Time Is Money: GozNym Launches Redirection Attacks in Poland
The GozNym banking malware, a Trojan hybrid discovered by IBM X-Force in early April, isn’t wasting any time. A week after launching an aggressive attack campaign on 24 banks in North America, GozNym’s operators are spreading a new European configuration. On the list this time: corporate, SMB, investment banking and consumer accounts held with major Polish banks; one bank in Portugal; and one American bank.
It gets worse. The GozNym team has apparently been hard at work: The release of the new configuration includes the launch of redirection attacks currently targeting 17 select banks in Poland and one major Portuguese bank.
According to X-Force research, this configuration has one of the widest attack scopes in Poland, proving that the country has become a lucrative target for organized cybercrime. While the list of targeted entities features redirection instructions for 17 bank brands, it further includes close to 230 URLs targeting the websites of community banks and webmail service providers in Poland.
Redirection Attacks: A Cybergang’s Blueprint
Redirection attacks are successful because they bypass bank security measures by taking victims to a malicious website before they ever reach the bank’s actual site. The malicious website is a replica of the bank’s legitimate page, leaving victims unaware that they’ve been tricked.
By keeping victims away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes on the replica site, all without the bank knowing that the customer’s session has been compromised.
Redirection attacks are most often identified with the resources and capabilities of organized cybergangs with developers on their team. There is extra setup required to pull the effort off, specifically the maintenance and updating of unique site replicas for each target.
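A defender-side heuristic for spotting the redirection pattern described above, written as an added example for this post rather than anything from X-Force or the malware's configuration: given a browsing or proxy log, it flags requests to hosts that are not on the bank's allowlist but embed the bank's brand name (a likely replica), and pairs each with the genuine bank request seen just before it. All hostnames, URLs, timestamps and the brand allowlist are constructed placeholders.

```python
# Heuristic for redirection-to-replica detection in a browsing/proxy log.
# All hostnames, URLs and timestamps below are constructed placeholders.
from urllib.parse import urlsplit

# Constructed allowlist of the bank's genuine hostnames (placeholder brand).
LEGIT_BANK_HOSTS = {"www.examplebank.pl", "online.examplebank.pl"}
# Labels that carry no brand information and must not become tokens.
GENERIC_LABELS = {"www", "online", "secure", "login", "bank"}
# Constructed session log: (seconds since session start, requested URL).
SESSION_LOG = [
    (0, "https://www.examplebank.pl/"),
    (1, "https://www.examplebank.pl/login"),
    (2, "https://examplebank-pl-secure.example.net/login"),  # replica login
    (40, "https://examplebank-pl-secure.example.net/token-confirm"),  # code harvest
    (41, "https://www.news-site.example/"),  # unrelated browsing
]

def brand_tokens(legit_hosts):
    """Derive brand tokens (e.g. 'examplebank') from the allowlisted hostnames."""
    return {label for host in legit_hosts for label in host.lower().split(".")
            if len(label) > 3 and label not in GENERIC_LABELS}

def normalized_host(url):
    """Lowercase hostname with punycode labels decoded so IDN lookalikes match."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host

def is_replica_host(host, legit_hosts, tokens):
    """A host outside the allowlist that embeds a brand token is treated as a replica."""
    if host in legit_hosts:
        return False
    flat = host.replace("-", "").replace(".", "")  # defeat 'example-bank' style splits
    return any(tok in flat for tok in tokens)

def find_redirection_candidates(log, legit_hosts=LEGIT_BANK_HOSTS, window=10):
    """Return each replica request with the genuine bank URL requested up to
    `window` seconds earlier (None when the replica was reached cold)."""
    tokens, last_legit, findings = brand_tokens(legit_hosts), None, []
    for ts, url in sorted(log):
        host = normalized_host(url)
        if host in legit_hosts:
            last_legit = (ts, url)
        elif is_replica_host(host, legit_hosts, tokens):
            recent = last_legit is not None and ts - last_legit[0] <= window
            findings.append({"ts": ts, "replica_url": url,
                             "preceded_by": last_legit[1] if recent else None})
    return findings
```

Run against the constructed log, the replica login at second 2 is paired with the genuine login request one second earlier, while the later token-harvest request is reported without a preceding bank request.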
The technique first surfaced in 2014 when the Dyre gang launched it, targeting banks primarily in the U.K., U.S., Australia and Spain. Although Dyre activity died down in November 2015, its methods lived on.
Less than two months after Dyre disappeared, X-Force reported that the Dridex Trojan launched Dyre-like redirection attacks in the U.K. Now, three months after Dridex’s redirection efforts, the Nymaim gang has launched its own version of the redirection scheme via the GozNym hybrid’s configuration.
Read the rest of this post here.