Evidence Indicates that Project Blitzkrieg Would not be a Massive Attack, But Rather a More Selective One Going After Specific Targets…
Security firm McAfee released a report on Thursday confirming that the operators behind a massive cyber-fraud campaign against U.S. financial institutions are still moving forward with their plans.
Referred to as Project Blitzkrieg, the upcoming campaign would be a coordinated Trojan attack against 30 U.S. banks in the spring of 2013, RSA Security warned back in September. RSA researchers had uncovered recruitment messages posted by a person going by the handle vorVzakone on underground forums looking for botnet operators to take part in the campaign.
RSA Security’s warnings were met with initial skepticism in the industry, as some groups thought the messages were part of a sting operation by Russian law enforcement. When vorVzakone ceased posting on the forums, it appeared that Project Blitzkrieg had either been cancelled as a result of the media scrutiny or been a hoax all along.
McAfee Labs analyzed available malware samples and related threat information and found Project Blitzkrieg was a “credible threat,” Ryan Sherstobitoff, a threats researcher at McAfee Labs and primary author of the report, told SecurityWeek.
McAfee’s report merely confirmed RSA’s earlier warnings, Limor Kessem, cybercrime and online fraud communications specialist at RSA Security, told SecurityWeek. “RSA had never thought they would cancel the attacks, but they would go further underground,” Kessem said. The fact that there were no more forum messages meant vorVzakone was being more secretive, not scared off.
In the original recruitment post, vorVzakone had said the attacks would rely on a variant of the Gozi Trojan, malware that has been in active development since 2008. The variant, Gozi Prinimalka, infects personal computers via e-mail messages and intercepts usernames and passwords when users access their online accounts.
Gozi Prinimalka appears to be different from other banking Trojans as the command-and-control server has a “virtual machine syncing module” capable of duplicating the victim’s PC settings, such as the time zone, screen resolution, cookies, browser type, and installed software IDs. The attacker can clone a virtual system using the settings and access the victim’s online account. It will be harder for banks to detect the fraudulent login, since the cloned system will be using the last-known IP address for the victim’s computer.
In the new report, McAfee Labs uncovered small campaigns using Gozi Prinimalka against at least 300 to 500 targets across the United States since April. The campaigns can be considered pilot programs as attackers become familiar with how the Trojan works, RSA’s Kessem said. The botnet operators are being paired up, so these campaigns provide an opportunity for them to work together.
Many of the victims in these initial forays had investment accounts. “It will be interesting to see how the attackers will move money from these accounts, which are certainly targets of high value,” McAfee Labs wrote in the report.
New C&C servers have also popped up in recent months. The servers were originally found in Romania, Russia, and Ukraine, but McAfee Labs has since found new ones in other areas, Sherstobitoff said. The evidence seems to indicate that Project Blitzkrieg would not be a mass attack, but rather a more selective one going after specific targets.
“They will stay under the radar by attacking selected groups,” McAfee Labs wrote, adding that the smaller number of infections would reduce the malware’s footprint and make it harder for defenders to detect. Right now, the campaigns are all being treated as pilots, and have not yet reached critical mass, Sherstobitoff said.
Kessem noted the financial institutions can’t really do anything to block Gozi Prinimalka as the infection is happening on user computers. The users will have to make sure their antivirus software is always up-to-date, and it will be up to the AV vendors to promptly release signatures for Gozi variants as soon as they are detected. Even though Project Blitzkrieg is not expected to be a mass attack, Kessem said the fact that defenders are expecting attacks within a specific time period, and the increase in the volume of attacks, would help make it more visible and easier to detect.
Banks will have to step up their fraud-detection capabilities to try to recognize patterns and identify when a transaction may be initiated by Gozi Prinimalka and not the user, Kessem said.
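An added illustration, not part of the article or of McAfee’s or RSA’s work, of why the cloned-profile technique described above defeats a device-fingerprint check on its own and what the transaction-pattern checks Kessem calls for add on top of it; all field names, customer data and thresholds below are constructed assumptions.

```python
from dataclasses import dataclass

# Attributes the article says the syncing module duplicates, plus the last-known IP.
FINGERPRINT_FIELDS = ("time_zone", "screen_resolution", "cookies",
                      "browser_type", "installed_software_ids", "ip")

@dataclass
class Session:
    profile: dict      # fingerprint attributes observed at login
    payee: str
    amount: float

@dataclass
class CustomerHistory:
    last_profile: dict       # fingerprint recorded at the previous genuine login
    known_payees: frozenset
    typical_max_amount: float

def fingerprint_matches(session, history):
    """Naive device check: every tracked attribute equals the last recorded value."""
    return all(session.profile.get(f) == history.last_profile.get(f)
               for f in FINGERPRINT_FIELDS)

def transaction_risk(session, history):
    """Signals a cloned PC profile does not carry: who is paid and how much."""
    reasons = []
    if session.payee not in history.known_payees:
        reasons.append("payee never used by this customer")
    if session.amount > history.typical_max_amount:
        reasons.append("amount above the customer's typical maximum")
    return reasons

def assess(session, history):
    """Combine device and transaction checks; returns (decision, reasons)."""
    reasons = []
    if not fingerprint_matches(session, history):
        reasons.append("device fingerprint differs from last login")
    reasons += transaction_risk(session, history)
    return ("review" if reasons else "allow", reasons)

# Constructed sample data (hypothetical values, not from the report).
VICTIM_PROFILE = {"time_zone": "America/New_York", "screen_resolution": "1366x768",
                  "cookies": "sess=abc123", "browser_type": "IE9",
                  "installed_software_ids": "office,adobe", "ip": "203.0.113.7"}
HISTORY = CustomerHistory(last_profile=VICTIM_PROFILE,
                          known_payees=frozenset({"landlord", "electric utility"}),
                          typical_max_amount=1500.0)
# Genuine login from the victim's own PC making a routine payment.
GENUINE = Session(profile=dict(VICTIM_PROFILE), payee="landlord", amount=1200.0)
# Login from a VM cloned from the victim's settings: fingerprint and IP are identical.
CLONED = Session(profile=dict(VICTIM_PROFILE), payee="unfamiliar account", amount=9800.0)
```

The cloned session passes `fingerprint_matches` exactly as the genuine one does; only the transaction-level signals push it to review.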
Neither Kessem nor Sherstobitoff was able to narrow the timeframe of the attack beyond “spring of 2013.” There was also no indication of which institutions may be particularly vulnerable to these attacks.
But some bank security experts believe that vendor reports on Project Blitzkrieg border on FUD.
“The Trojan capabilities are nothing new,” a source at a large global bank told SecurityWeek. “It’s more about having to answer questions from senior management.”
“The only thing new is an actor has moxie to make a claim in an underground forum. It could be interpreted as the actor is just looking for attention in the underground.”