Russian Trojan Built To Bypass Banking Security

The Gozi Trojan, which reportedly has been feeding stolen personal information to a Russian crime ring, is also exploiting flaws in the Internet Explorer browser.

A Trojan that is reportedly feeding information from 10,000 stolen records to a Russian crime ring was specifically designed to circumvent financial institutions' safeguards.

The malware writer designed the malicious code with components geared to bypass the multifactor authentication protections that financial institutions generally use, according to a spokesman for SecureWorks, which first discovered the Trojan. Calling it a "novel approach," the spokesman said they have notified the financial community to be on the lookout for a continuing or similar attack.

Analysts at SecureWorks said the Trojan, named Gozi, has been stealing personal information since Dec. 13, 2006. The malicious code, which had gone undetected for about 50 days, has stolen 10,000 records containing the personal information from roughly 5,200 people. A spokesman for the security company said in an e-mail to InformationWeek that their analysis showed that the stolen information included more than 2,000 Social Security numbers.

SecureWorks also reported that the data was obtained through compromised banking applications, student portals, online job applications, tax return electronic filing applications, government HR applications, and infected online call centers.

"Another interesting aspect is that several of the banks whose clients were compromised had multifactor authentication protections in place," the spokesman wrote in the e-mail. "However, the information Gozi captured enabled one to circumvent the protections and in a relatively easy fashion."

The stolen records included account numbers and passwords from clients of many of the top global banks and financial services companies and major U.S. retailers, reported the spokesman, who added that the hacker's receiving server also contained data, including employee login information, for confidential government and law enforcement applications.

The data was reportedly being offered for sale by Russian hackers for more than $2 million.

Don Jackson, a researcher for SecureWorks, said in an online advisory that many home PCs became infected when users visited popular community forums for hobbies and online games.

SecureWorks notified a U.S. law enforcement agency in February and has been working to aid the investigation, the spokesman said.

The Gozi mothership server is located on a Russian-owned business network with a history of slow, uncooperative, or nonexistent response to takedown requests, Jackson wrote in the advisory, calling the network a "haven" for people running Trojan, spyware, or phishing kits. The Russian subscription service selling the stolen data was taken down as of March 12, SecureWorks reports. The server, though, is still up and running, and receiving any stolen data that the Trojan is capturing.

The rate of new infections appears to be slowing down considerably, said Jackson.

An advisory on the U.S.-CERT Web site notes that while new and sophisticated exploits can be difficult to defend against, keeping antivirus software updated can significantly aid in the fight. The agency also suggests a series of steps for securing Web browsers.
