Fraudsters plan spring strike on U.S. banks

Researchers believe that a fraud scheme to launch malware against customers at 30 U.S. banks is still moving forward, though the organizers behind the plot are lying low before they strike next spring.

McAfee released a report Thursday that supports an October warning from RSA that a Russian cyber gang was preparing to infect users with a variant of the Gozi trojan called “Prinimalka.”

The findings from McAfee also disclosed new information about an earlier Gozi Prinimalka campaign, between March and April of this year, when attackers infected at least 500 individuals throughout the United States with the trojan. The company also discovered that the group would be ready to strike as early as next spring. 

Gozi Prinimalka, which enables fraudsters to initiate unauthorized wire transfers on their behalf by hijacking live banking sessions, has been updated by developers over the years to carry out the same malicious tricks as widespread banking trojans Zeus and SpyEye.

Limor Kessem, an intelligence expert at RSA's FraudAction Research Lab, told SCMagazine.com on Thursday that the major difference between Prinimalka, introduced in 2008, and major players like Zeus and SpyEye is that the latter are available commercially on underground markets. Prinimalka is sold privately.

“We have really analyzed and reverse-engineered Gozi since around 2010,” Kessem said. “We saw that it's added a lot of features that we know from Zeus and SpyEye – for instance, man-in-the-browser automated capabilities.”

Ryan Sherstobitoff, threat researcher at McAfee, told SCMagazine.com on Thursday that each malicious binary is encrypted uniquely, which helps the trojan to evade detection.

“You would have to update your anti-virus setting every time to detect it,” Sherstobitoff said. “Any future variant should be detected using behavior-based anti-virus [solutions].”

Researchers at McAfee believe national and investment banks in the U.S. will be the major targets of Prinimalka fraudsters, with a small percentage being credit unions. The group will likely continue its previous strategy: strike, then disappear until its next campaign unfolds.

“This could very well be a threat in 2013,” Sherstobitoff said.
