RSA last week revealed that an internet gang is recruiting some 100 botmasters to join a planned Trojan attack spree against 30 US banks.
Brian Krebs has since unmasked the mastermind as a Russian hacker called vorVzakone.
The name translates to “thief-in-law”, an elite rank of criminal in the post-Soviet world of organized crime.
RSA reported last week that the “blitzkrieg-like” series of Trojan attacks is planned to launch this fall with the help of some 100 botmasters. The security firm is referring to the project as “the making of the most substantial organized banking-Trojan operation seen to date.”
Krebs has posted a professionally translated version of vorVzakone’s recruitment post in which the hacker offers to let botmasters in on the deal for a total of $400, unless, that is, they already have a server, bots and accounts ready to go.
The post brags that since 2008, the Trojan has earned one team $5 million in fraudulent bank transfers.
RSA’s analysis of the post links it to a little-known, proprietary, Gozi-like Trojan, which RSA has dubbed “Gozi Prinimalka”, from the Russian word meaning “to receive”.
RSA found that the word “Prinimalka” is used as a folder name in every URL path given by the gang over the years to its crimeware servers.
Underground chatter has led RSA to the conclusion that the gang will deploy the Trojan in man-in-the-middle, manual session-hijacking attacks that result in fraudulent wire transfers.
RSA’s analysis found a few features that distinguish this attack from previous Trojan attacks, including phone-flooding that will block a bank’s attempts to verify unusual online account transfers:
- A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website.
- Using VoIP phone-flooding software, the gang plans to prevent victim account holders from receiving the bank’s confirmation call or text message used to verify new or unusual online account transfers.
Beyond political animosity, one reason the attack is aimed at American banks is because two-factor authentication use in the United States is rare, particularly when compared with European banks.
From vorVzakone’s post:
"The two factor authentication is not covered since it's rare in USA."
But the question remains: is this guy for real?
Given the alleged fraudster’s flamboyant claims, the Underweb isn’t sure whether or not he’s a trap set by Russian law enforcement, Krebs writes.
If vorVzakone is in fact offering a legitimate service to cybercrooks, he’s using an unusual form of recruitment to amass his troops.
Recruiting from underground forums of “mutually distrustful parties” (description courtesy of an analysis [PDF] of the Underweb by University of California/San Diego) is a new wrinkle in the insular world of cybercrime, as noted by RSA’s Mor Ahuvia:
"Organized crime in the fraudster underground is normally orchestrated within private circles, and it is almost unheard of for a cyber gang to turn to masses of "UnderWeb" dwellers in order to find recruits for its operations. The move is both risky and peculiar considering recent law enforcement operations in the underground leading to extensive fraudster arrests by the FBI."
Krebs notes that the underground is leery of the deal, given other posts in which vorVzakone has bragged about his criminal resume.
If he’s legit, he’s cocky as hell. In this video posted to YouTube, the cheerful, potential cyber criminal greets his viewers in front of a Toyota Land Cruiser that fully shows its registration plate, introduces himself as Serega or Vor V Zakone, and gives a tour of what he claims is his home.
As Krebs says, many are finding it hard to take him seriously, given that he appears unconcerned about anonymity or personal safety.
Krebs quotes a Russian expert who, he says, helped to translate vorVzakone’s post:
"This guy’s language and demeanor is that of street corner drug dealer or a night club bouncer, and not of someone who can comprehend what 'backconnect socks' or GeoIP is."
vorVzakone’s bravado is certainly not typical of the caginess employed by members of the criminal underground, which points to his perhaps being a boobytrap set by Russian law enforcement, as many in that community fear.
But as Krebs notes, regardless of his legitimacy, the alleged fraudster has served to add yet another reason for US banks to strengthen authentication controls around money transfers.
Two-factor authentication is far from a panacea, as security expert Bruce Schneier has been commenting on for years.
Individuals who promptly report unauthorized bank account activity aren’t liable for stolen funds, but small businesses are.
Krebs thinks the best way to bank safe is to simply stop using Windows while conducting your banking, given that it’s the platform most targeted by criminals who plant the Trojans that enable transfer fraud and other attack forms.
He suggests switching to a Linux build on a Live CD when online banking, thus protecting a banking session even if the underlying hard drive has been infected.
Would you go that far to avoid being victimized by online banking fraud?
Chaos image from Shutterstock.