Fraudsters plan spring strike on U.S. banks


Researchers believe that a fraud scheme to launch malware against customers at 30 U.S. banks is still moving forward, though organizers behind the plot are laying low before they strike next spring.

McAfee released a report Thursday that supports an October warning from RSA that a Russian cyber gang was preparing to infect users with a variant of the Gozi trojan called “Prinimalka.”

The findings from McAfee also disclosed new information about an earlier Gozi Prinimalka campaign, between March and April of this year, when attackers infected at least 500 individuals throughout the United States with the trojan. The company also discovered that the group would be ready to strike as early as next spring. 

Gozi Prinimalka, which enables fraudsters to initiate unauthorized wire transfers by hijacking victims' live banking sessions, has been updated by its developers over the years to carry out the same malicious tricks as the widespread banking trojans Zeus and SpyEye.

Limor Kessem, an intelligence expert at RSA's FraudAction Research Lab, told SCMagazine.com on Thursday that the major difference between Prinimalka, introduced in 2008, and major players like Zeus and SpyEye is that the latter are available commercially on underground markets. Prinimalka is sold privately.

“We have really analyzed and reverse-engineered Gozi since around 2010,” Kessem said. “We saw that it's added a lot of features that we know from Zeus and SpyEye – for instance, man-in-the-browser automated capabilities.”

Ryan Sherstobitoff, threat researcher at McAfee, told SCMagazine.com on Thursday that each malicious binary is encrypted uniquely, which helps the trojan to evade detection.

“You would have to update your anti-virus setting every time to detect it,” Sherstobitoff said. “Any future variant should be detected using behavior-based anti-virus [solutions].”
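The point Sherstobitoff makes, that a binary encrypted uniquely per sample slips past hash or signature matching while behavior-based detection still sees the same actions, can be shown with a small script. The example below is added here for illustration and is not code from the article, from McAfee or from RSA; the "payload" is a harmless constructed byte string, the per-sample encryption is a toy repeating-key XOR standing in for whatever packer the real trojan uses, and the sandbox event traces and the behavioral rule are constructed labels, not captured data.

```python
import hashlib

# Constructed stand-in for a malicious payload: plain text, not real code.
PAYLOAD = b"constructed sample: stage 1, stage 2, stage 3"


def repack(payload: bytes, key: bytes) -> bytes:
    """Toy per-binary encryption (repeating-key XOR). Same logic inside,
    different key, different bytes on disk; stands in for the unique
    encryption of each binary described in the article."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_hit(sample: bytes, known_hashes: set) -> bool:
    """Static, hash-based detection: matches only what has been seen before."""
    return sha256_hex(sample) in known_hashes


# Constructed sandbox-style event traces (assumed labels, not real telemetry):
# two variants doing the same thing, plus a benign updater for contrast.
TRACES = {
    "variant_a": ["process_start", "inject_into:browser",
                  "hook:http_api", "post:unlisted_host"],
    "variant_b": ["process_start", "sleep", "inject_into:browser",
                  "hook:http_api", "post:unlisted_host"],
    "benign_updater": ["process_start", "get:vendor_host",
                       "write_file", "process_exit"],
}

# Behavioral rule: browser injection plus an HTTP hook plus an outbound post
# to an unlisted host, regardless of what the bytes on disk look like.
RULE = {"inject_into:browser", "hook:http_api", "post:unlisted_host"}


def behaviour_hit(trace, rule=RULE) -> bool:
    """Behavior-based detection: every event in the rule appears in the trace."""
    return rule.issubset(trace)


def compare_detection() -> dict:
    """Build a hash signature from the first variant only, then check whether
    hash matching and behavior matching catch a re-encrypted second variant."""
    variant_a = repack(PAYLOAD, b"key-one")
    variant_b = repack(PAYLOAD, b"key-two")
    known = {sha256_hex(variant_a)}  # signature database seeded with sample A
    return {
        "hash_catches_a": hash_signature_hit(variant_a, known),
        "hash_catches_b": hash_signature_hit(variant_b, known),
        "behaviour_catches_a": behaviour_hit(TRACES["variant_a"]),
        "behaviour_catches_b": behaviour_hit(TRACES["variant_b"]),
        "behaviour_flags_benign": behaviour_hit(TRACES["benign_updater"]),
    }


if __name__ == "__main__":
    for name, hit in compare_detection().items():
        print(f"{name}: {hit}")
```

Running it shows the hash signature catching only the sample it was built from, while the behavioral rule fires on both variants and stays quiet on the benign trace. The real-world caveat is the rule itself: behavior matching trades the false negatives of hash lookup for the risk of false positives, so a production rule needs the same tuning against legitimate software that this toy skips.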

Researchers at McAfee believe national and investment banks in the U.S. will be the major targets of the Prinimalka fraudsters, with a small percentage being credit unions. The group will likely continue its previous strategy: strike, then disappear until the next campaign unfolds.

“This could very well be a threat in 2013,” Sherstobitoff said.
