Cybercriminality moves from guerilla to blitzkrieg

The plot has been uncovered by RSA – not so much ‘uncovered’ as pieced together from clues on the underground chat channels. It is an altogether new development. The potential size of the plot is matched only by the apparent brazenness of the attackers, currently recruiting 100 botnets for a co-ordinated criminal campaign. It could almost be a ploy by law enforcement agencies to gather intelligence on botnets – but that is not the impression given by RSA.

“A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign,” announced Mor Ahuvia of RSA FraudAction. RSA links the plans “to a little-known, proprietary Gozi-like Trojan, which RSA has dubbed ‘Gozi Prinimalka’.” ‘Prinimalka’ appears as a folder name in communications between the trojan and the C&C servers. RSA also believes that the plan is being organized by the HangUp Team – or a gang closely affiliated to it.

The step-change comes in the size of the plan. Criminals more usually enlist at most around five botnets for an individual campaign – this campaign is twenty times the norm. What makes it so plausible is that every element of it is achievable. The ‘weapon’ is a man-in-the-browser trojan that is little known, even though it has been successful in the past. Because it is little known and its signature easily changed, it will probably defeat the majority of anti-malware defenses even where victims’ computers have them.

And the target – American banks – is also realistic. Unlike European banks, which tend to be fewer and larger, American banks do not normally use the two-factor user authentication that can defend against man-in-the-browser attacks. In short, American banks are generally more vulnerable to such attacks than European banks. But the gang is also planning a form of DDoS to hide its actions. “Using VoIP phone-flooding software, the gang plans to prevent victim account holders from receiving the bank’s confirmation call or text message used to verify new or unusual online account transfers.”

It’s possible, admits RSA, that by going public with these details the report might persuade the gang to back down – but it does not recommend that banks count on it. “RSA recommends banks review authentication procedures relevant to both online wire transfers and transfers performed over the telephone banking channel,” says the report – which is good advice whether the blitzkrieg materializes or not.