U.S. banks could be bracing for wave of account takeovers

Security researchers at RSA warned Thursday that a sophisticated plan is being hatched online to raid the bank accounts of customers at some 30 banks in the United States.

Based on an analysis of "underground chatter," researchers have determined that a Russian-speaking cyber gang is preparing to launch a large-scale attack in which fraudsters will infect victims' computers -- mostly belonging to home users -- with a trojan similar to Gozi, enabling the swindlers to initiate unauthorized wire transfers on their behalf by hijacking live banking sessions.

"If the gang's plans do materialize, this campaign could be the largest coordinated attack on American financial institutions to date," Mor Ahuvia, cybercrime communications specialist at RSA's FraudAction Research Labs, wrote in a blog post.

For the operation to come to fruition, however, the masterminds are relying on a number of recruits who will serve as "accomplice botmasters," Ahuvia wrote. Each of these individuals will control a segment of computers infected with the trojan being used, dubbed "Gozi Prinimalka." (The machines initially will be seeded with the trojan via drive-by downloads).

Additionally, the botmasters will be trained in how to deliver instructions to compromised endpoints, as well as how to perform man-in-the-middle bank transfers. They also will be asked to find an "investor" to fund items needed for the campaign, such as laptops and servers.

But these botmasters won't have access to the code of the Gozi Prinimalka trojan.

"At no point in time will accomplice botmasters receive the Gozi Prinimalka compiler," Ahuvia wrote. "This model ensures that accomplice botmasters will be completely dependent on the Gozi Prinimalka gang for receiving new executable files."

According to RSA, the orchestrators are using a number of methods to ensure their plan isn't foiled.

For instance, when the attackers access the targeted bank accounts, it will appear that their IP addresses match the victims' thanks to a "virtual machine-synching module" that will be installed on the botmaster's computer. In addition, the ring will utilize VoIP "phone-flooding" software to prevent victims from receiving possible bank notifications that someone is trying to transfer out large sums of money.

Researchers believe the saboteurs are choosing U.S. banks as targets because most lack two-factor authentication technology that might prevent a hacker from being able to perform a bank account transfer without getting permission from the legitimate account holder in some other way.

It's unclear when the campaign will begin, but participants intend to wipe out as many accounts as they can before their malware gets flagged by anti-virus software, Ahuvia said, adding that the operation is being conducted entirely for financial reasons, not ideological motivators as the recent DDoS attacks on banks were based.

She admitted that the operation could turn out to be "bogus," but she doesn't think this is the case, considering the complexity of the plan and her belief that it would be difficult to thwart the campaign, even if researchers and authorities know about it.

Angela Bell, an FBI spokeswoman, told SCMagazine.com that she was looking into the matter. A policy manger who handles security matters for the American Bankers Association, the largest trade group representing banks, did not immediately respond to a request for comment.

prestitial ad