A new report from security firm buguroo (BUGUROO OFFENSIVE SECURITY S.L.) has revealed a new campaign targeting global banks and finance companies that is utilizing more effective versions of the infamous Gozi trojan.

According to the report, targeted companies include PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and others and are currently being honed in Poland, Japan, and Spain before likely being launched in the United States and Western Europe once perfected.

The new versions of Gozi are said to go undetected by web fraud solutions as it uses an elaborate form of web injection that is optimized to avoid detection.

When an infected user at a targeted financial institution attempts a transaction the Command and Control service is notified in real time and sends the users’ browser the information necessary for carrying out a fraudulent transfer.

On the screen the injected code shows the user a fraudulent deposit-pending alert requesting the security key to complete the transfer; this sits on top of the actual real transfer page drawing in the target to key in their code.

Interestingly the account information of the infected user can include the SWIFT BIC and account information used for international money transfers, with buguroo suggesting that the new Gozi variants may underlie the recent spate of fraudulent transfers reported by a number of central banks that utilized Swift for transfers.

Biometric bypass

Making the evolution of Gozi fascinating (presuming you can appreciate the dark arts) is that in certain newer versions the trojan is said to send a form of biometric information to its control panel, including details of how long the user takes to move from an input field to the next or the time between keystrokes; it then subsequently uses these values to fill in the necessary field to perform the fraudulent transfer in an attempt to bypass protection systems that utilize the biometrics of the given user, or put more simply it inputs data back into the system mimicking the way the given user types.

“Perhaps most importantly for businesses, these campaigns are sophisticated enough to evade traditional web fraud detection tools,” the report concludes. “Companies are advised to install Internet-based, real-time web fraud detection to prevent these attacks from happening to them.”

A full copy of the report is available from buguroo here.

Image credit: Pixabay/Public Domain CC0