Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Russians Set to Make Big Withdrawals from U.S. Banks — Without Having Bank Accounts. Cybercriminal Start-up Recruiting Botmasters for Massive Attack.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

Using profit-sharing as added incentive to get recruits, a Russian-speaking criminal startup is organizing a massive fraudulent wire transfer Trojan attack targeting U.S. banks. Security expert Mor Ahuvia says a vorVzakone (Russian for Thief-in-Law) is at the center of the scheme. This thief-in-law — not to be confused with a brother-in-law who’s a business partner and embezzles — is, according to Wikipedia, “a criminal who is respected, has authority and a high ranking status within the criminal underworld in the old Soviet Union and its successor states. Thieves-in-law are the elite of the Post-Soviet world of organized crime.”

Using the Underweb, a new multimedia communications alternative to the WWW, this vorVzakone, or Vory for short, is putting out “want ads” for botmasters to attack U.S. banks en masse using a Trojan that’s been used to steal more than $5 million from U.S. banks since 2008.

Ahuvia says American banks were allegedly targeted for two reasons. One was an anti-American bias. Another was security. European banks require two-factor authentication for wire transfers; American banks only rarely do.

In his account, security researcher Brian Krebs reports, “the cyberattack will allegedly ingeniously distract American victims. Account holders’ phone lines will be flooded, preventing them from receiving confirmation calls or text messages from their banks while their accounts are siphoned. … account holders at major American financial institutions such as TD Ameritrade, Bank of America, Capital One, Chase, PNC Bank, and Wells Fargo are at risk.”

The Vory made a video clip to show how victims’ phone lines will be flooded via Skype. And, just for Russian speakers, there’s a YouTube video explaining much of the scheme. Fortunately for the Vory, no one in the security industry or law enforcement speaks Russian. Yes, that was sarcasm. And there’s more sarcasm to come. Or maybe it’s irony: The Vory team claims to be using a proprietary Trojan called Gozi Prinimalka, which completes fraudulent wire transactions through manual sessions. But exactly what is a proprietary Trojan? Like the creators of Gozi Prinimalka are going to sue if somebody pirates their software!

Kaspersky Labs noted that the attack is code-named Project Blitzkrieg and that it follows closely after recent DDoS attacks on U.S. banks.

Neal Ungerleider points out a number of things that don’t seem to add up. “It is highly unusual for cybercriminals such as vorVzakone to make self-promoting YouTube videos and to post help-wanted ads for accomplices online, and it is equally unusual for prominent firms such as RSA to go public before an attack actually takes place. One thing is for sure: The security breaches that the Russian hackers claim they will exploit exist in America–but not in the European Union, where more stringent regulations exist.”

Andreas Baumhof, chief technology officer at ThreatMetrix, offered this perspective in BankInfoSecurity.

“The reality is that they have only limited options,” Baumhof says. “Gozi is known to be able to defeat two-factor authentication. … All financial institutions know that they are exposed to a greater risk; the problem is that they have no way of mitigating this risk.”

Baumhof, however, says banks and credit unions can improve their Trojan detection by implementing more thorough reviews of online transactions. But the process at many institutions is far too manual, which makes it time- and resource-consuming.
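One way a bank could turn the attack pattern Krebs describes (confirmation calls and texts blocked while the wire goes through) into a transaction review rule, as an added example that is not ThreatMetrix's code or part of the original post: hold a wire for manual review when every out-of-band confirmation attempt failed and the transfer is also large or to a new beneficiary. The Wire and Confirmation records, the 10,000 amount threshold and the 30-minute window are constructed assumptions.

```python
"""Triage wires whose out-of-band confirmation never reached the customer."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Wire:                      # constructed record of a submitted wire transfer
    tx_id: str
    account: str
    amount: float
    new_beneficiary: bool        # payee never used by this account before
    submitted: datetime


@dataclass
class Confirmation:              # constructed log of one confirmation attempt
    tx_id: str
    channel: str                 # "call" or "sms"
    outcome: str                 # "delivered", "busy", "no_answer", "undeliverable"
    attempted: datetime


FAILED_OUTCOMES = {"busy", "no_answer", "undeliverable"}
REVIEW_AMOUNT = 10_000.0         # assumed threshold for a "large" wire


def review_decision(wire, confirmations, window=timedelta(minutes=30)):
    """Return (decision, reasons): 'release', 'retry' or 'hold' for manual review."""
    attempts = [c for c in confirmations
                if c.tx_id == wire.tx_id and abs(c.attempted - wire.submitted) <= window]
    reasons = []
    if not attempts:
        reasons.append("no confirmation attempted")
    elif all(c.outcome in FAILED_OUTCOMES for c in attempts):
        channels = ", ".join(sorted({c.channel for c in attempts}))
        reasons.append(f"confirmation failed on {channels}")
    if not reasons:
        return "release", reasons          # customer acknowledged the wire
    # An unreachable customer alone is not proof of fraud (a flooded line looks like
    # any busy line), so hold only when the wire itself is also unusual.
    if wire.new_beneficiary:
        reasons.append("new beneficiary")
    if wire.amount >= REVIEW_AMOUNT:
        reasons.append(f"amount >= {REVIEW_AMOUNT:.0f}")
    return ("hold", reasons) if len(reasons) > 1 else ("retry", reasons)


def triage(wires, confirmations):
    """Map every wire id to its review decision."""
    return {w.tx_id: review_decision(w, confirmations) for w in wires}
```

Running triage over a constructed batch where one large new-payee wire had both its call and SMS confirmations fail yields a "hold" for that wire, a "retry" for a small wire with a single busy call, and "release" for a wire whose call was delivered.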

Ultimately, banks may have to absorb financial losses linked to attacks, Baumhof says, because it will be impossible for them to detect and stop everything coming their way.

“My fear is that banks that just did as much as they had to, or as much as the FFIEC told them, could now be in trouble,” he says.
