
The Man Behind the Gozi Trojan Attack: Mastermind or Trap?

A Russian cyber-criminal going by the handle vorVzakone may be behind the plan to launch a series of Trojan attacks against financial institutions, Brian Krebs, the security researcher and reporter behind KrebsOnSecurity, wrote Monday. Krebs identified the supposed mastermind based on a message posted on "exclusive Underweb forums," he wrote.


vorVzakone Behind 'Project Blitzkrieg'?

As SecurityWeek reported last week, RSA researchers uncovered clues that a group of cyber-criminals was recruiting botmasters to join a "blitzkrieg-like" series of Trojan attacks that may target as many as 30 financial institutions. The attackers are planning to use the Gozi Prinimalka Trojan as part of man-in-the-middle manual session hijacking attacks, RSA said.

vorVzakone apparently posted a recruitment post inviting botmasters to join the campaign for an upfront investment of $400, according to a translation of the original post by Krebs. The fee is waived if the botmaster already has servers and bots ready to go. The campaign is purportedly planned for sometime between now and spring of 2013, according to the post.

"A release of the best Trojan [sic] is being prepared. The install of the software will be 'free,'" according to the post.

The big question right now is whether vorVzakone is really the one in charge of the operation or if the post is just a part of an elaborate trap set by Russian law enforcement authorities, Krebs said. For starters, he is being quite public in his activities, "which tends to raise red flags in a community that generally prefers to keep a low profile," Krebs wrote. For example, vorVzakone introduced himself as "Sergey" in a video clip recently posted to YouTube and showed off where he claimed to live.

"This guy's language and demeanor is that of a street-corner drug dealer or a night club bouncer, and not of someone who can comprehend what 'backconnect socks' or GeoIP is," a security expert told Krebs.

RSA's Mor Ahuvia had also noted the incongruity of using Underweb forums to recruit like-minded criminals for a future attack. "Organized crime in the fraudster underground is normally orchestrated within private circles," Ahuvia wrote, calling this particular recruitment tactic "both risky and peculiar considering recent law enforcement operations in the underground leading to extensive fraudster arrests by the FBI."

In response to critics who accused him of being cavalier with his personal safety and anonymity, vorVzakone posted to another underground forum over the weekend, "That if you accurately target customers in the USA while being in Russia then you can fear nothing while living in your country…I am the obvious example of the fact that you can fear nothing in our country, you can live openly and calm."

It's not clear at this point whether vorVzakone is really a cyber-criminal planning to attack US banks, or if he is somehow tied to Russian law enforcement, Krebs said. Either way, banks should be looking at more stringent authentication mechanisms for customers. It's worth remembering that vorVzakone noted that U.S. banks don't use two-factor authentication to verify wire transfers, something most European banks support.

Regardless of vorVzakone's true intentions, banking customers need to be careful about which computers they use for online banking. It goes without saying that all installed software, security programs, and the operating system should be updated regularly.

Many experts recommend using a PC dedicated to online banking and never used for regular Web browsing; others, including Krebs, recommend booting a Live CD to load a temporary, clean system for online banking sessions.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.