Banks Not Prepared for New Trojan
Researchers Say Virus Bypasses Standard Security Measures
The usual fraud-detection and prevention defenses likely won't be enough to catch and stop a new banking Trojan dubbed Gozi Prinimalka, experts say.
In early October, security vendor RSA discovered this new variant of the legacy man-in-the-middle Trojan known as Gozi (see RSA Warns of New Attacks on Banks).
RSA, in a blog posted Oct. 4, said it had identified 30 U.S. banks that had been targeted by a cybercrime gang believed to be based in Russia. The gang, according to RSA, was setting the stage for a "blitzkrieg-like" series of attacks, which would be launched by 100 botmasters the gang was working to recruit.
Now other security vendors, including Trusteer and Trend Micro, say they, too, have analyzed this new banking Trojan and confirmed the increased risk of fraudulent wire transfers it poses. According to Trusteer, which recently posted a blog about the issue, typical device-identification measures and IP-address tracking are useless against it.
As a result, experts say banks and credit unions need to strengthen transaction monitoring to catch suspicious wire transfers, ideally in real time, before they're approved. That's because the new Trojan defeats the device-identification and IP checks that often stand in for stronger authentication. Institutions also should focus on proxy identification and malware detection, and ensure their end-users keep anti-virus software up to date. And since the Trojan exploits basic authentication methods, institutions should invest in multifactor authentication.
Prinimalka: More Than Gozi
RSA warned early on that U.S. banking institutions were being targeted because they don't typically require two-factor authentication for wire transfers.
But Amit Klein, Trusteer's chief technology officer, says the Trojan, now known as Gozi Prinimalka, attacks a system in new ways. The format of its HTML injection, the configuration elements in its code and the way it injects code into the browser on a compromised machine differ from other Trojans, including Gozi, he explains.
Gozi Prinimalka's device-cloning feature and its ability to present the victim's IP address make it particularly dangerous, Klein states in his blog post.
"This [device-cloning] feature allows fraudsters to create a cloned computer with settings identical to those of the victim's device - including the same device fingerprint," he writes. "It also allows the fraudsters to route/proxy all Web communication from the cloned computer through the victim's device, using the victim's IP address. The net effect is that both device and IP address seem to belong to the genuine user [victim]."
Trend Micro has identified similar risks, says senior threat researcher Ivan Macalintal. He blogged about the new threat, naming 26 banking institutions that had been identified by Trend Micro as targets. Macalintal says configurations contained in the malware's code led researchers to identify the following institutions as targets:
Accurint, American Funds, Ameritrade, Bank of America, CapitalOne, Charles Schwab, Chase, Citibank, eTrade, Fidelity, Fifth Third Bank, HSBC, M&T Bank, Navy Federal Credit Union, PNC, Regions Financial Corp., Scottrade, ShareBuilder, State Employees Credit Union, Suntrust, The Huntington National Bank, United Services Automobile Association (USAA), USBank, Wachovia, Washington Mutual and Wells Fargo.
RSA researcher Limor Kessem acknowledges specific banks targeted for attack also have been identified by RSA. But she declined to reveal the targets or to confirm the accuracy of Trend Micro's list.
No Attacks Yet
Researchers say all of the banks identified as being at risk have been notified, and law enforcement is involved. No Gozi Prinimalka attacks have yet been logged, according to RSA, Trusteer and Trend Micro.
But Macalintal says that, based on their configuration files, past variants of Gozi and other banking Trojans are known to have targeted social-networking sites as well.
Based on claims in underground forums by the creators of this new Gozi variant, attacks are expected to begin before the end of the year. The cybercrime gang identified by RSA has allegedly said it won't initiate attacks until it has recruited 100 assistant hackers. RSA does not name the group, but security blogger Brian Krebs has linked the group to the Russian hacker known by the nickname "vorVzakone."
The stated purpose of the attacks is to perpetrate fraud, RSA notes.
Gozi Prinimalka's attack methods could change over time, researchers say.
"Once the criminals have an end-user's genuine login credentials, they do not necessarily have to proxy all communication through the victim's device," Klein says. "Fraudulent transactions can be submitted from a cloned device on a new IP or a new device."
This is the challenge anti-virus engines face when it comes to malware-infection prevention of any kind, Kessem adds. "The configuration file can be changed at any time throughout the day," she says. "So, if criminals want to add more targets, they can. Some botmasters will change a config file on a daily basis. This is why, as researchers, we are always looking for new institutions they are targeting."
Kessem also says most anti-virus engines are not yet equipped to detect Gozi Prinimalka. "The AV engines have not sampled this variant yet, so it will be able to get around most AV engines," she says.
Prevention: Next Steps
Financial institutions cannot control an end-user's device, so malware prevention is challenging, Kessem says. This is why transaction monitoring is so critical. "The bank can only detect suspicious transactions and flag or block them," she says.
The best solution is to configure rules that raise the risk score of certain transaction types, Kessem says. Doing so increases an institution's chances of catching suspicious activity before funds leave.
"The banks have to stick to a layered security doctrine," she says. "At the phase of the authentication of the user, they must closely monitor the transaction and have alerts set up for when money is being sent to a suspicious account."
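To make the layered-monitoring point concrete, the following is an added example in Python, written for this page and not taken from RSA, Trusteer, Trend Micro or the article. It scores an outbound wire against a customer's history, keeping the device-fingerprint and IP checks but putting the decisive weight on the transaction itself (new beneficiary, amount far outside the customer's pattern, wire velocity). The customer profile fields, the rule weights, the thresholds and the four sample wires are all constructed assumptions; the point it demonstrates is that a cloned device proxied through the victim scores zero on the device and IP rules yet is still blocked by the transaction-level rules, and that the same credentials replayed from a fresh device and IP (the shift Klein anticipates) score higher still.

```python
"""Transaction-level risk scoring for outbound wires (added example, not the page's code)."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Profile:
    """Per-customer history a bank would keep; this field set is an assumption."""
    device_fingerprint: str
    usual_ips: set
    known_payees: set
    past_amounts: list                               # historical wire amounts
    recent_wires: list = field(default_factory=list) # timestamps of recent wires


@dataclass
class Wire:
    """One wire-transfer request as seen at submission time."""
    ts: datetime
    amount: float
    payee_account: str
    device_fingerprint: str
    src_ip: str


# Illustrative weights and thresholds; a real deployment tunes these on fraud data.
W_DEVICE, W_IP, W_PAYEE, W_AMOUNT, W_VELOCITY = 20, 15, 40, 30, 25
BLOCK_AT, STEP_UP_AT = 70, 40


def score_wire(wire: Wire, profile: Profile):
    """Return (score, reasons). Device and IP rules are kept, but a cloned device
    proxied through the victim passes both, so the decisive weight sits on the
    transaction itself: beneficiary, amount and velocity."""
    score, reasons = 0, []
    if wire.device_fingerprint != profile.device_fingerprint:
        score += W_DEVICE; reasons.append("unknown device")
    if wire.src_ip not in profile.usual_ips:
        score += W_IP; reasons.append("unusual IP")
    if wire.payee_account not in profile.known_payees:
        score += W_PAYEE; reasons.append("new beneficiary")
    if profile.past_amounts:
        mu = mean(profile.past_amounts)
        sd = pstdev(profile.past_amounts) or 1.0
        if wire.amount > mu + 3 * sd:          # far outside the customer's pattern
            score += W_AMOUNT; reasons.append("amount far above history")
    in_window = [t for t in profile.recent_wires if wire.ts - t <= timedelta(hours=24)]
    if len(in_window) >= 2:                    # third wire inside 24 hours
        score += W_VELOCITY; reasons.append("wire velocity")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action; 'step-up' means out-of-band confirmation."""
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def evaluate_samples():
    """Run four constructed scenarios and return {name: (score, decision)}."""
    victim = Profile(
        device_fingerprint="fp-victim-01",
        usual_ips={"203.0.113.7"},
        known_payees={"ACCT-1111", "ACCT-2222"},
        past_amounts=[400, 550, 480, 620, 500],   # mean 510, pstdev ~73
    )
    base = datetime(2012, 10, 20, 10, 0)
    # Same customer after two wires earlier today (exercises the velocity rule).
    busy_victim = replace(victim, recent_wires=[base - timedelta(hours=1),
                                                base - timedelta(hours=3)])
    samples = {
        # Genuine customer: own device, own IP, known payee, usual amount.
        "genuine": (victim, Wire(base, 520, "ACCT-1111", "fp-victim-01", "203.0.113.7")),
        # Cloned device proxied through the victim: fingerprint and IP both match,
        # so the device/IP rules contribute nothing; payee and amount still fire.
        "cloned_via_victim": (victim, Wire(base, 9800, "ACCT-MULE-77", "fp-victim-01", "203.0.113.7")),
        # Stolen credentials replayed later from a fresh device and IP.
        "cloned_new_ip": (victim, Wire(base, 9800, "ACCT-MULE-77", "fp-clone-99", "198.51.100.23")),
        # Normal amount to a new payee, but the third wire in 24 hours.
        "burst_new_payee": (busy_victim, Wire(base, 600, "ACCT-3333", "fp-victim-01", "203.0.113.7")),
    }
    results = {}
    for name, (profile, wire) in samples.items():
        score, _reasons = score_wire(wire, profile)
        results[name] = (score, decide(score))
    return results


if __name__ == "__main__":
    for name, (score, action) in evaluate_samples().items():
        print(f"{name:18s} score={score:3d} -> {action}")
```

Run as a script, the cloned-device wire that matches the victim's fingerprint and IP still scores 70 and is blocked, the burst to a new payee at a normal amount lands in step-up, and only the genuine wire passes untouched; the device and IP rules add nothing in the first case, which is exactly why they cannot carry the decision on their own.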