A cyber gang thought to be based in Eastern Europe and the former Soviet Union is recruiting dozens of people to participate in a scheme to steal millions of dollars from 30 major U.S. banks, according to RSA.
The organizers are thought to be associated with the Hangup Team, which claims to have used a proprietary Trojan family, called Gozi, to siphon $5 million through online banking accounts since 2008, RSA said Friday.
The gang, believed to have at least a half dozen members, hopes to recruit 100 "botmasters" through the criminal underground and could launch the attack within a couple of months.
"This is the first time we've seen a gang try to orchestrate this large-scale banking-Trojan campaign," said Mor Ahuvia, a cyber crime communications specialist at RSA. She declined to name the targeted banks.
[Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.]
The accomplices would be in charge of managing the compromised PCs of banking customers to steal user IDs and passwords and transfer money to bank accounts set up by the gang. They would also be responsible for launching small denial-of-service attacks on victims' mobile data services to prevent them from seeing messages typically sent from banks to notify customers of a money transfer. In return, the gang is promising a portion of the money they receive.
"It could be a hoax. The gang could want to make a quick profit by signing people up and getting a startup fee," Ahuvia said. "But I personally believe from my experience in looking at the underground...[that] they just want to leverage their Trojan, which they have worked really hard in developing and perfecting."
The gang is promising to train people in the use of the malware, which RSA calls Gozi Prinimalka, which is derived from the Russian word meaning "to receive." To protect the criminals' intellectual property, accomplices would be able to use the Trojan, but won't be given the compiler necessary to build new executable files. Those files would come from the gang as anti-virus vendors discover and block older files.
While the gang is capable of running its own money-stealing botnet, Ahuvia believes it's looking for partners to make the operation harder to stop and to build a much larger and profitable network than the gang could create on its own. The upcoming operation could involve hundreds of thousands of compromised PCs, compared to only 50,000 used in the past by the Hangup Team, she said.
The scheme involves buying space on networks of compromised websites where the Trojan can be downloaded when someone visits the site or clicks on a fake ad, Ahuvia said. Once in a PC, the malware creates two files, an executable and a data file for storing the systems' IP addresses, installed software and other information.
The data would enable the gang's partners to create a replica of the victim's system on a virtual machine. After stealing the person's user ID and password, the scammers can visit a bank site and use the replica to fool the bank into believing the customer is returning.
The gang is looking for each botmaster to have an "investor" who would put up the money for the hardware needed to run the scam, Ahuvia said. That person would then have an interest in ensuring that money went to the gang's accounts in order to get a cut.
Fewer safeguards are in place for accomplices. "As a botmaster, I'd have to trust the gang to get my share," Ahuvia said.
Now that the cybercriminals have pre-announced the bank attack, law enforcement could try to infiltrate the operation. This has been done before. In June, the FBI announced the arrest of more than two-dozen suspects in a two-year international sting operation. The FBI had set up an underground forum and marketplace to attract criminals who bought and sold credit card, debit card and bank account numbers.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.