Russian Trojan Built To Bypass Banking Security - InformationWeek



Russian Trojan Built To Bypass Banking Security

The Gozi Trojan, which reportedly has been feeding stolen personal information to a Russian crime ring, also is exploiting flaws in the Internet Explorer browser.

A Trojan that is reportedly feeding information from 10,000 stolen records to a Russian crime ring was specifically designed to circumvent financial institutions' safeguards.

The malware writer designed the malicious code with components geared to bypass the multifactor authentication protections that financial institutions generally use, according to a spokesman for SecureWorks, which first discovered the Trojan. Calling it a "novel approach," the spokesman said the company has notified the financial community to be on the lookout for a continuing or similar attack.

Analysts at SecureWorks said the Trojan, named Gozi, has been stealing personal information since Dec. 13, 2006. The malicious code, which had gone undetected for about 50 days, has stolen 10,000 records containing personal information on roughly 5,200 people. A spokesman for the security company said in an e-mail to InformationWeek that the analysis showed the stolen information included more than 2,000 Social Security numbers.

SecureWorks also reported that the data was obtained through compromised banking applications, student portals, online job applications, tax return electronic filing applications, government HR applications, and infected online call centers.

"Another interesting aspect is that several of the banks whose clients were compromised had multifactor authentication protections in place," the spokesman wrote in the e-mail. "However, the information Gozi captured enabled one to circumvent the protections and in a relatively easy fashion."

The stolen records included account numbers and passwords from clients of many of the top global banks and financial services companies and major U.S. retailers, reported the spokesman, who added that the hacker's receiving server also contained employee login information for confidential government and law-enforcement applications.

The data was reportedly being offered for sale by Russian hackers for more than $2 million.

Don Jackson, a researcher for SecureWorks, said in an online advisory that many home PCs became infected when users visited popular community forums for hobbies and online games.

SecureWorks notified a U.S. law enforcement agency in February and has been working to aid the investigation, the spokesman said.

The Gozi mothership server is located on a Russian-owned business network with a history of slow, uncooperative, or nonexistent response to takedown requests, Jackson wrote in the advisory, calling the network a "haven" for people running Trojan, spyware, or phishing kits. The Russian subscription service selling the stolen data was taken down as of March 12, SecureWorks reports. The server itself, though, is still up and running, and still receiving whatever stolen data the Trojan continues to capture.

The rate of new infections appears to be slowing down considerably, said Jackson.

An advisory on the U.S.-CERT Web site notes that while new and sophisticated exploits can be difficult to defend against, keeping antivirus software updated can significantly aid in the fight. The agency also suggests a series of steps for securing Web browsers.
