GootKit Launches Redirection Attacks in the UK
While going over some recent GootKit configurations, I came across an unfamiliar URL format that lists two URLs instead of one. It only takes a fraction of a second to understand what that means: GootKit has launched redirection attacks, a more advanced way to manipulate online banking sessions than the typical webinjection attacks its operators had used up until now.
Much like its counterparts operated by other organized cybercrime gangs, namely Dridex, GozNym and TrickBot, GootKit now joins the ranks of malware that redirects infected victims to a fake website designed to look like a legitimate online banking session. Only this one is completely fraudulent.
Launched in the UK
GootKit’s first targets in this new redirection scheme were the business banking web applications of four major banks in the U.K.
It is no coincidence that most of these gangs kick off their redirection attacks in the U.K. When this modus operandi first surfaced with Dyre in 2014, it was launched in the U.K. The same geography was the launch zone when Dridex first used redirection attacks. The latest addition to that bunch was TrickBot, whose operators also selected the U.K. as the first destination for the redirection attacks they devised. The only other Trojan that uses redirection attacks is GozNym, and it was the exception: it launched its redirection attacks in Poland.
Unsurprisingly, all of the above are believed to be operated by organized cybercrime gangs focused on targeting business banking, an umbrella term for anything from corporate banking to treasury, wealth management and investment banking accounts.
What’s Different About Redirection Attacks?
Read the rest of this post here.