NEWS
What would be the perfect bank heist? A Russian cyber-criminal known as “Thief-in-Law” has this figured out. By infecting hundreds of computers belonging to American bank customers, he plans on stealing millions of dollars in a little operation that has been dubbed “Project Blitzkrieg”.
Blitzkrieg is German for “Lightning War” and is better known as a term describing an all-out attack against a target. Thief-in-Law is apparently recruiting an army of hackers to aid him in his efforts. A KrebsOnSecurity story some weeks ago described one of his posted videos in which he boasted of his online criminal activities and immunity from law enforcement. He claims to have already pilfered $5 million using malware he has named “Gozi Prinimalka”, a specialized banking Trojan designed to exploit a significant lack of anti-fraud elements in the United States banking system. One of the main faults being targeted is the lack of two-factor authentication in wire transfer authentication. The Trojan has managed to exist only in the online criminal underworld thus far, used by a gang of cyber-criminals that has not traded or swapped it with other parties.
How does the malware work? Well, it’s not your classic hold-up. Once a computer is infected, it is designed to steal passwords and login information in a number of different ways. It can also find answers to online banking challenge questions that we are all quite familiar with. It is also reportedly so sophisticated that it gathers information from a target’s computer to allow the hacker to impersonate that computer in a log-on session.
The development of the system took 4 years of daily work and around $500.000 was spent
Since 2008 by using this product not less than $5m was transferred just by one team.
The infosec community has taken notice. McAfee’s Ryan Sherstobitoff reports that two pilot programs appear to have been deployed already. He further reports that Project Blitzkrieg will be moving forward as planned. In a post, “Thief-in-Law”, known in Russian as vorVzakone (meaning kingpin or one who is beyond the reach of the law), states the goals of launching these hacker cells and the timing for the attack, sometime in the Spring of 2013:
“The goal – together, en-masse and simultaneously process large amount of the given material before anti-fraud measures are increased,”
According to KrebsOnSecurity, vorVzakone has done little to hide his identity. He has posted YouTube videos of his residence, showing off his equipment, and has even been interviewed on television to discuss his hacker lifestyle. The reason is that he is apparently also a pitchman for a form of insurance: for about $500, if a hacker should face charges, his service will go about bribing people until the case goes away and will assign an attorney to the case. For informational purposes, here is the bribe price chart:
While the security community will keep its eyes on this, some dismiss the whole thing as a shill, pointing to the bribe scheme and the apparently open nature of the effort, yet others such as McAfee see continued validity in the threat. The banking industry has stated that it is prepared for these potential attacks, citing signature information from the attack and specific knowledge of when the attacks are reportedly coming.