahuvia in a company blog.
The attack itself however, has several interesting technical aspects, as the RSA blog explains:
A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website. Using VoIP phone-flooding software, the gang plans to prevent victim account holders from receiving the bank’s confirmation call or text message used to verify new or unusual online account transfers.
While RSA notified the banks that were mentioned by name as potential targets, as well as the relevant law enforcement agencies, they did note that the attack might not happen at all.
“...it’s important to note that cyber criminals often make claims they do not necessarily act upon and they, along with other adversaries frequently change their tactics, abandoning unworkable lines of attack and developing new approaches. Security teams should consider the potential urgency and applicability of this intelligence within their specific organization’s threat matrix and risk profile.”