Security researchers at RSA warned Thursday that a sophisticated plan is being hatched online to raid the bank accounts of customers at some 30 banks in the United States.
Based on an analysis of "underground chatter," researchers have determined that a Russian-speaking cyber gang is preparing to launch a large-scale attack in which fraudsters will infect victims' computers -- mostly belonging to home users -- with a trojan similar to Gozi, enabling the swindlers to initiate unauthorized wire transfers on their behalf by hijacking live banking sessions.
"If the gang's plans do materialize, this campaign could be the largest coordinated attack on American financial institutions to date," Mor Ahuvia, cybercrime communications specialist at RSA's FraudAction Research Labs, wrote in a blog post.
For the operation to come to fruition, however, the masterminds are relying on a number of recruits who will serve as "accomplice botmasters," Ahuvia wrote. Each of these individuals will control a segment of computers infected with the trojan being used, dubbed "Gozi Prinimalka." (The machines initially will be seeded with the trojan via drive-by downloads).
Additionally, the botmasters will be trained in how to deliver instructions to compromised endpoints, as well as how to perform man-in-the-middle bank transfers. They also will be asked to find an "investor" to fund items needed for the campaign, such as laptops and servers.
But these botmasters won't have access to the code of the Gozi Prinimalka trojan.
"At no point in time will accomplice botmasters receive the Gozi Prinimalka compiler," Ahuvia wrote. "This model ensures that accomplice botmasters will be completely dependent on the Gozi Prinimalka gang for receiving new executable files."
According to RSA, the orchestrators are using a number of methods to ensure their plan isn't foiled.