Security firm RSA says that its threat analysts have picked up “underground chatter” indicating that a sophisticated gang of Russian cyber criminals is laying plans to launch an offensive against 30 US banks. Says RSA: “If the gang’s plans do materialize, this campaign could be the largest coordinated attack on American financial institutions to date.” Here’s the breakdown:
1. This gang has done it before.
The group claims to have stolen $5 million from American bank accounts since 2008. Their methods are complicated, but the results are straightforward: once they have access to a bank account, they siphon off money through wire transfers to overseas accounts. Over the past few years, millions of dollars have been stolen this way, mostly from small businesses, school districts and local governments.
2. American banks are particularly vulnerable targets.
Most American banks require nothing more than a password to access an account. In Europe, by contrast, almost all banks use a much more secure “two-factor authentication” process.
3. The gang has a massive network of infected “zombie” PCs at the ready.
These days, it’s not enough to launch cyber attacks from whatever computers happen to belong to you. Gangs use “botnets” to accomplish their nefarious deeds, whether they are shutting down websites or sending email spam. Botnets consist of up to hundreds of thousands of internet-connected PCs that have been infected with programs allowing complete control over the compromised devices.
4. They’re going to use a variant of software that has worked before.
A trojan is a piece of software that a user might have voluntarily downloaded without realizing what it was. (For example, they might receive a spam email with an attachment that they downloaded and attempted to open, not realizing that it had secretly installed malicious software on their PC.) The Gozi trojan was first described in 2007, and it has the ability to compromise what should be secure, encrypted connections, such as the kind a user’s web browser establishes with a bank’s web site. It’s also been used to steal personal data. This gang is using a variant on Gozi called Gozi Prinimalka, which is “derived from the Russian word meaning ‘to receive,’” says RSA.
5. If it performs as promised, this trojan will do everything from impersonating a user to blocking her phone.
Two qualities distinguish this new piece of malicious software. The first is that it could allow cybercriminals to clone a target system, everything from their screen resolution and time zone to web browser settings, and communicate with the user’s bank as if they were the user themselves. The gang is also planning to use “phone-flooding software” to “prevent victim account holders from receiving the bank’s confirmation call or text message used to verify new or unusual online account transfers,” according to RSA.
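The two capabilities RSA describes are aimed at two separate bank defenses: device cloning defeats a check that the login “looks like” the customer’s usual machine, and phone flooding defeats the out-of-band confirmation call. The example below, added here and not drawn from RSA or from any bank’s actual fraud engine, shows why a defender should neither rely on the device fingerprint alone nor treat an unreachable customer as implicit consent. The device profiles, transfer requests and scoring weights are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed profile of the device and network the customer normally uses.
@dataclass(frozen=True)
class DeviceProfile:
    screen: str
    timezone: str
    user_agent: str
    usual_country: str


# Constructed online transfer request, including the result of the bank's
# confirmation call/text: "confirmed", "declined" or "unreachable".
@dataclass(frozen=True)
class TransferRequest:
    screen: str
    timezone: str
    user_agent: str
    source_country: str
    amount: float
    payee_known: bool
    payee_country: str
    confirmation: str


CONFIRMATION_THRESHOLD = 3  # score at which a transfer needs out-of-band confirmation


def fingerprint_matches(profile: DeviceProfile, req: TransferRequest) -> bool:
    """The check a cloned system is built to pass: it compares only client-reported values."""
    return (profile.screen, profile.timezone, profile.user_agent) == (
        req.screen, req.timezone, req.user_agent)


def score_transfer(profile: DeviceProfile, req: TransferRequest) -> Tuple[int, List[str]]:
    """Risk score from independent signals. Client-reported fingerprint data is only
    one input; network origin and payee novelty are not something the trojan can copy
    from the victim's PC."""
    score, reasons = 0, []
    if not fingerprint_matches(profile, req):
        score += 2
        reasons.append("device fingerprint differs from profile")
    if req.source_country != profile.usual_country:
        score += 2
        reasons.append(f"login from {req.source_country}, usual is {profile.usual_country}")
    if not req.payee_known and req.payee_country != profile.usual_country:
        score += 2
        reasons.append(f"new payee in {req.payee_country}")
    return score, reasons


def decide(profile: DeviceProfile, req: TransferRequest) -> str:
    """Returns 'approve', 'hold' or 'block'. Low-risk transfers go through without a
    call. Risky ones require confirmation, and a confirmation that never reached the
    customer (the phone-flooding case) fails closed: the transfer is held, not sent."""
    score, _ = score_transfer(profile, req)
    if score < CONFIRMATION_THRESHOLD:
        return "approve"
    if req.confirmation == "confirmed":
        return "approve"
    if req.confirmation == "declined":
        return "block"
    return "hold"  # unreachable, timed out, or any unknown outcome


# Constructed sample data: the victim's normal device, then three requests.
ALICE = DeviceProfile("1920x1080", "America/New_York", "Mozilla/5.0 (Windows NT 6.1)", "US")

LEGIT = TransferRequest("1920x1080", "America/New_York", "Mozilla/5.0 (Windows NT 6.1)",
                        "US", 1200.0, True, "US", "confirmed")
# Cloned fingerprint (identical client values) but a foreign source network,
# a brand-new overseas payee and a confirmation call that never got through.
CLONED_FLOODED = TransferRequest("1920x1080", "America/New_York", "Mozilla/5.0 (Windows NT 6.1)",
                                 "RU", 48000.0, False, "LV", "unreachable")
CLONED_DECLINED = TransferRequest("1920x1080", "America/New_York", "Mozilla/5.0 (Windows NT 6.1)",
                                  "RU", 48000.0, False, "LV", "declined")

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("cloned+flooded", CLONED_FLOODED),
                      ("cloned+declined", CLONED_DECLINED)]:
        score, reasons = score_transfer(ALICE, req)
        print(f"{name}: fingerprint_match={fingerprint_matches(ALICE, req)} "
              f"score={score} decision={decide(ALICE, req)} reasons={reasons}")
```

Note that `fingerprint_matches` returns `True` for the cloned request, exactly as the trojan intends; the transfer is still held because the network origin and payee signals push it over the confirmation threshold and the blocked phone is treated as “no answer”, never as “yes”.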
6. Many lesser cybercriminals may be recruited into the scheme as “mules.”
The gang behind this threat has complete control over the malicious software involved, but in order to magnify the impact of the attack (and the profits it nets), gang members are apparently recruiting other cybercriminals who have access to their own networks of infected zombie PCs.
7. Whether or not this heist occurs, the gang’s plans point to the ever-increasing sophistication and professionalization of cyber crime.
Sometimes “underground chatter” is just that. “It’s important to note that cyber criminals often make claims they do not necessarily act upon,” RSA notes. But what’s interesting about this particular threat is that everything described by RSA is well within the realm of plausibility and builds on exploits that have been detected in the past.