New, more effective versions of the Gozi malware have been detected in active campaigns targeting a rash of major global banks.
Threat intelligence experts at buguroo Labs said that the victims include PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and many more. Most of the attacks have taken place in Poland, Japan and Spain, but the researchers expect them to soon be launched in the US and other parts of Europe.
Here’s how it works: When an infected user at a target financial institution attempts a transaction, the Command and Control server is notified in real time and sends the user’s browser the information necessary for carrying out fraudulent transfers. The user simply sees a deposit-pending alert requesting the security key to complete the transfer.
Hidden underneath, however, is the actual real transfer page being presented to the bank. The unsuspecting user is inadvertently entering their key to send their money to a mule designated by the malware operators.
The account information of the infected user can include the SWIFT BIC and account information used for international money transfers.
“This suggests—but by no means confirms—that this attack might underlie the spate of high-value fraudulent transfers recently reported by some countries’ central banks,” the researchers said, in an analysis.
These new Gozi variants escape undetected by virtually all web fraud defense solutions, thanks to an elaborate web injection that’s optimized to fly under the radar. For certain versions of the webinjects used for specific companies, the malware sends a kind of biometric information to its control panel, such as how long the user takes to move from an input field to the next or the time between keystrokes. The malware uses these values to fill the necessary fields to perform the fraudulent transfer in what appears to be an attempt to bypass protection systems based on biometrics of user behavior.
When it’s discovered by incident responders, the authors continually refine and quickly update the malicious code to boost its stealthiness.
“Deep analysis by buguroo shows Gozi continues to evolve, and the latest variants use advanced techniques that leave organizations using the leading web fraud defense tools extremely vulnerable,” the researchers explained. “Further, the dynamic web injection being used indicates a high degree of automation to optimize the selection of ‘mules,’ based on the quality and vulnerability of the victim, with the juiciest prospects earning an ‘operators are standing by’ live intervention.”
The buguroo threat analysts observed both automated and manual “concierge” customized responses from the control panel, based on the situation determined by the webinject. Certain users are assigned to a specific mule in a particular country, and the malware operator decides the amount of money to be transferred. Other users are assigned to a random selected mule and a fixed amount of money to be transferred depending on their account balance. More reliable mules are assigned to bigger operations.
Photo © Serpeblu