Earlier reports of a planned, sophisticated attack on 30 U.S. banks, aimed at siphoning millions of dollars through fraudulent wire transfers, have been vetted by McAfee Labs in a just-released report.
Speculation about the authenticity of the planned attack, dubbed Project Blitzkrieg, on large U.S. financial institutions surfaced this fall after a hacker going by the handle vorVzakone (“thief in law”) advertised for accomplices in an underground forum in September. His messages included screenshots of the malware and details of how he planned to organize a botnet of infected machines to exploit a weakness in the authentication that banks and brokerage firms use for wire transfers.
“Not only did we find evidence validating the existence of an early pilot campaign operated by vorVzakone and his group using the Trojan Prinimalka that infected at a minimum 300 to 500 victims across the United States, but we were also able to track additional campaigns as a result of the forum posting,” according to Ryan Sherstobitoff, a McAfee Labs threat researcher who authored a report released Thursday.
Prinimalka is a variant of the Gozi malware family designed to steal online-banking login credentials. The little-known Trojan can clone the profile of a victim’s computer (its system and browser settings) so that fraudulent sessions launched from the attacker’s copy look, to a bank’s device-fingerprinting fraud controls, as if they came from the victim’s own machine, letting the attacker bypass bank and credit union security systems. Targets are said to include major players like Wells Fargo, Citibank, Bank of America and JPMorgan Chase.
“We do know that the thieves have had an active system since April 2012, with at least 500 victims who can be linked to vorVzakone,” the report states. “Most victims’ accounts are at investment banks. It will be interesting to see how the attackers will move money from these accounts, which are certainly targets of high value.”
The scheme was first uncovered earlier this fall by security firm RSA. Following a flurry of media coverage about the planned attack, vorVzakone went dark, leading some to believe the grand heist had been called off or at least put on hold. But the McAfee report suggests the hacker may simply have gone deeper underground, particularly after being chastised by peers for drawing so much attention.
“Although Project Blitzkrieg hasn’t yet infected thousands of victims and we cannot directly confirm any cases of fraud, the attackers have managed to run an operation undetected for several months while infecting a few hundred. That subsequent campaigns using Prinimalka have popped up after the initial forum posting, though connecting to different infrastructure, suggests that other groups have bought into vorVzakone’s offer,” Sherstobitoff wrote.