A threat by cyber thieves to steal millions of dollars electronically from customers' accounts at dozens of U.S. banks in the coming year may be credible.
A researcher at security firm McAfee said Thursday that banks need to be prepared for a wave of attacks this spring that use virtual machines to clone customers' real computers or mobile devices. The cloning can trick banks into thinking the device is authentic and allow criminals to drain money from targeted accounts.
The plot, called Project Blitzkrieg, was flagged in October by RSA (EMC), which said it had discovered an operation conceived by two Russian hackers known as vorVzakone and NSD, who asked members of the underground to join them in return for a share of the proceeds.
According to RSA, the operation uses a program called Prinimalka that poses as a legitimate file on computers it infects. The organizers reportedly claimed the operation already had used Prinimalka to drain $5 million from U.S. accounts.
"Forum chatter from members of this cyber gang seem to indicate plans to employ a unique technical model that essentially turns cybercriminals into trusted partners of the campaign's masterminds, if such a thing can actually exist in the world of cyber thieves," Mor Ahuvia, a cybercrime communications specialist with RSA wrote on Oct. 4.
In a white paper it released on Thursday, McAfee said it has been able to use its own data to verify the credibility of the threat, which was greeted with skepticism by some in the underground community, including those who speculated whether Blitzkrieg might be a sting operation.
"Not only did we find evidence validating the existence of an early pilot campaign operated by vorVzakone and his group using Trojan Prinimalka that infected at a minimum 300 to 500 victims across the United States, but we were also able to track additional campaigns as a result of the forum posting," McAfee researcher Ryan Sherstobitoff wrote.
Sherstobitoff and his colleagues tracked campaigns from early 2008 to October 2012 by thieves who the researchers say have used Prinimalka to launch attacks on U.S. accounts from servers in the Ukraine and Romania, as well as a pilot campaign by vorVzakone that began in March.
The researchers also say the plotters appear to have recruited at least some hackers to their cause. "That subsequent campaigns using Prinimalka have popped up after the initial forum posting, though connecting to different infrastructure, suggests that other groups have bought into vorVzakone's offer," Sherstobitoff added.
According to McAfee, the Romanian campaign infected computers belonging to victims in varied U.S. cities over a roughly two-month period starting in August.
The hackers kept the foray small by design to narrow the malware's footprint and shield their activities from digital defenses at banks, McAfee said.
Sherstobitoff and his colleagues say thieves have used Prinimalka to collect such information from victims as account balances, log-in times and answers to challenge questions that some banks require customers to answer correctly before moving money from their accounts.
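The defensive point behind the cloning technique described above (a virtual machine that reproduces the customer's device so the bank's device check passes) and the data the malware harvests (balances, log-in times, challenge answers) is that a fingerprint match on its own proves little once the fingerprint can be copied. The following is an added illustration, not code from McAfee, RSA or any bank: a session-scoring routine that gives the fingerprint no weight and instead looks at signals a clone does not inherit, such as the network the "device" connects from, the customer's customary hours, and whether the same device appears active from two networks at once. The session fields, ASN values and timestamps are constructed assumptions about what login telemetry might carry.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption, not data from the reports): prior
# sessions for one customer device, as a bank's login log might record them.
KNOWN_SESSIONS = [
    {"fp": "dev-A1", "asn": 7922, "country": "US", "ts": datetime(2012, 11, 1, 19, 5), "transfer": False},
    {"fp": "dev-A1", "asn": 7922, "country": "US", "ts": datetime(2012, 11, 3, 20, 10), "transfer": False},
    {"fp": "dev-A1", "asn": 7922, "country": "US", "ts": datetime(2012, 11, 6, 18, 40), "transfer": True},
]


def _hour_gap(hour, usual_hours):
    """Smallest circular distance (in hours) from `hour` to any customary hour."""
    return min(min(abs(hour - u), 24 - abs(hour - u)) for u in usual_hours)


def score_session(history, session, overlap_window=timedelta(hours=1)):
    """Score one login against the history of its device fingerprint.

    Returns (score, reasons). A cloned machine reproduces the fingerprint
    exactly, so a matching fingerprint earns nothing; points come only from
    signals the clone cannot copy from the victim's real machine.
    """
    same_device = [s for s in history if s["fp"] == session["fp"]]
    if not same_device:
        return 0, ["no history for this fingerprint"]

    score, reasons = 0, []

    # Network origin: the real device has a small set of ASNs and countries.
    if session["asn"] not in {s["asn"] for s in same_device}:
        score += 2
        reasons.append("known fingerprint from a new ASN")
    if session["country"] not in {s["country"] for s in same_device}:
        score += 3
        reasons.append("known fingerprint from a new country")

    # Timing: the harvested log-in times tell an attacker when the victim is
    # usually online, but a session far outside those hours is still a signal.
    if _hour_gap(session["ts"].hour, {s["ts"].hour for s in same_device}) > 2:
        score += 1
        reasons.append("login outside customary hours")

    # Concurrency: one physical device cannot be on two networks at once.
    for s in same_device:
        if s["asn"] != session["asn"] and abs(s["ts"] - session["ts"]) <= overlap_window:
            score += 3
            reasons.append("device active from two networks within the window")
            break

    # Money movement on a suspicious session is where step-up verification
    # (out-of-band, not a knowledge question the malware may have captured) fits.
    if session["transfer"] and score >= 3:
        reasons.append("transfer attempt on a suspicious session: step-up verification")

    return score, reasons


if __name__ == "__main__":
    clone = {"fp": "dev-A1", "asn": 9009, "country": "RO",
             "ts": datetime(2012, 11, 6, 19, 0), "transfer": True}
    print(score_session(KNOWN_SESSIONS, clone))
```

The threshold and weights are placeholders; in practice they would be tuned against a bank's own false-positive budget, and the point of the concurrency check is that it catches a clone even when the attacker routes through an ASN the victim has used before.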
Security experts say McAfee's findings shore up the seriousness of the threat.
Brian Krebs, an independent security researcher, says that while some in the underground remain skeptical about the operation, McAfee's research suggests vorVzakone and NSD may have some ability to carry out their plan.
"The McAfee paper I thought was interesting because they were able to look back at information they had gathered and correlate that there was an attack infrastructure in place, that these guys are serious about their plan," Krebs told American Banker.
"Some of it was suspicious the first time around because of the nature of the perpetrator," Doug Johnson, vice president of risk management policy at the American Bankers Association, told American Banker. "Now I think we know from an independent party it's potentially a real threat and we're going to treat it like one."
Krebs says the plotters' decision to outsource part of the operation magnifies the threat. "One or two talented cybercriminals can do a lot of damage," Krebs said. "One or two aided by a hundred or so in concert could do even more."
Though Krebs declines to speculate whether Project Blitzkrieg will confront banks in any measurable way, he adds that "the idea of multiple sorts of self-interested miscreants working together should always be concerning."
Though neither McAfee nor RSA cited specific financial institutions, targets of Project Blitzkrieg may include many of the nation's biggest banks, including JPMorgan Chase (JPM), Bank of America (BAC), Wells Fargo (WFC), PNC (PNC) and SunTrust (STI), based on a screenshot reportedly posted by vorVzakone that Krebs linked to in October.
Wells Fargo spokeswoman Sara Hawkins said in an email the bank takes steps to "constantly monitor the environment, assess potential threats, and take action as warranted." She added that Wells Fargo has "significant efforts in place" to make sure its websites and mobile banking function fully for customers.