When denial-of-service cyberattacks were jamming up major bank websites in September, the public disruption made headlines.
But in the sketchy recesses of the underground Web, something potentially much more damaging was apparently brewing. IT security company RSA noted in an Oct. 4 blog post that a cybergang linked to Eastern Europe was recruiting about 100 botmasters for a planned “blitzkrieg-like series of Trojan attacks” on 30 U.S. financial institutions.
The weapon was dubbed Gozi Prinimalka, a mutation of the Gozi financial malware that has bedeviled banks for several years now.
RSA analyst Mor Ahuvia, in Israel, blogged that if the project materialized it would be “the largest coordinated attack on American financial institutions to date.”
Most Read Stories
The Gozi rumblings illustrate the significant challenge banks face defending against myriad shifting cyberthreats. The denial-of-service attacks inconvenienced customers and made a statement. But Gozi, like its older cousin Zeus and other financial malware, is about draining money right out of accounts. It’s a subject banks have been loath to discuss.
RSA, the security division of Massachusetts tech giant EMC, wouldn’t release the list of targets. But Internet security firm Trend Micro in Cupertino, Calif., provided a list that includes 26 companies, including Charles Schwab and Scottrade as well as several of the country’s top banks.
Wells Fargo and U.S. Bank declined to comment for this story.
The Gozi cyberheist isn’t targeting bank networks. It goes after customers banking online, and siphons money from accounts by essentially taking them over without victims knowing it.
Gozi allows cyberthieves to steal a company’s online-banking credentials to gain access to their business accounts, impersonating both the victim and the financial institution. Detection is very difficult.
“It’s the scariest way that they commit fraud,” said Ryan Elmer, an account executive at Total Networx, an IT security company in Burnsville, Minn., that’s focused on banks.
The malware can lurk in email attachments, for instance, or be embedded in poisonous websites that victims unwittingly browse.
Cyberthieves looting company bank accounts by taking them over — dubbed corporate account takeover — is a top fraud concern of banks. Gozi is the latest tactic in corporate account takeover, according to Total Networx. Increasingly, attacks target small-business bank customers.
They’re an attractive target. Small companies typically lack the IT resources and controls of large ones. And unlike individual bank customers with a checking account, businesses wire large sums of money around and use the electronic Automated Clearing House to handle such transactions as payroll.
Corporate-account takeovers caused losses of at least $45 million last year, according to the Federal Deposit Insurance Corp. The FBI says it’s investigating about 230 reported cases of such fraud, involving the attempted theft of more than $255 million, with actual losses around $85 million.
Last month, hackers stole more than $400,000 from a Bank of America account held by the town of Burlington, Skagit County.
Ahuvia, at RSA, said the thieves behind the purported Gozi campaign are targeting U.S. financial institutions partly because they don’t use a second layer of authentication — an added security measure beyond a login and password — for private banking customers to the extent banks in Europe do. Federal bank regulators last year recommended banks use multiple layers of authentication, but it’s not a mandate.
What’s notable about the latest Gozi version, Ahuvia said, is the degree to which it can impersonate an account holder, duplicating the victim’s complete PC settings in an attempt to deceive the bank’s back-end security systems. The scheme involves phone-flooding software to block victims from getting a call or text message from the financial institution that would verify online account activity.
Tech-security circles have buzzed about the timing of the potential Gozi spree, which was expected to hit as early as this month. There are plenty of skeptics. In a recent interview, Daniel Cohen, RSA’s head of business development for Online Threats Managed Services, said the Gozi blitzkrieg may be off altogether.