The U.S. financial services industry has issued a warning that a Russian cyber-gangster is preparing to rob American banks and their customers of millions of dollars.
In addition, the computer security firm McAfee has reported that the cyber-criminal, who calls himself “Thief-in-Law,” already has infected hundreds of computers belonging to unwitting American customers in preparation for stealing their bank account data.
The warning was issued Thursday by the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares information throughout the financial sector about terrorist and online threats, said Douglas Johnson, vice president for risk management at the American Bankers Association.
“FS-ISAC has sent out several notices warning about this gentleman,” Mr. Johnson told The Washington Times.
According to McAfee, Thief-in-Law has installed malicious software programs, known as “malware,” on hundreds of computers as part of his plan, dubbed “Project Blitzkrieg.” The malware steals passwords and login information, which hackers can use to drain victims’ bank accounts online.
“McAfee Labs believes that Project Blitzkrieg is a credible threat to the financial industry and appears to be moving forward as planned,” a company report states.
The report’s author, Ryan Sherstobitoff, told The Times that a “pilot program” that apparently ended in October had infected as many as 500 computers in the U.S. About 120 additional computers were infected in a follow-up campaign that ended in November, he said.
“Project Blitzkrieg is an active operation,” Mr. Sherstobitoff said.
The Times reported in October that Thief-in-Law was trying to recruit an army of hackers to rob U.S. bank accounts next year and had posted a video of himself boasting about his online criminal activities and his immunity from law enforcement.
“If you accurately target [bank] customers in the USA while being in Russia, then you can fear nothing while living in your country,” said the gangster, who uses the online alias “vorVzakone.”
His nickname is Russian slang that translates to “Thief-in-Law” but also implies untouchability, such as a “made man” or “Mafia don.”
Out of sight
In a Sept. 9 posting on an online cybercrime forum, Thief-in-Law said he already had stolen $5 million from American banks by using his malware, called “Gozi Prinimalka.”
Mr. Sherstobitoff of McAfee called that “a plausible claim,” based on the fact that “Gozi Prinimalka has been out there since 2008.”
“It was under the radar,” he said. “It wasn’t traded or swapped in online forums, so there was little awareness of it.”
But after cybercrime blogger Brian Krebs posted Thief-in-Law’s supposed real name and address — by tracking down the registration documents for the car he drove in his video — the cyber-criminal announced he was abandoning Project Blitzkrieg and dropped out of sight online.
His disappearance and the fact that he only recently had started posting on online cybercrime forums prompted speculation that Thief-in-Law was a “wannabe” cyber-gangster who never had been serious about his plan or that he was part of a law enforcement sting.
But the public cancellation of Project Blitzkrieg “was just a PR stunt to distract attention while [Thief-in-Law] moved ahead in secret,” Mr. Sherstobitoff said.
His report traces the latest malware campaign, which ran from Oct. 1 to Nov. 30, to servers in Romania.
The servers were likely operated by a gang working with Thief-in-Law, Mr. Sherstobitoff said.
“Either they’re working with him or he has sold them the malware,” Mr. Sherstobitoff said, noting that the malicious programs used in the pilot campaign and the Romanian campaign are “virtually identical.”
According to his report, Gozi Prinimalka is highly sophisticated, can steal banking passwords and logins in different ways, and can find the answers to “challenge questions” that online banking systems are programmed to ask, such as “What was the make of your first car?”
The malware can even collect information that allows the hackers to impersonate the victim’s own computer, deceiving security measures that are activated when a customer tries to log on from a strange machine.
The report’s data suggests that Thief-in-Law and his associates primarily have been targeting customers of investment banks, who generally keep large balances.
But financial industry officials said they are confident that the targeted banks are prepared for the attacks.
“We know what his attacks look like, and we know when they’re coming,” said Mr. Johnson of the bankers’ association.
He said McAfee had made Gozi Prinimalka’s signature available “to all the targeted institutions,” so their security departments could prepare. A malware signature is a characteristic piece of code or other feature that identifies a piece of malicious software so it can be blocked by security systems.
“We have the tools we need [and] we have an unusual amount of detailed information in advance of this attack,” said Mr. Johnson. “That all bodes well for our institutions and our customers.”
Global impact
Estimates of the scale of global online banking fraud vary, and many are produced by computer security companies or others seen as having a vested interest in exaggerating the problem.
In response, a group of Cambridge University academics this year published what they said is a more rigorous and conservative estimate of cybercrime costs.
The Cambridge group concluded that the direct costs of account-takeover crime through malware like Gozi Prinimalka are about $690 million a year globally and $26 million in Britain.
Banks worldwide spend about $1 billion a year on technical measures to defeat cybercrime, the academics said, while law enforcement agencies spend about $400 million to track down and prosecute cyber-criminals — half of that in the United States alone.
Mr. Johnson said the bankers’ association does not break out the costs of account-takeover crime for U.S. banks.
But a survey the group conducted last year found that the costs of digital bank fraud in 2010 for the first time exceeded the costs of check fraud and other illegal paper transactions.
More than 90 percent of U.S. banks experienced electronic losses that year, totaling nearly $1 billion, mostly from debit-card fraud, the survey found.
It said paper-based fraud amounted to less than $800 million in losses.
• Shaun Waterman can be reached at swaterman@washingtontimes.com.