U.S. banks warned of another attack threat

Just as one type of attack against U.S. banks has subsided, the banks are being warned to get ready for another, called "Project Blitzkrieg," aimed at online theft.

The distributed-denial-of-service (DDoS) attacks that briefly disrupted the online services of a half-dozen major financial institutions late last month -- Wells Fargo, U.S. Bancorp, PNC Financial Services Group, Citigroup, Bank of America and JPMorgan Chase -- ended abruptly about two weeks ago, even though the group that claimed credit for them had threatened to continue them.

Izz al-Din al-Qassam Cyber Fighters, the military wing of Hamas, the Islamic party that governs the Gaza Strip, had said in a Pastebin message that the attacks would continue until a trailer of the independent film "Innocence of Muslims," which they said insults the prophet Mohammed, was taken off the Internet.

But now, says a blog post by Mor Ahuvia, cybercrime communication specialist at security firm RSA, another wave of attacks is looming, this one aimed at stealing big money.

"A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign," Ahuvia wrote. "Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date."

RSA said the gang leadership appears to come from Russia, and plans to use a "Gozi-like Trojan" that RSA is calling Gozi Prinimalka. Prinimalka is derived from the Russian word meaning "to receive."

"According to underground chatter, the gang plans to deploy the Trojan in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios," Ahuvia wrote.

"If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two. The spree's longevity, in turn, will depend on how fast banks and their security teams implement countermeasures against the heretofore-secret banking-Trojan," she wrote.

Brian Krebs, who writes the blog KrebsonSecurity, said in a recent post that the RSA analysis "seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets."

But he also said this particular threat could be a hoax -- that there is some suspicion in the cybercrime world that it could be a sting operation by Russian law enforcement, since the announcement has been so public.

Krebs said the threat appears to be coming from a series of posts on Underweb forums by a Russian hacker nicknamed "vorVzakone." His name translates to "thief-in-law," which Krebs said, "in Russia and Eastern Europe refers to an entire subculture of elite criminal gangs that operate beyond the reach of traditional law enforcement. The term is sometimes also used to refer to a single criminal kingpin."

Krebs said vorVzakone called the campaign "Project Blitzkrieg," and according to a translation of one of his messages, said he hopes to recruit 100 botmasters to take advantage of authentication weaknesses in U.S. bank systems before they can improve their protection. The botmasters would have to qualify with an online interview and be trained, and would then get to share in the profits.

In vorVzakone's message, he said: "The development of the system took 4 years of daily work and around $500.000 was spent. Since 2008 by using this product not less than $5m was transferred just by one team."

[In depth: Organized cybercrime revealed]

Jason Healey of the Atlantic Council, a cybercrime expert and former White House security official, said it sounds to him like the group is "trying to be the Russian online equivalent of Ocean's Eleven -- call it Ocean's Odinnadsat' -- or a group that wants to be seen in that light. They can get some cool points, either way."

Most security experts say the financial sector is the best prepared of any in the U.S. to deal with direct attacks. But these attacks will, of course, not be aimed directly at the banks, but at their customers. And vorVzakone also wrote that the operation will flood cyberheist victim phone lines while the victims are being robbed, in an effort to prevent account holders from receiving confirmation calls or text messages from their banks."

In an interview, Brian Krebs said cyber thieves, "almost always target the line of least resistance, and that is the customer. That doesn't excuse the banks from their obligation to be constantly upgrading their defenses against such attacks. There are thousands of financial institutions in the U.S. and many of them are woefully behind in updating their customer-facing security measures."

He noted that banking law does not protect commercial and business customers at the same level as individual customers, and said banks need to do much better at flagging abnormal transaction behavior, such as, "a sudden addition of many new employees to an organization's payroll, particularly if those people are spread all over the country geographically."

"You'd be amazed at how many times a month some bank lets this happen, and with disastrous results," Krebs said.

Still, if vorVzakone and his presumed colleagues are serious about their plan, why broadcast it so blatantly? Is that an indication that the whole thing may be a fraud?

Krebs said there is reason for skepticism, noting in his blog post that vorVzakone even posted a homemade movie on YouTube, in which he. "introduces himself as 'Sergey,' the stocky bald guy in the sunglasses. He also introduces a hacker who needs little introduction in the Russian underground -- a well-known individual who used the nickname 'NSD.'"

Krebs then quotes one Russian expert saying vorVzakone's "language and demeanor is that of street corner drug dealer or a night club bouncer," not someone who can organize and run a sophisticated cyberheist operation.

Krebs himself is not quite as harsh, but said such projects "are announced all the time on the underground, but usually they are in fairly closed, secretive forums. The forums on which this project was announced were moderately secret, but it's fairly unusual for miscreants to create YouTube videos of such projects and to promote them so openly."

Healey said the public bragging is a mistake. "To succeed with a Trojan, you want it to be somewhat secret with few people involved," he said. "The few who are involved should be well known and trustworthy. That is the opposite of what Ocean's Odinnadsat' has done."

He said that and the fact that they are recruiting people who may be unknown to them "makes it more likely that the intel and threat companies, and law enforcement, can get the code beforehand."

Another problem that could undermine the operation is simple organizational weaknesses. "My sense is that such a project would require a decent amount of operational cohesion and security, and cooperation," Krebs said. "From what I've seen of the underground, the more people you involve in a scheme, the more likely it is to fall apart."

But he said whether this threat is real or not, the need for protection is crucial. The best way for customers to avoid theft is to prevent their computer from being infected.

"The trouble is," Krebs said. "It's becoming increasingly difficult to tell when a system is or is not infected. That's why I advocate the use of a Live CD approach to online banking. That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like Gozi, your online banking session is protected."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts