The GozNym banking malware is coming to America with a fresh tactic.
Hackers combined code from two malware types, known as Nymaim and Gozi, to create the unholy hybrid dubbed GozNym—a franken-trojan, if you will. It was first spotted in April, and has since evolved: Its operators are testing redirection attacks on four of the largest banks in the United States and targeting their business accounts, according to IBM X-Force. Redirection attacks are most typically used by organized cybercrime groups that have the resources necessary to implement them.
The overall idea behind redirection attacks is to hijack malware-infected users, sending them to a website that looks exactly like their bank’s site. They then log into their “account,” and their credentials are stolen on the fake site in real time, tested against the bank’s genuine home page and used to initiate a fraudulent money transfer out of the account.
“Moreover, the victim is kept on the fake website, where the attacker can push social engineering notifications to them, making them divulge personally identifiable information (PII) and two-factor authentication elements,” IBM researchers explained.
The firm added that the team behind GozNym has built its own special scheme designed to keep the attacks hidden from prying security researchers’ eyes.
“To prepare a successful redirection attack, GozNym has a two-stage process in place,” IBM researchers said. “At first, the malware redirects the victim to the fake site replica. It then masks the malicious webpage with a white overlay screen. The second part of the redirection is lifting the overlay and revealing the site replica to the infected user. IBM X-Force researchers believe the odd masking portion of the redirection attack is designed to keep the page looking harmless in an interim stage before it is presented to the victim.”
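As an added illustration from the defender's side (not code from the article or from IBM X-Force), the following JavaScript heuristic flags a page that is in the interim "masked" stage described above: a full-viewport, opaque, solid-colour layer stacked over the document content. The element descriptors, the assumed viewport size and the opacity threshold are assumptions; in a browser they would be populated from `getComputedStyle()` and `getBoundingClientRect()`.

```javascript
// Added illustrative heuristic, not code from the article or from IBM X-Force.
// It flags the interim stage described for GozNym's redirection attack: page content
// sitting behind a single full-viewport, opaque, solid-colour layer (the "white overlay").
// In a browser the descriptors would come from querySelectorAll('*') plus getComputedStyle()
// and getBoundingClientRect(); here they are constructed by hand so the logic runs offline.

const VIEWPORT = { width: 1280, height: 800 }; // assumed viewport size

function parseRgb(color) {
  const m = /^rgba?\((\d+),\s*(\d+),\s*(\d+)(?:,\s*([\d.]+))?\)$/.exec(String(color).trim());
  if (!m) return null;
  return { r: +m[1], g: +m[2], b: +m[3], a: m[4] === undefined ? 1 : +m[4] };
}

function coversViewport(rect, vp) {
  return rect.left <= 0 && rect.top <= 0 && rect.right >= vp.width && rect.bottom >= vp.height;
}

function isEffectivelyOpaque(el) {
  const bg = parseRgb(el.backgroundColor);
  if (!bg) return false;
  const opacity = el.opacity === undefined ? 1 : Number(el.opacity);
  return bg.a * opacity >= 0.99 && el.display !== 'none' && el.visibility !== 'hidden';
}

// Return elements that cover the whole viewport, are opaque, carry no text of their own,
// and are stacked above the document: what a masking overlay looks like.
function findMaskingOverlays(elements, vp = VIEWPORT) {
  return elements.filter(el =>
    (el.position === 'fixed' || el.position === 'absolute') &&
    coversViewport(el.rect, vp) &&
    isEffectivelyOpaque(el) &&
    !el.textContent.trim() &&
    Number(el.zIndex) > 0);
}

// Constructed sample: a login form hidden behind a white fixed layer (the interim stage).
function sampleMaskedPage() {
  return [
    { id: 'login-form', position: 'static', rect: { left: 300, top: 200, right: 900, bottom: 600 },
      backgroundColor: 'rgb(255, 255, 255)', zIndex: 'auto', textContent: 'Sign in' },
    { id: 'mask', position: 'fixed', rect: { left: 0, top: 0, right: 1280, bottom: 800 },
      backgroundColor: 'rgb(255, 255, 255)', zIndex: '9999', textContent: '' },
  ];
}

// Same page once the overlay has been "lifted" (display:none): nothing is flagged.
function sampleRevealedPage() {
  return sampleMaskedPage().map(el => el.id === 'mask' ? { ...el, display: 'none' } : el);
}

console.log(findMaskingOverlays(sampleMaskedPage()).map(el => el.id)); // ['mask']
```

A heuristic like this belongs in a browser extension or endpoint agent rather than on the bank's own pages, since the overlay is rendered on the attacker's replica site, not the genuine one.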
The news comes less than two months after GozNym set up and launched redirection attacks on banks in Poland. IBM X-Force researchers believe that GozNym is an evolving malware project on the scale of other banking Trojans such as Neverquest and Dridex. The malware is quickly becoming a top global player, ranking fifth in the cybercrime arena for 2016 so far, according to attack volume data reported by IBM Security antifraud solutions.
The redirection approach could increase its status even further: Dyre and Dridex malware’s use of redirection attacks helped to propel them to the No. 1 and No. 2 most aggressive malware families by attack volume (before Dyre disappeared).
Photo © mama_mia