Online thieves are planning to attack bank websites by using an obscure banking Trojan and recruiting 100 hackers to control botnets, security firm RSA says. The thieves allegedly plan to commit fraudulent wire transfers by breaking into accounts and impersonating their victims online in order to create more victims.
The hackers plan to execute a man-in-the-middle attack, a method of manipulation that involves connecting to two computers, eavesdropping on them and intercepting and replacing their communications.
When this attack is done right, the two victims believe they are having a private conversation, when in reality the man-in-the-middle is sending its own messages to both of them.
RSA's FraudAction team picked up on communications indicating that a gang is targeting up to 30 American banks for an online heist. According to RSA's research, the hackers plan to use a relatively unknown banking Trojan called Gozi.
Based on previous cyberheists involving Gozi, RSA believes the group may be a Russian outfit known as the HangUp Team.
[ The Bank Cyberattacks: Is Your Money Safe? ]
According to Mor Ahuvia, a cybercrime communications specialist for RSA, the hackers are attracted to American financial institutions because many European banks require two-step authentication that makes breaking into accounts much more difficult.
The little-known Gozi Trojan is responsible for some $5 million in missing money. The hackers probably hope that Gozi's obscurity will make it more difficult to combat.
Despite RSA's effort to bring the planned heist to light before it occurs, Ahuvia doesn't think it will be much of a deterrent.
"I don’t think anything we know will have such a dramatic effect on them. There are so many Trojans available and so many points of failure in security that could go wrong, that they’d still have some chance of success," Ahuvia told Threatpost.
The sustained, distributed denial-of-service attacks aimed at American banks over the past two weeks probably weren't motivated by money, but some analysts speculated that the attacks may have been a distraction to cover up an online theft.
Follow Ben on Twitter @benkwx.
