Security experts from McAfee have analyzed the campaign

Dec 14, 2012 08:57 GMT

In October, RSA revealed that a cybercriminal known as vorVzakone was planning a massive operation against 30 banks in the United States. Some have speculated that this might be a sting set up by Russian law enforcement, but experts believe that it’s a real threat.

Security researchers from McAfee have managed to track down the server used by the criminal mastermind in the early stages of the operation, dubbed Project Blitzkrieg, and they’ve been able to identify the version of the Gozi Prinimalka Trojan that infected victims.

After Project Blitzkrieg started making headlines, some thought that the cybercriminals might be discouraged and would put a stop to their plans, but according to experts, some criminal groups have already accepted vorVzakone’s offer to join the campaign.

Since 2008, there have been a number of malicious operations that leveraged the Gozi Prinimalka Trojan.

One of the early campaigns operated on Ukrainian networks between 2008 and 2011. The cybercriminals used the “nah” version of the Trojan, which is an older variant.

Starting in March 2012, vorVzakone ran a pilot campaign before making his intentions public. As part of this pilot, at least 300 to 500 victims were infected.

Even more recently, cybercriminals operating on Romanian networks initiated a campaign between August and October 2012. Their targets were all US banks.

Interestingly, the cybercriminals didn’t target hundreds of thousands of victims. Instead, they attacked selected groups, most likely in an attempt to stay under the radar and to reduce the malware’s footprint.

These latest campaigns have been relying on the newer “gov” version of the Gozi Prinimalka Trojan.

“Although Project Blitzkrieg hasn’t yet infected thousands of victims and we cannot directly confirm any cases of fraud, the attackers have managed to run an operation undetected for several months while infecting a few hundred,” experts say.

The complete report from McAfee is available here.