SecurityWeek

Cybercrime

RSA: Botmasters Wanted for Large-scale Trojan Attacks Against Banks

During a Wave of Trojan Attacks, a Virtual-machine-synching Module Would “Duplicate” Victim PCs and Use a Genuine IP Address When Compromising Accounts…

A gang of cyber thugs has threatened to launch a series of Trojan attacks against at least 30 U.S. banks, according to RSA. Word of what the security firm says could be a “blitzkrieg-like” series of attacks was published by the RSA FraudAction Research Labs on Thursday.


Banks Targeted in Cyberattacks

RSA’s announcement centers on plans discovered online, which call for a Trojan attack spree aimed at 30 financial institutions. The campaign is to be carried out with a little-known Trojan called Gozi Prinimalka, and up to 100 botmasters could be recruited to ensure success. According to underground chatter, RSA said in a blog post, Gozi Prinimalka is to be deployed so that the gang can complete fraudulent wire transfers through manual Man-in-the-Middle (MiTM) session hijacking: the operator rides the victim’s authenticated online banking session rather than logging in with stolen credentials alone.

Previous incidents linked to this Trojan that were investigated by RSA corroborate the gang’s claims, as the malware has been linked to more than $5 million in losses in the U.S. since 2008.

If successful, the full impact of this campaign might not be felt by the targeted banks for a month or so, and how long the attack can be sustained will depend on the reaction time of the individual institutions.

Botmasters who meet the requirements will be trained and entitled to a cut of the money that is eventually stolen from victim accounts.

“To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits,” noted RSA’s Mor Ahuvia in a company blog.

The attack itself, however, has several interesting technical aspects, as the RSA blog explains:

A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website. Using VoIP phone-flooding software, the gang plans to prevent victim account holders from receiving the bank’s confirmation call or text message used to verify new or unusual online account transfers.
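The cloning-and-proxying scheme in the RSA excerpt above, together with the session-hijacked wire transfers described earlier, is easiest to reason about from the bank’s side of the connection. The following is an added illustration, not code from this article, from RSA, or from the malware: a toy authorization check that compares the presenting device against the enrolled one, steps up to an out-of-band confirmation for risky transfers, and then has to decide what to do when the customer cannot be reached. Every attribute, threshold, policy name and sample value is an assumption made for this example.

```python
"""Constructed example (not RSA's code and not the gang's tooling) showing why
cloning the victim's device profile and egressing through a SOCKS proxy on the
victim's PC defeats device/IP recognition, and why an out-of-band confirmation
only helps if the bank fails closed when the customer cannot be reached.
Every attribute, threshold, policy name and sample value here is an assumption
made for this illustration."""
from dataclasses import dataclass, fields, replace
from enum import Enum


@dataclass(frozen=True)
class DeviceProfile:
    """Client-observable attributes a device-recognition check might compare.
    These are the attributes the gang claims its VM-synching module copies;
    source_ip is what the SOCKS proxy on the infected PC supplies."""
    time_zone: str
    screen_resolution: str
    user_agent: str
    device_cookie: str
    product_ids: tuple
    source_ip: str


class OobResult(Enum):
    """Outcome of the bank's confirmation call or SMS."""
    CONFIRMED = "confirmed"
    DECLINED = "declined"
    UNREACHABLE = "unreachable"  # busy line, no answer, SMS not acknowledged


@dataclass(frozen=True)
class Transfer:
    amount: float
    new_beneficiary: bool


def device_mismatches(enrolled: DeviceProfile, presented: DeviceProfile) -> list:
    """Names of attributes that differ between the enrolled device and the one
    presenting the session; an empty list means 'recognised device'."""
    return [f.name for f in fields(DeviceProfile)
            if getattr(enrolled, f.name) != getattr(presented, f.name)]


def needs_oob_confirmation(t: Transfer, threshold: float = 1000.0) -> bool:
    """Assumed policy: step up for a new payee or an amount at/above threshold."""
    return t.new_beneficiary or t.amount >= threshold


def authorize(enrolled: DeviceProfile, presented: DeviceProfile,
              t: Transfer, oob: OobResult, fail_closed: bool) -> str:
    """Return 'approve', 'hold' or 'deny' for one transfer request."""
    if device_mismatches(enrolled, presented):
        return "hold"  # unrecognised device: manual review before anything else
    if not needs_oob_confirmation(t):
        return "approve"
    if oob is OobResult.CONFIRMED:
        return "approve"
    if oob is OobResult.DECLINED:
        return "deny"
    # UNREACHABLE is exactly what the VoIP phone-flooding is meant to produce.
    # A fail-open timeout ("we tried") releases the money; fail-closed holds it.
    return "hold" if fail_closed else "approve"


# --- constructed sample data (assumed values, not real customer data) --------
VICTIM = DeviceProfile(
    time_zone="America/New_York", screen_resolution="1366x768",
    user_agent="Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0",
    device_cookie="dc=7f3a9c1e", product_ids=("PID-EXAMPLE-0001",),
    source_ip="203.0.113.45",
)
# Cloned VM on the botmaster's host, browsing through the SOCKS proxy on the
# victim's infected PC: every attribute, including the IP, matches.
CLONED = replace(VICTIM)
# The botmaster's own machine without the synching module, for contrast.
UNCLONED = DeviceProfile(
    time_zone="Etc/UTC", screen_resolution="1920x1080",
    user_agent="Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0",
    device_cookie="", product_ids=(), source_ip="198.51.100.7",
)
WIRE = Transfer(amount=25_000.0, new_beneficiary=True)


def demo() -> dict:
    """Run the scenarios side by side; returns the decisions for inspection."""
    return {
        "uncloned_session": authorize(VICTIM, UNCLONED, WIRE, OobResult.UNREACHABLE, True),
        "cloned_fail_open": authorize(VICTIM, CLONED, WIRE, OobResult.UNREACHABLE, False),
        "cloned_fail_closed": authorize(VICTIM, CLONED, WIRE, OobResult.UNREACHABLE, True),
        "cloned_customer_declined": authorize(VICTIM, CLONED, WIRE, OobResult.DECLINED, True),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26s} -> {decision}")
```

The point of the comparison: every attribute in `DeviceProfile` is supplied by the client, so a session that copies them and arrives from the victim’s own address is indistinguishable from the victim at this layer. The only check the cloned session cannot satisfy on its own is the one that leaves the channel, and the phone flooding in the RSA excerpt targets exactly that step. Whether it succeeds depends on the `UNREACHABLE` branch: a bank that releases a transfer after a timed-out call is giving the gang what it needs, while a bank that holds it turns the flooding into a delay rather than a payout.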

While RSA notified the banks that were mentioned by name as potential targets, as well as the relevant law enforcement agencies, it did note that the attack might not happen at all.

“…it’s important to note that cyber criminals often make claims they do not necessarily act upon and they, along with other adversaries frequently change their tactics, abandoning unworkable lines of attack and developing new approaches. Security teams should consider the potential urgency and applicability of this intelligence within their specific organization’s threat matrix and risk profile.”

Related: Sophisticated DDoS Toolkit Used in Debilitating Cyber Attacks
