Published December 13, 2012
McAfee Global Threat Intelligence information for victims of Prinimalka campaigns reporting to Romanian control servers.
Russian cyber evildoers whose servers are based in Romania are coming closer to launching a major attack against 30 U.S. financial institutions aimed at stealing millions of dollars.
Attacks involving fraudulent transactions and targeting investment and national banks across the U.S. may launch next spring, new data from security firm McAfee show.
“McAfee Labs believes that Project Blitzkrieg is a credible threat to the financial industry and appears to be moving forward as planned,” said Ryan Sherstobitoff, McAfee Labs’ threat researcher.
The scheme, dubbed Project Blitzkrieg, will pull money from major banks and small financial institutions with less developed security protocols like credit unions over a period of time in nearly undetectable amounts, according to the report.
If Project Blitzkrieg goes full scale, it will target an unknown number of consumer accounts across 30 targeted financial institutions, Sherstobitoff said.
“The targets are all U.S. banks, with the victims dispersed across various U.S. cities,” McAfee said. “Thus this group will likely remain focused on U.S. banks and making fraudulent transactions.”
The threat, first brought to light by RSA in September, came in the form of a posting on Underweb forums by a Russian hacker who goes by the name “vorVzakone,” which translates to “thief in law.” The attacks were originally estimated to begin this fall, however McAfee’s data show they will actually occur in the spring of 2013.
The thieves have been active since April 2012 and at least 500 victims can be linked to vorVzakone, McAfee said.
“The attackers have managed to run an operation undetected for several months while infecting a few hundred,” Sherstobitoff said.
The Prinimalka Trojan associated with Project Blitzkrieg is a direct evolution of a Gozi variant seen in early 2007 that has historically focused on U.S.-based financial targets.
been targeted by a single Prinimalka campaign
While the Trojan has been around for years, McAfee said the attack this spring will combine both a “technical, innovative backend with the tactics of a successful, organized cybercrime movement.”
The attacks will use a type of hijacking that essentially steals log-in data and times as well as security questions and answers. It would be a generic attack, with an extracted script capturing the victim’s balance and last log-in date/time and posting it to a file on the server.
McAfee said the target is the Internet banking platform ibanking, which is used by hundreds of financial institutions. McAfee Labs’ initial data indicate “a simple form of data grabbing” will be used by Prinimalka to select targets for fraudulent transactions.
Citigroup (C) acknowledged the threat and said protecting the bank and its clients from criminal cyber threats is a “critical priority for us.”
“We have a focused information security strategy and dedicated resources to execute it,” a Citi spokesperson said.
The attacks piggyback on denial of service cyber attacks that have been intermittently occurring against major U.S. banks like Bank of America and Chase over the last few months. The unrelated attacks were responsible for downing or slowing their consumer web sites.
McAfee said the Project Blitzkrieg campaign won’t initially target hundreds of thousands of victims but will try to stay under the radar by attacking select groups. High-wealth customers at these banks may also be targeted.
“This strategy is necessary if the attackers hope to succeed in transferring several million dollars over the course of the project,” Sherstobitoff said. “A limited number of infections reduces the malware’s footprint and makes it hard for network defenses to detect its activities.”
According to McAfee data analyzing webinjects on the Trojan, which add malicious content tied to malware into banking websites, the security firm was able to determine that a majority of the victims will be national banks and investment banks.
“It will be interesting to see how the attackers will move money from these accounts, which are certainly targets of high value,” Sherstobitoff said.