Oct 10, 2012
A credible threat to the U.S. banking system has been identified by cyber security firm RSA, and it suggests that plans for a highly organized, large-scale online bank heist targeting retail customers in the United States are currently underway.
In an advisory, RSA said it has information suggesting the gang plans to unleash a little-known Trojan program to infiltrate computers belonging to US banking customers and to use the hijacked machines to initiate fraudulent wire transfers from their accounts.
If successful, the effort could turn out to be one of the largest organized banking-Trojan operations to date, Mor Ahuvia, cybercrime communications specialist with RSA’s FraudAction team, said today. The gang is now recruiting about 100 botmasters, each of whom would be responsible for carrying out Trojan attacks against US banking customers in return for a share of the loot, she said.
Each botmaster will be backed by an “investor” who will provide money to buy the hardware and software needed for the attacks, Ahuvia said.
“This is the first time we are seeing a financially motivated cyber crime operation being orchestrated at this scale,” Ahuvia said. “We have seen DDoS attacks and hacking before. But we have never seen it being organized at this scale.”
RSA’s warning comes at a time when US banks are already on high alert. Over the past two weeks, the online operations of several major banks, including JP Morgan Chase, Bank of America, Citigroup and Wells Fargo were disrupted by what appeared to be coordinated denial-of-service attacks.
A little-known group called “Cyber fighters of Izz ad-din Al qassam” claimed credit for the attacks, but some security experts think a nation may have been behind the campaign because of the scale and organized nature of the attacks.
The latest discussion suggests that they now have individual consumer accounts in their crosshairs, Ahuvia said, warning that the gang plans to attempt to infiltrate computers in the US with a little-known Trojan malware program called Gozi Prinimalka.
The malware is an updated version of a much older banking Trojan, Gozi, which was used by cyber criminals to steal millions of dollars from US banks.
The group’s plan apparently is to plant the Trojan program on numerous websites and to infect computers when users visit those sites.
The Trojan is triggered when the user of an infected computer types out certain words — such as the name of a specific bank — into a URL string.
Source: Computer World
As noted in the RSA report, Denial-of-Service attacks responsible for taking down the web sites of several of the nation’s largest banks last month were attributed to an online terrorist organization. According to the U.S. government, the cyber terror cell had direct ties to, you guessed it, the Iranian government.
Additionally, this week the Intelligence Committee of U.S. Congress requested a ban on two Chinese technology firms for their undermining of national security. According to a report from Real Agenda, a one-year investigation by the committee concluded that the firms Huawei and ZTE have been illegally transferring sensitive corporate information to China through the use of their telecommunication network access in the United States. Moreover, Google this week issued emergency emails to users of its Gmail service citing a “state sponsored” hijacking threat to sensitive user information and communiqués.
Consider, too, that the Obama administration has since September been circulating a draft of an Executive Order that aims to implement some of the regulations and security features of the 2012 Cybersecurity Act, which failed to muster enough votes in Congress earlier this year. In that light, this latest report about a possible attack on the consumer banking system and on customer funds at the largest financial institutions in the country could be another psychological operation designed to rally support for legislation that would give the government more monitoring and control over domestic internet activity.
Whether this is a ploy to coerce Congress and the American people to give up their online privacy rights, or, in fact, a legitimate threat to U.S. bank customers is anybody’s guess.
(Perhaps it’s a mixture of both – never let a good crisis go to waste)
According to some analysts there are gaping holes in the online consumer banking system that could easily allow such a Trojan to first identify security credentials to access personal accounts, and then to rapidly distribute funds within those accounts to fake bank accounts around the world. That the perpetrators have been identified as originating in Europe and Russia adds further credence to the possibility that this is real:
In any event it’s not good; reports are that the “ringmasters” are in Russia and Eastern Europe, long a hotbed of this sort of activity.
The gist of the attack is that most US banks do not require “two factor” authentication before initiating a wire transfer. This is especially important because once a wire transfer is confirmed it is really gone, and in general cannot be recalled. It appears that they intend to deploy (or may have already deployed!) trojan horse programs that capture keystrokes, obtain login information and then en masse initiate wire transfers out of the United States from the victims’ accounts before the banks can react, effectively draining huge sums of money and distributing the proceeds among the crooks.
The biggest challenge is that today’s hacker looking to rob you is more interested in getting some sort of “quiet” keylogger or other trojan into your system. These are very difficult to detect, as they’re not designed to disrupt your system’s operation in any way — just to look for anything that appears to be a password and then send it on to the criminals. Do not be fooled if you’re on a Mac into thinking you’re impervious either — and in particular be very careful with mobile devices, most of which are far weaker than their desktop counterparts when it comes to security.
I can’t judge the credibility of this threat accurately, but it has attracted the attention of a fair number of folks who are sounding warning bells, and at least thus far the information appears to be reasonably credible.
Via Market Ticker
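The Market Ticker excerpt above hinges on one point: a bank that accepts a typed password as the only authorization for a wire has no defence once a keylogger has captured that password. The following example, added here and not part of either quoted source, contrasts that password-only check with a second factor that is bound to the specific transfer (amount, destination account and a bank-issued nonce) and computed on a separate token the customer holds. The scheme, field layout, key, account numbers and amounts are all constructed for illustration.

```python
# Added illustration: why a transaction-bound second factor defeats credential
# theft by a keylogger. Hypothetical scheme; all values are constructed samples.
import hmac
import hashlib

def transaction_code(token_secret: bytes, amount_cents: int, dest_account: str, nonce: str) -> str:
    """Code shown by the customer's separate token for ONE specific transfer.
    HMAC-SHA256 over the transfer details, truncated to 8 digits (HOTP-style)."""
    msg = f"{amount_cents}|{dest_account}|{nonce}".encode()
    digest = hmac.new(token_secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation, RFC 4226 style
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"

def authorize_password_only(stored_password: str, password: str) -> bool:
    """Weak model described in the article: whatever was typed on the keyboard
    suffices, so a keylogged password authorizes any transfer the thief chooses."""
    return hmac.compare_digest(stored_password, password)

def authorize_with_transaction_code(stored_password: str, token_secret: bytes, password: str,
                                    amount_cents: int, dest_account: str, nonce: str, code: str) -> bool:
    """Hardened model: the bank recomputes the code for the transfer it actually
    received. The code is typed (and so can be keylogged too), but it is useless
    for any transfer with a different amount, destination or nonce."""
    if not hmac.compare_digest(stored_password, password):
        return False
    expected = transaction_code(token_secret, amount_cents, dest_account, nonce)
    return hmac.compare_digest(expected, code)

def demo():
    password = "correct horse"        # constructed; assume a keylogger captured it
    token_secret = b"\x01" * 20       # constructed; lives on the token, never typed
    # Customer legitimately sends 250.00 to "DE-legit-001"; the bank issued nonce "n1".
    legit_code = transaction_code(token_secret, 25000, "DE-legit-001", "n1")
    legit_ok = authorize_with_transaction_code(password, token_secret, password,
                                               25000, "DE-legit-001", "n1", legit_code)
    # Thief replays the keylogged password and the observed code, but tries to
    # drain 9999.00 to a mule account under the bank's fresh nonce "n2".
    weak_ok = authorize_password_only(password, password)
    strong_ok = authorize_with_transaction_code(password, token_secret, password,
                                                999900, "mule-acct-777", "n2", legit_code)
    return legit_ok, weak_ok, strong_ok   # (True, True, False)

if __name__ == "__main__":
    print(demo())
```

The password-only check passes for the thief, while the transaction-bound check rejects the redirected transfer even though both the password and a genuine code were captured.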
Because such trojans or malware can be dropped onto computers when visiting any number of web sites or opening emails, we urge readers to take preventative measures by verifying that their systems have not been compromised (including mobile devices). Online security firms like McAfee, Symantec and Kaspersky offer tools that will scan your computer for such infections and actively monitor your system in real-time as you receive email or visit web sites.
Additionally, we strongly recommend this free tool from Malwarebytes. It has been rated five stars by CNET and thousands of users, and does not require a subscription. It will both scan and clean your system of potential key loggers or other trojans, spyware and viruses.
After your system has been scanned and cleaned of threats, best practices suggest that you change passwords for any online financial related accounts you have (in case a key logger has already captured your information), as well as accounts that require privacy, such as email.
Whether the above threat is credible or not, it’s better to be safe than sorry.