RSA last week revealed that an internet gang is recruiting some 100 botmasters to join a planned Trojan attack spree against 30 US banks.
Brian Krebs has since unmasked the mastermind as a Russian hacker called vorVzakone.
The name translates to “thief-in-law”, an elite rank of criminal in the post-Soviet world of organized crime.
RSA reported last week that the “blitzkrieg-like” series of Trojan attacks is planned to launch this fall with the help of some 100 botmasters. The security firm is referring to the project as “the making of the most substantial organized banking-Trojan operation seen to date.”
Krebs has posted a professionally translated version of vorVzakone’s recruitment post in which the hacker offers to let botmasters in on the deal for a total of $400, unless, that is, they already have a server, bots and accounts ready to go.
The post brags that since 2008, the Trojan has earned one team $5 million in fraudulent bank transfers.
RSA’s analysis of the post links it to a little-known, proprietary, Gozi-like Trojan, which RSA has dubbed “Gozi Prinimalka”, from the Russian word meaning “to receive”.
RSA found that the word “Prinimalka” is used as a folder name in every URL path given by the gang over the years to its crimeware servers.
Underground chatter has led RSA to the conclusion that the gang will deploy the Trojan in man-in-the-middle, manual session-hijacking attacks that result in fraudulent wire transfers.
RSA’s analysis found a few features that distinguish this attack from previous Trojan attacks, including phone-flooding that will block a bank’s attempts to verify unusual online account transfers:
- A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website.
- Using VoIP phone-flooding software, the gang plans to prevent victim account holders from receiving the bank’s confirmation call or text message used to verify new or unusual online account transfers.
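The phone-flooding feature above works only if a bank treats an unanswered confirmation call as something other than a reason to stop. The following Python sketch, added here as an illustration and not code from RSA, Krebs or the article, shows a bank-side authorization rule that fails closed: a transfer that triggers out-of-band (OOB) verification is approved only on a positive confirmation, a busy or unanswered line parks it for review, and repeated unreachable attempts on one account escalate to a denial. The policy thresholds, the `Transfer`/`OobResult` records and the sample events are all constructed assumptions.

```python
"""Fail-closed out-of-band (OOB) transfer verification.

Added illustration (not RSA's or the article's code): a bank-side check that
treats an unanswered or flooded confirmation call as a reason to hold a
transfer rather than let it through. All thresholds and events are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    APPROVE = "approve"
    HOLD = "hold"       # park the transfer for manual review
    DENY = "deny"       # reject and flag the account


@dataclass(frozen=True)
class Transfer:
    account: str
    payee: str
    amount: float
    new_payee: bool


@dataclass(frozen=True)
class OobResult:
    # outcome of the confirmation call or SMS to the account holder
    status: str  # "confirmed", "declined", "no_answer", "line_busy", "sms_undelivered"


def needs_oob(t: Transfer, threshold: float = 2000.0) -> bool:
    """Hypothetical step-up policy: OOB verification for new payees or large amounts."""
    return t.new_payee or t.amount >= threshold


def authorize(t: Transfer, oob: Optional[OobResult], recent_oob_failures: int) -> Decision:
    """Decide a single transfer.

    Key property: nothing but a positive confirmation on the OOB channel
    approves a step-up transfer. A blocked line (the phone-flooding case)
    shows up as "no_answer" or "line_busy" and yields HOLD; several such
    failures in a row on one account escalate to DENY.
    """
    if not needs_oob(t):
        return Decision.APPROVE
    if oob is None:
        return Decision.HOLD            # verification never ran: fail closed
    if oob.status == "confirmed":
        return Decision.APPROVE
    if oob.status == "declined":
        return Decision.DENY            # the customer said no
    # no_answer, line_busy, sms_undelivered or anything unrecognised:
    # fail closed, and treat a run of failures as a signal in itself
    # (the threshold of 3 is a constructed value).
    if recent_oob_failures >= 3:
        return Decision.DENY
    return Decision.HOLD


def run_batch(events: List[Tuple[Transfer, Optional[OobResult]]]) -> List[Decision]:
    """Apply authorize() to (transfer, oob_result) pairs, tracking per-account
    failure counts so a flooded line shows up as an escalating decision."""
    failures: Dict[str, int] = {}
    decisions: List[Decision] = []
    for t, oob in events:
        d = authorize(t, oob, failures.get(t.account, 0))
        if d is Decision.HOLD:
            failures[t.account] = failures.get(t.account, 0) + 1
        elif d is Decision.APPROVE:
            failures[t.account] = 0
        decisions.append(d)
    return decisions


# Constructed sample: one routine payment, a new large payee whose
# confirmation calls never get through, and a confirmed large payment.
SAMPLE_EVENTS = [
    (Transfer("acct-1", "utility-co", 120.0, False), None),
    (Transfer("acct-2", "new-payee", 9500.0, True), OobResult("line_busy")),
    (Transfer("acct-2", "new-payee", 9500.0, True), OobResult("no_answer")),
    (Transfer("acct-2", "new-payee", 9500.0, True), OobResult("no_answer")),
    (Transfer("acct-2", "new-payee", 9500.0, True), OobResult("line_busy")),
    (Transfer("acct-3", "landlord", 2500.0, False), OobResult("confirmed")),
]

if __name__ == "__main__":
    for (t, _), d in zip(SAMPLE_EVENTS, run_batch(SAMPLE_EVENTS)):
        print(f"{t.account} -> {t.payee} ${t.amount:,.2f}: {d.value}")
```

Run on the sample events, the routine payment is approved, the four attempts against acct-2 produce three holds and then a denial, and the confirmed payment from acct-3 goes through. The design point is that a verification channel under attack must degrade to "hold", never to "approve by default".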
Beyond political animosity, one reason the attack is aimed at American banks is that two-factor authentication is rarely used in the United States, particularly when compared with European banks.
From vorVzakone’s post:
"The two factor authentication is not covered since it's rare in USA."
But the question remains: is this guy for real?
Given the alleged fraudster’s flamboyant claims, the Underweb isn’t sure whether or not he’s a trap set by Russian law enforcement, Krebs writes.
If vorVzakone is in fact offering a legitimate service to cybercrooks, he’s using an unusual form of recruitment to amass his troops.
Recruiting from underground forums of “mutually distrustful parties” (description courtesy of an analysis [PDF] of the Underweb by University of California/San Diego) is a new wrinkle in the insular world of cybercrime, as noted by RSA’s Mor Ahuvia:
"Organized crime in the fraudster underground is normally orchestrated within private circles, and it is almost unheard of for a cyber gang to turn to masses of 'UnderWeb' dwellers in order to find recruits for its operations. The move is both risky and peculiar considering recent law enforcement operations in the underground leading to extensive fraudster arrests by the FBI."
Krebs notes that the underground is leery of the deal, given other posts in which vorVzakone has bragged about his criminal resume.
If he’s legit, he’s cocky as hell. In a video posted to YouTube, the cheerful would-be cybercriminal greets his viewers in front of a Toyota Land Cruiser whose registration plate is fully visible, introduces himself as Serega or Vor V Zakone, and gives a tour of what he claims is his home.
As Krebs says, many are finding it hard to take him seriously, given that he appears unconcerned about anonymity or personal safety.
Krebs quotes a Russian expert who, he says, helped to translate vorVzakone’s post:
"This guy’s language and demeanor is that of street corner drug dealer or a night club bouncer, and not of someone who can comprehend what 'backconnect socks' or GeoIP is."
vorVzakone’s bravado is certainly not typical of the caginess of the criminal underground, which is why many in that community fear he may be a booby trap set by Russian law enforcement.
But as Krebs notes, regardless of his legitimacy, the alleged fraudster has served to add yet another reason for US banks to strengthen authentication controls around money transfers.
Two-factor authentication is far from a panacea, as security expert Bruce Schneier has pointed out for years.
Individuals who promptly report unauthorized bank account activity aren’t liable for stolen funds, but small businesses are.
Krebs thinks the best way to bank safely is simply to stop using Windows for banking, given that it is the platform most targeted by the criminals who plant the Trojans that enable transfer fraud and other attacks.
He suggests switching to a Linux build on a Live CD when online banking, thus protecting a banking session even if the underlying hard drive has been infected.
Would you go that far to avoid being victimized by online banking fraud?
At my house we use a live CD in order to do all banking. When I first saw this suggestion on Krebs I thought it was a no brainer! You can never be too careful.
Obviously, I'm no authority on Linux live CDs, but I do wonder if the level of maintenance required to use one safely is higher than people realise.
I guess my concern is that most Linux distros also regularly download and install security patches. Therefore, I would wonder if any Live CD that is more than a few months old would actually be any more secure than a well patched and maintained Windows install.
Like I say, I am not speaking as any kind of authority. But perhaps a virtual machine with a regularly updated Linux distro would be safer? Or a cheap tablet, like a Nexus 7, which you don't install any apps on?
I'd be interested in hearing what people who know more than I do about this think.
So … let me see if I have this right. Nobody can track down the people pouring Nigerian scams, porn, and Viagra ads into our mailboxes, nor will anyone admit to being the authors of STUXNET, DUQU, FLAME, or GAUSS, but they are certain a Russian is planning an attack against America's banks?
If you believe that one, I have some of Saddam's nuclear weapons to sell you!
We know that the US financial system is stretched to the breaking point, and we know that if the government of either Greece or Spain is driven from office by angry protests, credit default swaps sold by Wall Street against those debts come due, and there is no money to pay the claims. The Euro might even collapse, and that would trigger even more credit default swaps. So it makes logical sense that the US Government will take down the US financial computers and blame it on Russia (or Iran). This gets Wall Street and Washington DC off the hook, because now the financial meltdown is an act of war, rather than the result of decades of Wall Street crime and corruption and the predations of private central banks.