RSA Warns of New Attacks on Banks Underground Crimeware Campaign Plans 'Substantial' Attack

Fighting the new Trojan aimed at U.S. banks will require multiple measures, says RSA researcher Mor Ahuvia. Gozi Prinimalka is different, and institutions have to be mindful of its characteristics.

Ahuvia, a cybercrime communications specialist for RSA FraudAction, says a new Trojan identified by RSA in early October will pose one of the greatest fraud threats U.S. banking institutions have ever seen.

RSA, in a blog posted Oct. 4, said it had identified 30 U.S. banks that had been targeted by a cybercrime gang believed to be based in Russia. The gang, according to RSA, was setting the stage for a "blitzkrieg-like" series of attacks, which would be launched by 100 botmasters the gang was working to recruit.

This variant of the man-in-the-middle Trojan known as Gozi, which Ahuvia blogged about, will likely be difficult for most institutions to detect, and will require multiple measures to prevent and fight fraud, Ahuvia says.

"Unfortunately, American online banking consumers are a bit more vulnerable because there is no wide use of two-factor authentication," Ahuvia says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].

Gozi Prinimalka

RSA has coined the new Trojan Gozi Prinimalka, because of its similarities to the legacy man-in-the-middle Trojan known as Gozi, Ahuvia says. Like Gozi, Prinimalka provides hackers the ability to manually set up fraudulent wire transfers in real-time. RSA discovered Prinimalka when it uncovered a planned scheme in underground forums that appears to be a "blitzkrieg-like" series of attacks. to be carried out by an estimated 100 botmasters.

To accomplish its mission, the group behind Prinimalka is working to recruit 100 botmasters and provide them access to the new Trojan - an attack tactic that is very unique, practically unheard of, Ahuvia says.

"RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date," Ahuvia writes in her blog.

Link to DDoS?

Despite suggestions that this new Trojan attack could be linked to the denial-of-service attacks recently waged against a handful of leading U.S. banks, Ahuvia says her research suggests otherwise.

"Different sources report different motives behind the DDoS attacks," she says. "Most of them seem to be emanating from the Middle East, but this is really something completely different. This is an announcement that was made by a Russian-speaking gang, and really the financial incentive here is unequivocal. There is no doubt that this gang is out there to make money. There is no ideological scheme here."

During this interview, Ahuvia discusses:

  • What makes this new Gozi variant and the attack described unique;
  • Why and how institutions could be caught off-guard;
  • How institutions can mitigate their risks.

As a cybercrime communications specialist for RSA FraudAction, Ahuvia has been at the forefront of online threats research for more than four years. Keeping customers and the media apprised of the latest in malware, phishing, and the cybercriminal black-market, Ahuvia's blogs for the FraudAction Research Lab have been quoted in numerous publications.

Discovering Prinimalka

TRACY KITTEN: RSA issued a warning Oct. 4 about a new Trojan attack believed to be aimed at 30 U.S. banks. How did RSA discover this alleged attack?

MOR AHUVIA: There was underground chatter that we saw in Russian underground communities. By looking at clues and following the announcements, we were able to link those claims to a Trojan variant we actually saw in the wild and which we handled within the past two years. We saw several incidents of the Trojan, and by having both intelligent sensibilities and Trojan detection and mitigation abilities, we were able to make the connection.

KITTEN: What cybergang or group is suspected of actually being behind this planned attack?

AHUVIA: We cannot know for sure, but we imagine that since it takes anywhere from between three and five people to code a banking Trojan that the gang would probably have to be at least that size. Now the gang also is trying to recruit more botmasters, so it can have a larger financial profit instead of just going after banks by itself. This gang wants to reap a share of the profits, similar to a network-marketing model, and that is why it is looking for 100 botmasters to partake in this Trojan campaign.

The Attack

KITTEN: When is this attack expected to hit?

AHUVIA: We cannot say for sure. This is not something that was explicitly stated in the announcement. The gang is only at the organizational stage right now. It's trying to recruit people. It's trying to recruit people that can be trained to master this Trojan that it has been operating for the past four years. They want to get the critical mass of botmasters so that they have the amount they need to be able to get a prescheduled date and launch the campaign. We're expecting anywhere from between several weeks to maybe two months. Of course, the credibility of fraudsters, in general, is not very high. We don't know if the gang will actually act on the plans in several weeks or a couple of months, but that is what we're currently estimating.

KITTEN: How long does RSA think this attack might last?

AHUVIA: It is difficult, but I can give you several factors that would have an impact on the longevity of the attack. First of all, we're looking at a Trojan that is not very well known. This gang has allegedly been operating it for the past four years, since 2008. It actually claims to have siphoned $5 million from consumers' banking accounts within that time. We know this Trojan exists, and we have been able to handle it and block it at communication sources, so I think there are several factors that will impact on how long it will last.

One is how well antivirus-detection engines will be able to detect the Trojan. This will probably be very difficult. ... So it depends on how well this Trojan will be able to evade detection by antivirus engines, and it really depends, also, on the security vendors' ability to come up with detection that recognizes it as a malicious file, develop a patch, issue a patch, and then you have the banks install it. We don't know how well banks will be able to block and detect this threat. We are looking at man-in-the-middle transfers, and that means that once the victim goes online, botmasters will supposedly be alerted of the fact that the victim is online and will the try to hijack the session and conduct an online wire transfer. So, how well the bank's systems can identify the transfer attempt as being fraudulent will probably also have an impact. ... As long as the bank systems are not able to handle threats, these attacks will probably go on.

Timing of Threat?

KITTEN: The timing of this is interesting, coming on the heels of the fraud alert issued by the FS-ISAC and the FBI about new account-takeover schemes. Do you see institutions taking steps now to mitigate some of these risks?

AHUVIA: First of all, man-in-the-middle attacks involve session hijacking. This methodology is not new. It has actually been out there for the past six years, if not longer. So nothing in the technical methodology here is new. There are products and services worldwide that can protect against this. Unfortunately, American online banking consumers are a bit more vulnerable because there is no wide use of two-factor authentication. If I want to make an online transfer in the U.S., I don't have to put in a one-time password. I don't have to put in token code either, usually. So there are a lot of stages where vendors can act to mitigate threats. There is blocking and there is shut-down, meaning that even if you are infected, we'll be able to shut down the communication point of the Trojan so that you're putting in your online banking account details but the information will not be sent to a fraudster's server. And if we miss that part and you are infected, there is still authentication, as well as transaction monitoring. Prior to authentication, we'll look at your device ID and different parameters to see if it is really you logging in.

There is also transaction monitoring. So, for example, if I am somebody wiring money to somebody I've never wired money to before, that is going to be considered an anomaly and could potentially be blocked.

Link to Gozi

KITTEN: RSA doesn't really know a great deal about this Trojan, but a based on some of the claims made by this group that allegedly developed the Trojan, you have a little background, don't you?

AHUVIA: We do know that it is a derivative of the Gozi Trojan, which is one of the oldest Trojans that has been around, but it seems like the gang for this campaign will be using a variant of the Trojan that is specifically coded to perform man-in-the-middle session hijacking attacks. Just to differentiate, there are fully automated attacks that are called man-in-the-browser and then there is man-in-the-middle, which means that somebody is manually intervening the online banking session in real-time.

What we do know is that it is similar to Gozi. Another kind of interesting characteristic that ties Gozi and Prinimalka is the business model I mentioned. In 2010, we did see this team that privately developed and operated the Gozi Trojan. It employed a similar a business model. It doesn't give out its Trojan, but it gives the infection file and then rents its botnets to different fraudsters. There are a lot of similarities that make us think this is the same gang, or a gang that is closely affiliated with the developers of Gozi. But unlike Gozi, Prinimalka is deployed differently on the infected system. It writes different files to the system. Gozi just installs a single file, whereas Prinimalka will first have infection file that starts on the computer, it will also make a list of all your system, details including all the software you have installed in the computer, and will then send that file to its servers. So, there are similarities, but, nonetheless, we characterized it as a variant of Gozi, not Gozi itself.

KITTEN: What is it that makes this unique?

AHUVIA: We've never seen a gang turn to just random members of underground communities and say, "Come join us in this operation and use our privately developed Trojan." It is very rare for a private gang to involve anyone in their operation. On the other hand, they are very selective and very careful. They will only take on people that they have interviewed and that they have had prior experience with, so that is a very unusual. We have really never seen a gang modeled like this. They are going to keep tight control over the Trojan. Nobody is going to be able to recreate it; they are only going to be giving away infection files. And once that infection file is sampled and blocked and patches are issued for that sample, they will give that file to their botmasters.

KITTEN: Mor, how valid do you think these threats are?

AHUVIA: I think it is serious because it is a man-in-the-middle attack and it is being performed on a large scale.

KITTEN: And do you think that RSA's efforts here to get the word out to the financial industry could in some way curb the attack?

AHUVIA: Definitely. We may have deleted it; we may have redirected the campaign toward other banks; maybe now they want to charge at this bank, and other banks, too, for instance. You know, there is a whole wide range of possibilities.

Connection to DDoS Hits?

KITTEN: Do you think there is any connection with the denial-of-service attacks targeted at leading U.S. institutions recently?

AHUVIA: There is almost certainly no connection whatsoever between the two. Different sources report different motives behind the DDoS attacks that have been online. Most of them seem to be emanating from the Middle East, but this is really something completely different. This is an announcement that was made by a Russian-speaking gang, and really the financial incentive here is unequivocal. There is no doubt that this gang is out there to make money. There is no ideological scheme here. They are looking into targeting American banks and exploit the fact that banks in the U.S. do not use two-factor authentication, as I mentioned. Also, we've seen that the same banks have been targeted by this gang, by the Prinimalka Trojan, for the past two years, so they are familiar with these banks. They know how to cash them out, apparently, or at least they think they do. And I really think there is absolutely no connection between the two.

KITTEN: Can you tell us at all about the 30 financial institutions that have allegedly being named as targets?

AHUVIA: I can say is that they all are high-profile major financial institutions. These are banks with a large number of online-banking consumers.

KITTEN: How will institutions be kept in the loop going forward?

AHUVIA: I can't make any promises, but I do know that we have informed the FBI and the Secret Service of our findings.

Around the Network