New malware campaign avoids detection to target major financial brands
Updated versions of the Gozi malware are being used in currently active campaigns targeting global financial brands according to threat intelligence experts buguroo Labs.
Targets of the attack include PayPal, CitiDirect BE, ING Bank, Société Générale, BNP Paribas, and the Bank of Tokyo. It's expected that attacks currently being perfected in Poland, Japan and Spain, will soon be launched in the US and Western Europe.
When an infected user at a target financial institution attempts a transaction, the malware’s C&C server is notified in real time and sends the user's browser the information necessary for carrying out fraudulent transfers. The injected code presents a fraudulent deposit-pending alert requesting a security key from the user to complete the transfer. Hidden beneath this, however, is the actual transfer page being presented to the bank. The unsuspecting user is inadvertently entering their key to send their money to a 'mule' designated by the malware operators.
Analysis by buguroo shows that these latest Gozi variants use advanced techniques that leave even organizations using the leading web fraud defense tools extremely vulnerable. In addition, the dynamic web injection being used indicates a high degree of automation to optimize the selection of 'mules' based on the quality and vulnerability of the victim, with the juiciest prospects earning an 'operators are standing by' live intervention.
"Through our ongoing cyber intelligence activity and world-class expertise, our team was able to identify the latest Gozi advances and alert the public," says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo. "We are also proud to confirm that bugFraud Defense is one of the few, and perhaps the only, effective defense against these very sophisticated emerging attacks".