'Project Blitzkrieg': Are Russian cybercriminals about to invade US banks?
Security researchers uncovered 'Project Blitzkrieg', a plan for a major cyberheist of US banks, after its purported Russian mastermind posted recruitment messages online. It's not clear whether the publicity halted the plot.
(Page 2 of 2)
McAfee and RSA agree that vorVzakone sought to put the prospective participants into a "boot camp-style process" in which "accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims’ accounts into mule accounts controlled by the gang," RSA researchers blogged in October.
"To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits. The gang and a long list of other accomplices will also reap their share of the spoils, including the money-mule herder and malware developers."
A key feature of the plot was to purchase computerized "phone flooding" equipment. When a bank tried to call or text a victim to verify whether a wire transfer was genuine, the victim's phone lines would be jammed with a flood of calls and the bank would be unable to get through. Meanwhile, the fraudster could call the bank, posing as the accountholder, and approve the transaction.
The planned attack, both RSA and McAfee agree, is built on a particularly nasty piece of malicious software called Prinimalka, a previously little-known private variant of the better-known criminal malware Gozi, which was designed specifically to steal banking login credentials.
The insidious difference between the two is that Prinimalka clones the victim's computer: it sends the essential variables to Russia so that a "virtual machine" there can assemble a replica of the victim's machine with the same cookies, operating system, and other software configuration. The replica can then be operated from Russia yet appear to the bank's security systems to be the victim's legitimate machine sitting somewhere in the US.
"Their method of doing this is to essentially clone the victim's computer so the copy can be run on a virtual machine anywhere in the world," says Daniel Cohen, head of RSA's Knowledge Delivery branch, which deals with external cyber threats. "It looks to the bank like that computer belongs to Joe Schmo sitting somewhere in America."
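The following is an added illustration, not code from the article, RSA, or McAfee. It models the kind of bank-side device-recognition check that the cloning technique above is meant to defeat: a check that relies only on attributes the client reports (cookies, browser and OS details) cannot tell a replica from the real machine, because the malware copies exactly those attributes. It also shows one signal the server observes for itself rather than taking from the client, the country of the connecting IP address, which a virtual machine running abroad does not inherit. The field names, sample values, and the two-session scenario are all constructed for the example.

```python
"""
Added example (not from the article or the vendors' reports): a fingerprint-only
device check that a cloned profile passes, beside a check that also compares a
server-observed network signal. Attribute names and values are constructed.
"""
import hashlib
from dataclasses import dataclass

# Client-reported attributes a banking site might record about a device.
# Every one of these can be copied off the victim's PC and replayed by a clone.
FINGERPRINT_FIELDS = ("user_agent", "os", "screen", "timezone", "plugins", "device_cookie")


@dataclass(frozen=True)
class Session:
    attrs: dict            # reported by the client; copyable by malware
    src_ip_country: str    # derived by the server from the TCP connection, not by the client


def fingerprint(attrs: dict) -> str:
    """Stable hash over the client-reported attributes, in a fixed field order."""
    canon = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canon.encode()).hexdigest()


def naive_device_check(enrolled: Session, login: Session) -> bool:
    """Fingerprint-only recognition: identical attributes -> trusted device."""
    return fingerprint(enrolled.attrs) == fingerprint(login.attrs)


def hardened_device_check(enrolled: Session, login: Session) -> tuple:
    """Fingerprint match plus a network-origin consistency check.

    Returns (trusted, reasons). The origin check catches a replica that
    connects from somewhere the customer never has, even when every
    client-reported attribute matches.
    """
    reasons = []
    if fingerprint(enrolled.attrs) != fingerprint(login.attrs):
        reasons.append("device fingerprint mismatch")
    if enrolled.src_ip_country != login.src_ip_country:
        reasons.append(
            f"source country changed {enrolled.src_ip_country}->{login.src_ip_country}"
        )
    return (not reasons, reasons)


# Constructed scenario: the victim enrolled from the US; the clone replays the
# exfiltrated attributes byte-for-byte from a VM connecting from Russia.
VICTIM_ATTRS = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1",
    "os": "Windows 7",
    "screen": "1366x768",
    "timezone": "-300",
    "plugins": "Flash;Java;PDF",
    "device_cookie": "d3c0ffee51",   # constructed persistent bank cookie
}
VICTIM = Session(attrs=VICTIM_ATTRS, src_ip_country="US")
CLONE = Session(attrs=dict(VICTIM_ATTRS), src_ip_country="RU")

if __name__ == "__main__":
    print("naive check trusts clone:   ", naive_device_check(VICTIM, CLONE))
    print("hardened check trusts clone:", hardened_device_check(VICTIM, CLONE))
    print("hardened check, real victim:", hardened_device_check(VICTIM, VICTIM))
```

The origin check is only one additional signal, and it is my caveat rather than anything the article claims: banking malware of this family commonly tunnels the fraudulent session back through the infected PC so that the bank sees the victim's own IP address, which is why the last line of defence is out-of-band confirmation by phone, exactly the channel the phone-flooding equipment in the plot was meant to jam.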
While McAfee says the Blitzkrieg plot appears to have been real until very recently, based on the tracking of malware deposited on victim machines across the US, it is now possible that the plot has been sunk by all the publicity. Or it might merely be on hold – or even still in deep development.
"Some recent reports argue that vorVzakone has called off this attack because it has been made public," notes the McAfee study. "Yet it is possible that the publicity may merely drive his activities deeper underground."
After media picked up the story, vorVzakone wrote in a final message that things had become "too hot, too much media attention," Mr. Cohen agrees.
"The guy in charge of phone flooding said on the same forum that he was now out of a job and available for hire. We tracked vorVzakone as he went into deeper underground forums, but haven't seen him posting. He's also being chastised by members of the forum for bringing so much unwanted attention."