Pierluigi Paganini October 09, 2012

In the last weeks we have assisted to a massive DDoS attacks against U.S. financial institutions that demonstrated how much invasive is this type of offensive.

The dimension of the attacks was very impressive considering that it has beaten the defense systems of so large organizations, experts believe it is negligible if compared to the attack that a group of cybercriminals is planning.

According RSA security firm 30 American banks might soon be victims of a devastating attack conducted using a malware spread and controlled by around 100 botmasters.

RSA hasn’t clarified how it is in possession of these information, according to Krebson Security blog it captured a series of post of a Russian hacker “vorVzakone” posted on Underweb forums.

The malware detected by security researchers looks very similar to Gozi trojan and it has been named Gozi Prinimalka since the word “Prinimalka” appears in every URL path utilized by the authors.

The group of cyber criminals, named itself HangUp Team, according the investigation has started a recruiting campaign for botmaster figures. The Gozi trojan has been spread in the past to steal $5 million  from American bank accounts, it belongs to the family of Trojan mainly used for banking frauds as the most famous Zeus. The trojan to allow fraudulent wire transfers implements the classic Man-In-The-Middle (MiTM) attack.

Singular the way that authors of the trojan intend to involve botmasters, they will receive only executable files and will be trained individually in the use of the dangerous trojan.

During the first days of September, vorVzakone announced the beginning of the operation he named “Project Blitzkrieg.” that desire to involve other hackers in a massive attack against U.S. banking sector that appears vulnerable due the lack of anti-fraud mechanisms.

“The two factor authentication is not covered since it’s rare in USA.” wrote vorVzakone, the hacker also added on the malware:

“Successful load rate is increased to 80-90%

Success of the transfers – 99%, unless the bank dials through or the holder logs into the account, if the methodology is followed

The development of the system took 4 years of daily work and around $500.000 was spent

Since 2008 by using this product  not less than $5m was transferred just by one team.

The product has no auto-transfer ability (manual operation only)”

Cybercrime Communications Specialist for RSA FraudAction, Mor Ahuvia, declared:

“In a boot camp-style process, accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims’ accounts into mule accounts controlled by the gang,”

“To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits.”

vorVzakon announced the beginning of his campaign writing:

“The goal – together, en-masse and simultaneously process large amount of the given material before anti-fraud measures are increased,”

Another interesting part of the attack announced by vorVzakone is the flooding of victim’s phone lines while during robbery avoiding the reception of confirmation calls or text messages from their banks, the hacker started discussion threads on different forums posting a video on how flood telephone services.

RSA Security has alerted the financial institutions on the imminent threat and related effects, the hope is that the cyber criminals once realized to have been discovered could change their plan.

According to security experts the American banking is most exposed to this type of attacks due the lack of  proper authentication methods for wire transfers.

What credibility can be given to the story?

Although the threat of similar malware to the banking world is concrete, I think that the the single case is little concrete. The hacker in question has littered the web of his tracks, posting videos in which recognizable face in front of  his car with a license plate prominently displayed. vorVzakone  flaunts safety, probably because attempt to sell his image, recently it seems is selling a service “Insurance from criminal prosecution” to enable those in his country who are prosecuted for computer crime groped to bribe the police … all upon payment of a membership fee to his initiative.

Singular and very strange idea that might really make sense in his context, the reality is sometimes stranger than fiction.

What you have to worry about is the organizational model for the attack, on forums present in the deep web is not uncommon find groups of hackers who exchange information on how to make fraud more or less complex …  is the evolution of crime that seeks to maximize the adoption of the technological tools.

How to protect ourselves?

Common sense, awareness of the threat and the demand to those who manage the services we access to give proper warranty on their security level.

Specifically, I find it absurd that there are gaps so obvious in the process of authentication of some banks.

Pierluigi Paganini