According to a recent ABC News report, Russian and Eastern European cyber criminals have been stealing money from US citizens’ online stock trading accounts. In many cases, cyber criminals are hijacking online stock trading accounts and executing a ‘pump and dump’ scam (source).
Cyber criminals execute a typical online ‘pump and dump’ scam by hijacking unsuspecting customers’ online trading accounts and using the available funds to purchase otherwise worthless penny stocks. The collective effect of the many hijacked accounts purchasing the penny stocks is a surge in the share price of the penny stock. At this point the cyber criminal sells his position in the penny stocks at a tidy profit and leaves the customers with the hijacked accounts holding the now worthless shares.
‘Pump and Dump’ scams, as well as other illegal online enterprises, are enabled by a robust online criminal infrastructure. The recent discovery of the Gozi Trojan helps illuminate the contours of this online ‘malware marketplace’ (Previous Report, Previous Report).
Case Study: the Gozi Trojan
While the Gozi Trojan does not appear to utilize a zero-day exploit, at the time of its discovery it was not detected by at least 30 different anti-virus applications (source). It is believed that the Gozi Trojan was operating undetected for at least 54 days prior to its discovery by Don Jackson, a security researcher from SecureWorks (source). The Gozi Trojan was designed to surreptitiously install itself onto vulnerable computers and then steal data sent to various financial institutions, online retail, e-commerce, and government organizations (source). While this data was encrypted via the Secure Sockets Layer (SSL), Gozi was designed to intercept the data prior to its encryption and re-direct it to a server in St. Petersburg, Russia (source). In total, it is believed that the Gozi Trojan was used to steal data from more than 5,200 individuals, and the resulting haul of personal information had a black market value of approximately $2 million (source).
The Gozi Trojan sheds light on the current state of cyber crime. It is vital to note that the server used to store the stolen data was professionally designed and maintained as evidenced by its ingenious interface that allowed the cyber criminal customers to mine the database for stolen data. Further, the cyber criminals responsible for this server appeared to have sold subscription access to this server. This indicates that many cyber criminals have adopted a professional mindset and are investing resources into building the infrastructure required to support a long-term illegal enterprise.
The tactics embraced by cyber criminals are becoming increasingly sophisticated. While the technique of intercepting SSL data prior to encryption isn’t necessarily new, the fact that the Gozi Trojan went undetected for nearly two months indicates that cyber criminals are constantly evolving their tactics in an effort to stay one step ahead of security professionals and anti-virus companies.
Future Trends
Gozi’s cache of stolen data was stored on a server based in St. Petersburg, Russia, indicating that Russian cyber criminals, and possibly the Russian mafia, were in part responsible for the Gozi Trojan. It is likely that many of the targets of the Gozi Trojan were users based in the United States because there are many additional online targets in the US. Not only are there more people online in the US, but there is an overwhelming number of online banking, online retail, and e-commerce site users.
We believe that cyber criminals will continue to evolve their tactics in an effort to outwit security professionals and anti-virus companies. The combination of incredible profits and the low risk of arrest dictates that cyber criminals will continue to design new vectors of attack.
We also believe future attacks will mirror Gozi in their stealth and targeted nature. While the Gozi Trojan remained undetected for a long period of time, it is not known to have infected more than 5,200 home computer users. These targets were presumably chosen because home users are less likely than corporate users to detect an infection. Additionally, Gozi was seemingly controlled to prevent a rapid spread across the Internet, since such a spread would likely have been detected by any number of security organizations such as the Internet Storm Center.