A group of cyber criminals has pledged to launch a “Trojan attack spree” on US banks this autumn, security firm RSA has warned.
A cyber army of 100 botmasters will be running the attack, which will amount to “the most substantial organized banking-Trojan operation” ever, according to RSA.
However, by advertising the campaign across hacker forums and being spotted by a major security firm, the cyber criminals may have shot themselves in the foot.
“According to underground chatter, the gang plans to deploy the Trojan in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios,” said Mor Ahuvia, cyber crime communications specialist at RSA, in a blog post.
“Previous incidents involving this Trojan, handled by RSA and other information security vendors, appear to corroborate the gang’s claims that since 2008 their Trojan has been at the source of siphoning $5 million from American bank accounts.
“Gozi Prinimalka’s similarity to the Gozi Trojan, both in technical terms and its operational aspects, suggests that the HangUp Team – a group that was previously known to launch Gozi infection campaigns – or a group closely affiliated with it, may be the troupe behind this ambitious scheme.”
Ahuvia said the gang was most likely targeting American institutions because many of them lack two-factor authentication; where a second factor is in place, the kind of MiTM session hijacking planned here is considerably harder to pull off.
According to the group’s messages, they have been holding boot-camps, similar to X Factor-style talent competitions, to determine which botmasters can take part. Those who get through the approval process will receive a share of the proceeds from the hits.
The attacks will have some notably advanced technical features that could help them avoid detection.
“A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs,” said Ahuvia.
“Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website,” he added.
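To make concrete why the cloning described above matters to a bank’s fraud team, the following is an added example (not RSA’s code, and not anything from the gang) that models the scenario in plain Python. The botmaster’s cloned VM copies the victim’s fingerprint fields and, because it exits through a SOCKS proxy on the victim’s PC, presents the victim’s own IP address, so a device/IP anomaly check sees nothing wrong. The only controls that still bite are tied to the transaction itself: a new payee, a large amount, and the absence of an out-of-band confirmation that binds payee and amount (a one-time code typed at login does not help, since the attacker rides the session the victim already authenticated). All profiles, sessions, field names, thresholds and the decision policy are constructed for illustration and are not any bank’s actual rules.

```python
from dataclasses import dataclass

# Attributes the article says the gang's VM-synching module copies from the
# victim's PC so the cloned machine looks identical to the bank.
FINGERPRINT_FIELDS = ("time_zone", "screen_resolution", "browser", "cookies", "product_ids")
WIRE_REVIEW_THRESHOLD = 5_000  # assumed manual-review threshold (illustrative)


@dataclass(frozen=True)
class Profile:
    """What the bank holds on record for one customer (constructed sample)."""
    ip: str
    fingerprint: dict
    known_payees: frozenset


@dataclass(frozen=True)
class Session:
    """What the bank's web tier observes for one login."""
    ip: str
    fingerprint: dict


@dataclass(frozen=True)
class Wire:
    payee: str
    amount: int
    # True only if the customer confirmed THIS payee and amount over a second
    # channel (transaction signing). A one-time code typed at login does not
    # count: the attacker rides the session the victim already authenticated.
    signed_out_of_band: bool


def clone_session(victim: Session) -> Session:
    """Model of the botmaster's cloned VM: same fingerprint, and because the
    traffic exits through a SOCKS proxy on the victim's PC, the same IP."""
    return Session(ip=victim.ip, fingerprint=dict(victim.fingerprint))


def device_ip_flags(profile: Profile, session: Session) -> list:
    """Device/IP anomaly check: the control layer the cloning is built to defeat."""
    flags = []
    if session.ip != profile.ip:
        flags.append("ip_changed")
    for field in FINGERPRINT_FIELDS:
        if session.fingerprint.get(field) != profile.fingerprint.get(field):
            flags.append("fingerprint:" + field)
    return flags


def transaction_flags(profile: Profile, wire: Wire) -> list:
    """Transaction-level checks: independent of what the client looks like."""
    flags = []
    if wire.payee not in profile.known_payees:
        flags.append("new_payee")
    if wire.amount >= WIRE_REVIEW_THRESHOLD:
        flags.append("large_wire")
    if not wire.signed_out_of_band:
        flags.append("unsigned_transaction")
    return flags


def decide(profile: Profile, session: Session, wire: Wire) -> str:
    """Combine both layers. Illustrative policy, not any bank's actual rules."""
    txn = transaction_flags(profile, wire)
    if "unsigned_transaction" in txn and ("new_payee" in txn or "large_wire" in txn):
        return "hold_for_review"
    if device_ip_flags(profile, session):
        return "step_up_authentication"
    return "allow"


# Constructed sample data (documentation IP ranges, made-up fingerprints).
VICTIM_FP = {"time_zone": "America/New_York", "screen_resolution": "1366x768",
             "browser": "IE 8.0", "cookies": "sess=c0ffee", "product_ids": "WIN7-0001"}
VICTIM_PROFILE = Profile(ip="203.0.113.7", fingerprint=VICTIM_FP,
                         known_payees=frozenset({"ACME Utilities"}))
VICTIM_SESSION = Session(ip="203.0.113.7", fingerprint=VICTIM_FP)
BOTMASTER_OWN_BOX = Session(ip="198.51.100.9", fingerprint={
    "time_zone": "Europe/Moscow", "screen_resolution": "1920x1080",
    "browser": "Firefox 15", "cookies": "", "product_ids": "WIN7-9999"})
FRAUDULENT_WIRE = Wire(payee="Mule Account 4471", amount=9_800, signed_out_of_band=False)

if __name__ == "__main__":
    cloned = clone_session(VICTIM_SESSION)
    print("botmaster from own box:", device_ip_flags(VICTIM_PROFILE, BOTMASTER_OWN_BOX))
    print("botmaster via cloned VM + SOCKS:", device_ip_flags(VICTIM_PROFILE, cloned))
    print("decision on the wire:", decide(VICTIM_PROFILE, cloned, FRAUDULENT_WIRE))
```

Run stand-alone, the first check lists every device and IP mismatch for a botmaster connecting directly, the second returns an empty list for the cloned VM tunnelled through the victim, and the wire is still held because it goes to an unknown payee without transaction signing. The design point is that cloning moves the detection burden from "does this client look like the customer" to "did the customer knowingly approve this specific transfer".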
Banks in the US have been getting battered by distributed denial of service (DDoS) attacks this month. Wells Fargo, J.P. Morgan Chase & Co and Bank of America have all experienced disruption on their customer-facing sites as a result of massive DDoS attacks.