- Jun 9, 2013
The GozNym banking malware is coming to America with a fresh tactic.
Hackers combined code from two malware types, known as Nymaim and Gozi, to create the unholy hybrid dubbed GozNym—a franken-trojan, if you will. It was first spotted in April, and has since evolved: Its operators are testing redirection attacks on four of the largest banks in the United States and targeting their business accounts, according to IBM X-Force. Redirection attacks are most typically used by organized cybercrime groups that have the resources necessary to implement them.
The overall idea behind redirection attacks is to hijack malware-infected users, sending them to a website that looks exactly like their bank’s site. They then log into their “account,” and their credentials are stolen on the fake site in real time, tested against the bank’s genuine home page and used to initiate a fraudulent money transfer out of the account.
“Moreover, the victim is kept on the fake website, where the attacker can push social engineering notifications to them, making them divulge personally identifiable information (PII) and two-factor authentication elements,” IBM researchers explained.
The firm added that the team behind GozNym has built its own special scheme designed to keep the attacks hidden from prying security researchers’ eyes.
“To prepare a successful redirection attack, GozNym has a two-stage process in place,” IBM researchers said. “At first, the malware redirects the victim to the fake site replica. It then masks the malicious webpage with a white overlay screen. The second part of the redirection is lifting the overlay and revealing the site replica to the infected user. IBM X-Force researchers believe the odd masking portion of the redirection attack is designed to keep the page looking harmless in an interim stage before it is presented to the victim.”
Read more: GozNym Attacks 4 US Banks with Redirection Attacks