Banks Facing Cyber Heist Threat in Early 2013

Posted: 27th December 2012

This report looks at warnings of a cyber operation dubbed ‘Project Blitzkrieg’ against United States banks using a trojan called Gozi-Prinimalka (overview from Trend Micro) that would allegedly skim millions of dollars from bank accounts during spring 2013. There are mixed feelings on the veracity of the threat’s source – a Russian hacker working by the name vorVzakone – but experts in the field believe that the reported technical capability is real.

Below is a history of vorVzakone since the hacker took to recruiting accomplices on forums in September 2012 and a short selection of key events since then:

  • September 9 – Appears on internet forums seeking recruits for a mass attack on banks exploiting gaps in anti-fraud mechanisms.
  • September 26 – Posted YouTube video claiming to show his home and fellow hacker. Vehicle agencies indicating that the license plates on the Toyota and other cars shown in a YouTube video were registered to a 27-year-old Oleg Vsevolodovich from Moscow.
  • October 8 – The threat hits the mainstream after popular security blog Krebs on Security reports on the story so far. Krebs and other analysts quickly question whether this operation is legitimate as described or a scheme by Russian law forces.
  • October 25 – Latest threat intelligence suggests the most recently infected account on this date, and shortly thereafter, VorVzakone states that he has already taken $5 million from the accounts of the customers of U.S. banks.
  • December 16 – McAfee announces that the original variant of Prinimalka (here’s a historical timeline) was created in November 2008, and was tied to attack infrastructure based in Ukraine.

Little new evidence has emerged since the mid-December report, but McAfee Labs reiterated the warning of a full scale operation planned by vorVzakone for the spring of 2013 that is intended to steal millions of dollars from customer accounts. The scheme is one of several upcoming cyber threats to watch during the next several months.

We’ll be following this subject, but as shown above, you can pop in to Recorded Future and analyze public reporting on this threat as well. Separately, in drawing up the visualizations for this write up, we stumbled across a familiar name in the Izz ad-Din al-Qassam Cyber Fighters, who are also threatening US banks with cyber attacks in the coming days. We’ll be back soon with deeper research on that organization, but in the meantime, leave us your thoughts on the Gozi trojan and Project Blitzkrieg.