Last week, security firm RSA detailed a new cybecriminal project aimed at recruiting 100 botmasters to help launch a series of lucrative online heists targeting 30 U.S. banks. RSA’s advisory focused primarily on helping financial institutions prepare for an onslaught of more sophisticated e-banking attacks, and has already received plenty of media attention. I’m weighing in on the topic because their analysis seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets.
RSA wasn’t specific about where it got its intelligence, but the report’s finding appear tied to a series of communications posted to exclusive Underweb forums by a Russian hacker who uses the nickname “vorVzakone,” which translates to “thief in law.” This is an expression in Russia and Eastern Europe that refers to an entire subculture of elite criminal gangs that operate beyond the reach of traditional law enforcement. The term is sometimes also used to refer to a single criminal kingpin.
A screen shot posted by vorVzakone, showing his Project Blitzkrieg malware server listing the number of online victims by bank.
In early September, vorVzakone posted a lengthy message announcing the beginning stages of a campaign he dubbed “Project Blitzkrieg.” This was envisioned as a collaborative effort designed to exploit the U.S. banking industry’s lack of anti-fraud mechanisms relative to European financial institutions, which generally require two-factor authentication for all wire transfers.
The campaign, purportedly to be rolled out between now and the Spring of 2013, proposes organizing hacker cells throughout the cybercriminal community to collaborate in exploiting these authentication weaknesses before U.S. banks erect more stringent controls. “The goal – together, en-masse and simultaneously process large amount of the given material before anti-fraud measures are increased,” vorVzakon wrote. A professionally translated version of his entire post is available here.
RSA said the project is being powered by a version of the Gozi Trojan called “Gozi Prinimalka.” The company believes this Trojan is part of family of malware used by a tight-knit crime gang that has stolen at least $5 million from banks already. From its analysis:
“In a boot camp-style process, accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims’ accounts into mule accounts controlled by the gang. To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits. The gang and a long list of other accomplices will also reap their share of the spoils, including the money-mule herder and malware developers.
While the campaign is not revolutionary in technical terms, it will supposedly sport several noteworthy features. A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website.”
vorVzakone also says the operation will flood cyberheist victim phone lines while the victims are being robbed, in a bid to prevent account holders from receiving confirmation calls or text messages from their banks (I’ve covered this diversionary tactic in at least a couple of stories). Interestingly, this hacker started discussion threads on different forums in which he posts a video of this service in action. The video shows racks of centrally-managed notebook computers that are each running an installation of Skype. While there are simpler, cheaper and less resource-intensive ways of tying up a target’s phone line, causing all of these systems to call a single number simultaneously would probably achieve the same result. If you don’t see English subtitles when you play the video below, click the “cc” icon in the player to enable them:
THE FIRST RULE OF PROJECT BLITZKRIEG…
vorVzakone’s post has been met with a flurry of curiosity, enthusiasm and skepticism from members of the underground. The skepticism appears to stem from some related postings in which he brags about and calls attention to his credentials/criminal connections, an activity which tends to raise red flags in a community that generally prefers to keep a low profile.
In the following introductory snippet from a homemade movie he posted to youtube.com, vorVzakone introduces himself as “Sergey,” the stocky bald guy in the sunglasses. He also introduces a hacker who needs little introduction in the Russian underground — a well-known individual who used the nickname “NSD” [an abbreviation for the Russian term несанкционированный доступ, or “unauthorized access”] in the mid-2000s, when he claims to have exited the hacking scene.
“Good day to everybody, evening or night, depends on when you are watching me,” the hacker begins, standing in front of a Toyota Land Cruiser. “My name is Serega, you all know me by my nickname “vor v zakone” on the forum. This is my brother, my offline representative – Oleg ‘NSD’. So, what? I decided to meet you, let’s say ‘remotely.’ Without really meeting, right? Now you will see how I live. Let’s go, I will show you something.”
A still shot from a video posted by hacker “vorVzakone”, foreground.
And he proceeds to show viewers around what he claims is his home. But many in the underground community found it difficult to take seriously someone who would be so cavalier about his personal safety, anonymity and security. “This guy’s language and demeanor is that of street corner drug dealer or a night club bouncer, and not of someone who can comprehend what ‘backconnect socks’ or GeoIP is,” remarked one Russian expert who helped translate some of the documentation included in this blog post.
But soon enough, hackers on the forums in which vorVzakone had posted his videos began checking the story, digging up records from Russian motor vehicle agencies indicating that the license plates on the Toyota and other cars in video were registered to a 27-year-old Oleg Vsevolodovich Tolstykh from Moscow. Further, they pointed out, the videos were posted by a youtube user named 01NSD, who also had previously posted Finnish and Russian television interviews with NSD describing various facets of the hacker underground. Indeed, if you pause this 2007 video 22 seconds in, you can see on NSD’s screen that he’s in the midst of a chat conversation with a hacker named vorVzakone.
In response to taunts and ridicule from some in the underground, vorVzakone posted this message on Oct. 6 to a prominent crime forum explaining why he doesn’t worry about going public with his business.
“Hi all
Many saw videos on neighboring forums, where I openly demonstrate my cars, house and face.
What do I want to say?
That if you accurately target customers in the USA while being in Russia then you can fear nothing while living in your country. Except the one thing – you should never expose yourself during заливы [“залив” means “in the process of stealing victim’s money from a bank account”].
I am the obvious example of the fact that you can fear nothing in our country, you can live openly and calm.”
‘INSURANCE FROM CRIMINAL PROSECUTION’
vorVzakone’s apparent calm may also be part of a clever sales pitch for another criminal service he is currently pimping to the Underweb: “Insurance from criminal prosecution” for cybercrime charges. For a deposit of 15,000 rubles (roughly $500), hackers can avail themselves of a service that — in the event that local prosecutors levy cyber criminal charges — will try to bribe officials into scuttling the case. “Full anonymity,” vorVzakone promised hackers who signed up for his insurance program. “The [customer’s] real last name gets known only when this person’s ‘ass is on fire.’”
This incredibly bold offering promises many things to subscribers, including the assignment of an attorney, reachable via a subscriber-specific phone number and PIN code. From there, the attorney meets with police and the accused, and discusses the case with his client.
“If there is no credible evidence, the lawyers put pressure on law enforcement officials, so that the person gets set free; If evidence is falsified, they work with local police internal affair office and local prosecutors. If the evidence is credible, they work with the investigator to “buy out” the accused; If there are “real proofs” of felony, they will try to “buy out” the person from the problem; If they are not successful, we find access to investigator’s management (we have contacts). $40,000 is enough to buy the insured out from investigator’s management. There are also people who are ready to go to prison instead of the subscriber.” [emphasis added].
Subscribers are offered a $10,000 budget to cover attorney travel costs and initial legal (and probably extra-legal) maneuvers on the client’s behalf. The ad also gives us a rough approximation of what it generally costs to bribe or intimidate local law enforcement officials into inaction.
- $1,000 is enough to take knowledgeable lawyer to neighboring region by car.
- $3000 is enough to fly to any region with two lawyers.
- $6,000-$8,000 is enough to involve local police internal affair office to build the case against the police.
- $20,000 is enough to buy out the insured from the investigator.
- $40,000 is enough to buy the insured out from local police chiefs.
- $100,000 is enough to resolve the issue at the highest levels of management or to place some “drop” to prison instead of the insured.
For those interested in reading more, a rough translation of the entire advertisement for the “insurance from criminal prosecution” service is available here.
TAKEAWAYS?
It’s difficult to say whether vorVzakone’s offerings are legitimate, or if he is — as many in the underground apparently fear — an instrument (if not creation) of Russian law enforcement officials. Nevertheless, banks should already be moving toward implementing more stringent authentication controls for customers who want to move money. Unfortunately, many U.S. financial institutions are lagging behind the rest of the world in this regard.
Under “Regulation E” of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen tens of millions of dollars from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.
But the best way to avoid a cyberheist is to not have your computer systems infected in the first place. The trouble is, it’s becoming increasingly difficult to tell when a system is or is not infected. That’s why I advocate the use of a Live CD approach for online banking: That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like Gozi, your online banking session is protected.