Global banks targeted by new versions of the infamous Gozi trojan
A new report from security firm buguroo (BUGUROO OFFENSIVE SECURITY S.L.) has revealed a new campaign targeting global banks and finance companies that uses more effective versions of the infamous Gozi trojan.
According to the report, the targeted companies include PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, the Bank of Tokyo and others. The campaigns are currently being honed in Poland, Japan and Spain, and will likely be launched against the United States and Western Europe once perfected.
The new versions of Gozi are said to go undetected by web fraud solutions because they use an elaborate form of web injection that is optimized to avoid detection. A web inject is a modification the malware makes to the bank's page inside the victim's browser, so what the user sees no longer matches what the bank's server actually sent.
When an infected user at a targeted financial institution attempts a transaction, the command-and-control server is notified in real time and sends the user's browser the information necessary for carrying out a fraudulent transfer.
On screen, the injected code shows the user a fraudulent "deposit pending" alert requesting the security key needed to complete the transfer. This alert sits on top of the real transfer page, drawing the target into keying in the code that authorizes the fraudulent transfer.
Notably, the account information the trojan captures from the infected user can include the SWIFT BIC and account details used for international money transfers. buguroo suggests that the new Gozi variants may underlie the recent spate of fraudulent transfers reported by a number of central banks that used SWIFT for transfers.
What makes the evolution of Gozi fascinating (presuming you can appreciate the dark arts) is that certain newer versions are said to send a form of behavioral biometric data to the control panel: how long the user takes to move from one input field to the next, and the time between keystrokes. The trojan then uses these values when it fills in the fields for the fraudulent transfer, in an attempt to bypass protection systems that rely on the biometrics of the given user. Put more simply, it feeds data back into the system while mimicking the way that user types.
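To make the last point concrete, here is an added illustration of how a typing-cadence check of the kind the report refers to works, and why replaying the victim's own captured timings defeats it while an ordinary scripted form fill does not. This is example code written for this article; it is not from the buguroo report, not Gozi's code and not any vendor's detection product. The enrolment sessions, the scoring rule (mean absolute z-score per interval position with a threshold of 3) and the `isExactReplay` countermeasure are all constructed assumptions for the sake of the demonstration.

```javascript
// Added illustration (not from the buguroo report or any vendor product):
// a behavioural-biometrics check on typing cadence, a plain scripted fill
// that fails it, and a replay of the victim's captured timings that passes it.
// All timing numbers below are constructed.

// Constructed sample: inter-keystroke intervals (ms) recorded on four earlier
// logins while the user typed a 6-digit security code. Malware hooking the
// page's keydown events sees exactly these deltas, which is what the article
// says the newer Gozi variants send to their control panel.
const ENROLMENT_SESSIONS = [
  [180, 210, 165, 230, 195],
  [175, 220, 170, 240, 200],
  [190, 205, 160, 225, 190],
  [170, 215, 175, 235, 205],
];

// Per-position profile: mean and standard deviation of each interval.
function buildProfile(sessions) {
  const n = sessions[0].length;
  const profile = [];
  for (let i = 0; i < n; i++) {
    const xs = sessions.map((s) => s[i]);
    const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
    const variance = xs.reduce((a, b) => a + (b - mean) ** 2, 0) / xs.length;
    // Floor the deviation so a near-constant interval cannot blow up the z-score.
    profile.push({ mean, sd: Math.max(Math.sqrt(variance), 5) });
  }
  return profile;
}

// Mean absolute z-score of an observed interval vector against the profile.
// A vector of the wrong length cannot belong to this form and is rejected.
function cadenceDistance(profile, observed) {
  if (observed.length !== profile.length) return Infinity;
  let total = 0;
  for (let i = 0; i < profile.length; i++) {
    total += Math.abs(observed[i] - profile[i].mean) / profile[i].sd;
  }
  return total / profile.length;
}

// Accept when the cadence is within `threshold` standard deviations of the user's own.
function matchesUser(profile, observed, threshold = 3) {
  return cadenceDistance(profile, observed) <= threshold;
}

// What an ordinary form-filling bot produces: every field value is pushed in
// at once, so every inter-key interval is zero.
function scriptedFillTimings(length) {
  return new Array(length).fill(0);
}

// What the replay described in the article produces: the trojan captured one
// real session and feeds the same deltas back when it fills in the fields.
function replayTimings(capturedSession) {
  return capturedSession.slice();
}

// A server-side countermeasure the cadence check alone lacks (assumed here,
// not from the report): an exact repeat of a previously seen timing vector is
// itself suspicious, because a human never reproduces a cadence to the millisecond.
function isExactReplay(sessions, observed) {
  return sessions.some(
    (s) => s.length === observed.length && s.every((v, i) => v === observed[i]),
  );
}

const profile = buildProfile(ENROLMENT_SESSIONS);
console.log('scripted fill accepted:', matchesUser(profile, scriptedFillTimings(5))); // false
console.log('replayed cadence accepted:', matchesUser(profile, replayTimings(ENROLMENT_SESSIONS[0]))); // true
console.log('replay flagged:', isExactReplay(ENROLMENT_SESSIONS, replayTimings(ENROLMENT_SESSIONS[0]))); // true
```

The point of the example is that a check which only asks "does this cadence look like this user's?" is satisfied by the user's own recorded cadence, which is precisely what malware running inside the browser can observe. A defender therefore needs a signal the browser cannot supply, such as out-of-band confirmation of the actual transfer details, alongside server-side checks like the replay detection sketched above.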
“Perhaps most importantly for businesses, these campaigns are sophisticated enough to evade traditional web fraud detection tools,” the report concludes. “Companies are advised to install Internet-based, real-time web fraud detection to prevent these attacks from happening to them.”
A full copy of the report is available from buguroo here.
Image credit: Pixabay/Public Domain CC0