Banks Not Prepared for New Trojan

Researchers Say Virus Bypasses Standard Security Measures

By Tracy Kitten, October 24, 2012.

The usual fraud-detection and prevention defenses likely won't be enough to catch and stop a new banking Trojan dubbed Gozi Prinimalka, experts say.


In early October, security vendor RSA discovered this new variant of the legacy man-in-the-middle Trojan known as Gozi (see RSA Warns of New Attacks on Banks).

RSA, in a blog posted Oct. 4, said it had identified 30 U.S. banks that had been targeted by a cybercrime gang believed to be based in Russia. The gang, according to RSA, was setting the stage for a "blitzkrieg-like" series of attacks, which would be launched by 100 botmasters the gang was working to recruit.

Now other security vendors, including Trusteer and Trend Micro, say they, too, have tested this new banking Trojan and confirmed its increased risk for fraudulent wire transfers. According to Trusteer, which recently posted a blog about the issue, typical device identification measures and IP address tracking are useless against it.

As a result, experts say banks and credit unions need to enhance transaction monitoring to catch suspicious wire transfers, ideally in real time, before they're approved. That's because the new Trojan easily bypasses standard authentication. Institutions also should focus on proxy identification and malware detection, and ensure their end-users are consistently updating anti-virus software. And since the Trojan exploits basic authentication methods, institutions also should invest in multifactor authentication.

Prinimalka: More Than Gozi

RSA warned early on that U.S. banking institutions were being targeted because they don't typically require two-factor authentication for wire transfers.

But Amit Klein, Trusteer's chief technology officer, says the Trojan, now known as Gozi Prinimalka, attacks a system in new ways. The format of the attack's HTML injection, the malware's code configuration elements and how the malware's code is injected into the browser on a compromised machine differ from other Trojans, including Gozi, he explains.

Gozi Prinimalka's device-cloning feature and its ability to mimic a user's IP address make it particularly dangerous, Klein states in his blog post.

"This [device-cloning] feature allows fraudsters to create a cloned computer with settings identical to those of the victim's device - including the same device fingerprint," he writes. "It also allows the fraudsters to route/proxy all Web communication from the cloned computer through the victim's device, using the victim's IP address. The net effect is that both device and IP address seem to belong to the genuine user [victim]."

Trend Micro has identified similar risks, says senior threat researcher Ivan Macalintal. He blogged about the new threat, naming 26 banking institutions that had been identified by Trend Micro as targets. Macalintal says configurations contained in the malware's code led researchers to identify the following institutions as targets:

Accurint, American Funds, Ameritrade, Bank of America, CapitalOne, Charles Schwab, Chase, Citibank, eTrade, Fidelity, Fifth Third Bank, HSBC, M&T Bank, Navy Federal Credit Union, PNC, Regions Financial Corp., Scottrade, ShareBuilder, State Employees Credit Union, Suntrust, The Huntington National Bank, United States Automobile Association, USBank, Wachovia, Washington Mutual and Wells Fargo.

RSA researcher Limor Kessem acknowledges specific banks targeted for attack also have been identified by RSA. But she declined to reveal the targets or to confirm the accuracy of Trend Micro's list.

No Attacks Yet

Researchers say all of the banks identified as being at risk have been notified, and law enforcement is involved. No Gozi Prinimalka attacks have yet been logged, according to RSA, Trusteer and Trend Micro.

But Macalintal says past variants of Gozi, and other banking Trojans, have been known to also target social-networking sites, based on configuration files.

Follow Tracy Kitten on Twitter: @FraudBlogger
