Time Is Money: GozNym Launches Redirection Attacks in Poland

The GozNym banking malware, a Trojan hybrid discovered by IBM X-Force in early April, isn’t wasting any time. A week after launching an aggressive attack campaign on 24 banks in North America, GozNym’s operators are spreading a new European configuration. On the list this time: corporate, SMB, investment banking and consumer accounts held with major Polish banks; one bank in Portugal; and one American bank.

It gets worse. The GozNym team has apparently been hard at work: the new configuration also launches redirection attacks, currently aimed at 17 select banks in Poland and one major Portuguese bank.

According to X-Force research, this configuration has one of the widest attack scopes in Poland, proving that the country has become a lucrative target for organized cybercrime. Beyond redirection instructions for 17 bank brands, the target list includes close to 230 URLs covering the websites of community banks and webmail service providers in Poland.

Redirection Attacks: A Cybergang’s Blueprint

Redirection attacks are successful because they bypass bank security measures by taking victims to a malicious website before they ever reach the bank’s actual site. The malicious website is a replica of the bank’s legitimate page, leaving victims unaware that they’ve been tricked.

By keeping victims away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes on the replica site, all without the bank knowing that the customer’s session has been compromised.

Redirection attacks are most often associated with the resources and capabilities of organized cybergangs that have developers on their team. Pulling one off takes extra setup, specifically building a unique replica site for each targeted bank and keeping it current with the real site.
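One check a defender can run against this kind of attack, as an added example that is not part of the original post or of X-Force's tooling: because the victim's browser still shows the bank's hostname while the page is actually served from attacker infrastructure, egress telemetry that records the requested hostname, the IP address it resolved to and the TLS certificate presented can be compared against the bank's known serving ranges and certificate names. The log format, the `online.examplebank.pl` hostname, the IP ranges and the certificate names below are all constructed for this example; a real allowlist would be built from the bank's published ranges and the certificates it is actually observed presenting.

```python
"""Flag sessions to a monitored bank hostname that are not served by the bank.

Redirection-style Trojans take the victim to a replica page instead of the
real bank site, so the hostname looks right while the connection goes
elsewhere. This compares each logged session against a known-good profile.
All profiles, log lines and addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BankProfile:
    """Where a bank hostname is legitimately served from (constructed values)."""
    nets: Tuple[ipaddress.IPv4Network, ...]   # address ranges the bank serves from
    cert_cns: Tuple[str, ...]                  # certificate names the bank presents


# Assumed allowlist: hostname -> known-good infrastructure (hypothetical bank).
PROFILES: Dict[str, BankProfile] = {
    "online.examplebank.pl": BankProfile(
        nets=(ipaddress.ip_network("203.0.113.0/24"),),
        cert_cns=("online.examplebank.pl", "*.examplebank.pl"),
    ),
}

# Constructed egress log, one session per line:
#   timestamp client_ip requested_host resolved_ip tls_cert_cn
SAMPLE_LOG = """\
2016-04-25T09:12:01Z 10.0.0.5 online.examplebank.pl 203.0.113.10 online.examplebank.pl
2016-04-25T09:13:44Z 10.0.0.7 online.examplebank.pl 198.51.100.23 online.examplebank.pl
2016-04-25T09:14:02Z 10.0.0.9 online.examplebank.pl 203.0.113.10 *.cdn-host.example
2016-04-25T09:15:30Z 10.0.0.5 mail.example.pl 192.0.2.5 mail.example.pl
"""


def analyze(log_text: str) -> List[dict]:
    """Return one finding per session to a monitored host that deviates from its profile.

    A session is flagged when the resolved address lies outside the bank's known
    ranges (hosts-file or proxy redirection) or when the certificate name is not
    one the bank presents (a replica served under a different certificate).
    Hosts without a profile are ignored rather than guessed at.
    """
    findings: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ip_text, cert_cn = line.split()
        profile = PROFILES.get(host)
        if profile is None:
            continue

        reasons: List[str] = []
        ip = ipaddress.ip_address(ip_text)
        if not any(ip in net for net in profile.nets):
            reasons.append("resolved_ip_outside_known_ranges")
        if cert_cn not in profile.cert_cns:
            reasons.append("certificate_cn_mismatch")

        if reasons:
            findings.append({
                "ts": ts, "client": client, "host": host,
                "ip": ip_text, "cert_cn": cert_cn, "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['client']} -> {finding['host']} "
              f"via {finding['ip']} [{finding['cert_cn']}]: {', '.join(finding['reasons'])}")
```

Run against the constructed log, the second session is flagged for resolving to an address outside the bank's range and the third for presenting a certificate the bank does not use; the webmail session is skipped because no profile exists for it. The check only sees what is visible at the network layer: a webinject that rewrites the page inside the browser while the session still goes to the real bank, or a redirection that presents a certificate matching the profile, is not caught by this logic and needs client-side or certificate-transparency based detection instead.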

The technique first surfaced in 2014 when the Dyre gang launched it, targeting banks primarily in the U.K., U.S., Australia and Spain. Although Dyre activity died down in November 2015, its methods lived on.

Less than two months after Dyre disappeared, X-Force reported that the Dridex Trojan had launched Dyre-like redirection attacks in the U.K. Now, three months after Dridex’s redirection efforts, the Nymaim gang has launched its own version of the redirection scheme via the GozNym hybrid’s configuration.
