Cyber criminals plan attack on major U.S. banks

A cyber gang thought to be based in Eastern Europe and the former Soviet Union is recruiting dozens of people to participate in a scheme to steal millions of dollars from 30 major U.S. banks, according to RSA.

The organizers are thought to be associated with the Hangup Team, which claims to have used a proprietary Trojan family, called Gozi, to siphon $5 million through online banking accounts since 2008, RSA said Friday.

The gang, believed to have at least a half dozen members, hopes to recruit 100 "botmasters" through the criminal underground and could launch the attack within a couple of months.

"This is the first time we've seen a gang try to orchestrate this large-scale banking-Trojan campaign," said Mor Ahuvia, a cyber crime communications specialist at RSA. She declined to name the targeted banks.


The accomplices would be in charge of managing the compromised PCs of banking customers to steal user IDs and passwords and transfer money to bank accounts set up by the gang. They would also be responsible for launching small denial-of-service attacks on victims' mobile data services to prevent them from seeing messages typically sent from banks to notify customers of a money transfer. In return, the gang is promising a portion of the money they receive.

"It could be a hoax. The gang could want to make a quick profit by signing people up and getting a startup fee," Ahuvia said. "But I personally believe from my experience in looking at the underground...[that] they just want to leverage their Trojan, which they have worked really hard in developing and perfecting."

The gang is promising to train people in the use of the malware, which RSA calls Gozi Prinimalka; the name is derived from the Russian word meaning "to receive." To protect the criminals' intellectual property, accomplices would be able to use the Trojan but would not be given the compiler needed to build new executable files. Those files would come from the gang as anti-virus vendors discover and block the older ones.

While the gang is capable of running its own money-stealing botnet, Ahuvia believes it's looking for partners to make the operation harder to stop and to build a much larger and profitable network than the gang could create on its own. The upcoming operation could involve hundreds of thousands of compromised PCs, compared to only 50,000 used in the past by the Hangup Team, she said.

The scheme involves buying space on networks of compromised websites where the Trojan can be downloaded when someone visits the site or clicks on a fake ad, Ahuvia said. Once on a PC, the malware creates two files: an executable and a data file for storing the system's IP address, installed software and other information.

The data would enable the gang's partners to create a replica of the victim's system on a virtual machine. After stealing the person's user ID and password, the scammers can visit a bank site and use the replica to fool the bank into believing the customer is returning.

The gang is looking for each botmaster to have an "investor" who would put up the money for the hardware needed to run the scam, Ahuvia said. That person would then have an interest in ensuring that money went to the gang's accounts in order to get a cut.

Fewer safeguards are in place for accomplices. "As a botmaster, I'd have to trust the gang to get my share," Ahuvia said.

Now that the cybercriminals have pre-announced the bank attack, law enforcement could try to infiltrate the operation. This has been done before. In June, the FBI announced the arrest of more than two dozen suspects in a two-year international sting operation. The FBI had set up an underground forum and marketplace to attract criminals who bought and sold credit card, debit card and bank account numbers.

Stories by Antone Gonsalves