Fraudsters plan spring strike on U.S. banks


Researchers believe that a fraud scheme to launch malware against customers of 30 U.S. banks is still moving forward, though the organizers behind the plot are lying low before they strike next spring.

McAfee released a report Thursday that supports an October warning from RSA that a Russian cyber gang was preparing to infect users with a variant of the Gozi trojan called “Prinimalka.”

The findings from McAfee also disclosed new information about an earlier Gozi Prinimalka campaign, between March and April of this year, when attackers infected at least 500 individuals throughout the United States with the trojan. The company also discovered that the group would be ready to strike as early as next spring. 

Gozi Prinimalka, which lets fraudsters hijack a victim's live online banking session and initiate unauthorized wire transfers from the victim's account, has been updated by its developers over the years to carry out the same malicious tricks as the widespread banking trojans Zeus and SpyEye.

Limor Kessem, an intelligence expert at RSA's FraudAction Research Lab, told SCMagazine.com on Thursday that the major difference between Prinimalka, introduced in 2008, and major players like Zeus and SpyEye, was that the latter are available commercially on underground markets. Prinimalka is sold privately.

“We have really analyzed and reverse-engineered Gozi since around 2010,” Kessem said. “We saw that it's added a lot of features that we know from Zeus and SpyEye – for instance, man-in-the-browser automated capabilities.”

Ryan Sherstobitoff, threat researcher at McAfee, told SCMagazine.com on Thursday that each malicious binary is encrypted uniquely, which helps the trojan to evade detection.

“You would have to update your anti-virus setting every time to detect it,” Sherstobitoff said. “Any future variant should be detected using behavior-based anti-virus [solutions].”
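The evasion Sherstobitoff describes, and why a behaviour-based check survives it, can be shown with a small simulation. This is an added example, not code from McAfee, RSA or the article: a constructed stand-in payload is wrapped in a fresh random XOR key per "sample", so every file hashes differently and a hash signature built from one sample misses the rest, while a check that emulates the unpacking stub and looks for an invariant in the decrypted content catches all of them. The payload bytes, the indicator string and the toy XOR layer are all assumptions made for illustration.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for the trojan's code; a real sample carries far more.
# The indicator is something the encryption layer hides on disk but the running
# code must eventually reveal (a string, an API call sequence, a web inject).
PAYLOAD = b"constructed-sample: hook browser, rewrite wire-transfer form"
INDICATOR = b"rewrite wire-transfer form"
KEY_LEN = 16


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here as a toy per-sample 'encryption' layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Build one 'sample': a fresh random key followed by the XOR-ed payload.
    Every call without an explicit key produces a byte-different file."""
    key = key or os.urandom(KEY_LEN)
    assert len(key) == KEY_LEN, "toy format expects a fixed-length key"
    return key + xor_bytes(payload, key)


def unpack(sample: bytes) -> bytes:
    """What the sample's own stub does at run time: recover the payload."""
    key, body = sample[:KEY_LEN], sample[KEY_LEN:]
    return xor_bytes(body, key)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def static_hash_match(sample: bytes, known_hashes: set) -> bool:
    """Signature-style check: hits only if this exact file was seen before."""
    return sha256_hex(sample) in known_hashes


def behavioural_match(sample: bytes) -> bool:
    """Behaviour-style check: emulate the unpacking stub and look for the
    invariant that the per-sample encryption cannot hide."""
    return INDICATOR in unpack(sample)


def compare(n_samples: int) -> tuple:
    """Generate n freshly packed samples, build a hash signature from the
    first one, and return (static hits, behavioural hits) over all n."""
    samples = [pack(PAYLOAD) for _ in range(n_samples)]
    known_hashes = {sha256_hex(samples[0])}
    static_hits = sum(static_hash_match(s, known_hashes) for s in samples)
    behav_hits = sum(behavioural_match(s) for s in samples)
    return static_hits, behav_hits


if __name__ == "__main__":
    static_hits, behav_hits = compare(10)
    print(f"hash signature caught {static_hits}/10, "
          f"behavioural check caught {behav_hits}/10")
```

The static check only ever catches the one sample whose hash it was built from; the behavioural check catches every sample because the decrypted content is identical. Real polymorphic packers also vary the stub itself, so production detection keys on run-time behaviour (memory writes followed by execution, browser process injection, outbound traffic patterns) rather than on any on-disk bytes.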

Researchers at McAfee believe national and investment banks in the U.S. will be the major targets of the Prinimalka fraudsters, with a small percentage being credit unions. The group will likely continue its previous strategy: strike, then disappear until the next campaign unfolds.

“This could very well be a threat in 2013,” Sherstobitoff said.
