The phishing email warns the recipient about a problem with a transaction and provides a link to a site that will supposedly help resolve the issue. Instead, the site serves the Gameover malware. Gameover uses the traditional, configurable ‘man-in-the-browser’ injection technique: because it runs inside the browser, it reads the user’s banking data before it is encrypted for transmission and after the bank’s responses are decrypted, so the TLS session offers no protection. The main difference between the original Zeus and Gameover is that Gameover is controlled through a distributed (peer-to-peer) command-and-control infrastructure rather than a fixed set of servers.
Following the theft from the victim’s bank account, Gameover launches a distributed denial-of-service (DDoS) attack from its botnet against the bank’s servers. This serves two purposes: it draws the bank’s attention away from the fraud and disrupts the bank’s fraud-detection systems.
“The combination of financial fraud and DDoS attack,” comments Amit Klein, CTO of browser protection specialist Trusteer, “is most disturbing indeed, as it cunningly draws attention to the more obvious issue (DDoS), which makes the fraud more easily missed. It raises the bar for defense systems and forces them to react to fraud in real time in order to remain effective.” A system that searches for fraud patterns after the event, he explains, will be subject to the disruptions caused by the DDoS attack and be rendered less effective.
According to the FBI, the stolen money may then be used to finance the purchase of expensive jewelry or watches. The money is wired into the store’s account and the goods are collected by a ‘mule’ (an intermediary employed by the criminals), usually on the day after the fraud.