October 8, 2012

Last week, security firm RSA detailed a new cybecriminal project aimed at recruiting 100 botmasters to help launch a series of lucrative online heists targeting 30 U.S. banks. RSA’s advisory focused primarily on helping financial institutions prepare for an onslaught of more sophisticated e-banking attacks, and has already received plenty of media attention. I’m weighing in on the topic because their analysis seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets.

RSA wasn’t specific about where it got its intelligence, but the report’s finding appear tied to a series of communications posted to exclusive Underweb forums by a Russian hacker who uses the nickname “vorVzakone,” which translates to “thief in law.” This is an expression in Russia and Eastern Europe that refers to an entire subculture of elite criminal gangs that operate beyond the reach of traditional law enforcement. The term is sometimes also used to refer to a single criminal kingpin.

A screen shot posted by vorVzakone, showing his Project Blitzkrieg malware server listing the number of online victims by bank.

In early September, vorVzakone posted a lengthy message announcing the beginning stages of a campaign he dubbed “Project Blitzkrieg.” This was envisioned as a collaborative effort designed to exploit the U.S. banking industry’s lack of anti-fraud mechanisms relative to European financial institutions, which generally require two-factor authentication for all wire transfers.

The campaign, purportedly to be rolled out between now and the Spring of 2013, proposes organizing hacker cells throughout the cybercriminal community to collaborate in exploiting these authentication weaknesses before U.S. banks erect more stringent controls. “The goal – together, en-masse and simultaneously process large amount of the given material before anti-fraud measures are increased,” vorVzakon wrote. A professionally translated version of his entire post is available here.

RSA said the project is being powered by a version of the Gozi Trojan called “Gozi Prinimalka.” The company believes this Trojan is part of family of malware used by a tight-knit crime gang that has stolen at least $5 million from banks already. From its analysis:

“In a boot camp-style process, accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims’ accounts into mule accounts controlled by the gang. To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits. The gang and a long list of other accomplices will also reap their share of the spoils, including the money-mule herder and malware developers.

While the campaign is not revolutionary in technical terms, it will supposedly sport several noteworthy features. A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website.”

vorVzakone also says the operation will flood cyberheist victim phone lines while the victims are being robbed, in a bid to prevent account holders from receiving confirmation calls or text messages from their banks (I’ve covered this diversionary tactic in at least a couple of stories). Interestingly, this hacker started discussion threads on different forums in which he posts a video of this service in action. The video shows racks of centrally-managed notebook computers that are each running an installation of Skype. While there are simpler, cheaper and less resource-intensive ways of tying up a target’s phone line, causing all of these systems to call a single number simultaneously would probably achieve the same result. If you don’t see English subtitles when you play the video below, click the “cc” icon in the player to enable them:

THE FIRST RULE OF PROJECT BLITZKRIEG…

vorVzakone’s post has been met with a flurry of curiosity, enthusiasm and skepticism from members of the underground. The skepticism appears to stem from some related postings in which he brags about and calls attention to his credentials/criminal connections, an activity which tends to raise red flags in a community that generally prefers to keep a low profile.

In the following introductory snippet from a homemade movie he posted to youtube.com, vorVzakone introduces himself as “Sergey,” the stocky bald guy in the sunglasses. He also introduces a hacker who needs little introduction in the Russian underground — a well-known individual who used the nickname “NSD” [an abbreviation for the Russian term несанкционированный доступ, or “unauthorized access”] in the mid-2000s, when he claims to have exited the hacking scene.

“Good day to everybody, evening or night, depends on when you are watching me,” the hacker begins, standing in front of a Toyota Land Cruiser. “My name is Serega, you all know me by my nickname “vor v zakone” on the forum. This is my brother, my offline representative – Oleg ‘NSD’. So, what? I decided to meet you, let’s say ‘remotely.’ Without really meeting, right? Now you will see how I live. Let’s go, I will show you something.”

A still shot from a video posted by hacker “vorVzakone”, foreground.

And he proceeds to show viewers around what he claims is his home. But many in the underground community found it difficult to take seriously someone who would be so cavalier about his personal safety, anonymity and security. “This guy’s language and demeanor is that of street corner drug dealer or a night club bouncer, and not of someone who can comprehend what ‘backconnect socks’ or GeoIP is,” remarked one Russian expert who helped translate some of the documentation included in this blog post.

But soon enough, hackers on the forums in which vorVzakone had posted his videos began checking the story, digging up records from Russian motor vehicle agencies indicating that the license plates on the Toyota and other cars in video were registered to a 27-year-old Oleg Vsevolodovich Tolstykh from Moscow. Further, they pointed out, the videos were posted by a youtube user named 01NSD, who also had previously posted Finnish and Russian television interviews with NSD describing various facets of the hacker underground. Indeed, if you pause this 2007 video 22 seconds in, you can see on NSD’s screen that he’s in the midst of a chat conversation with a hacker named vorVzakone.

In response to taunts and ridicule from some in the underground, vorVzakone posted this message on Oct. 6 to a prominent crime forum explaining why he doesn’t worry about going public with his business.

“Hi all

Many saw videos on neighboring forums, where I openly demonstrate my cars, house and face.

What do I want to say?

That if you accurately target customers in the USA while being in Russia then you can fear nothing while living in your country. Except the one thing – you should never expose yourself during заливы [“залив” means “in the process of stealing victim’s money from a bank account”].

I am the obvious example of the fact that you can fear nothing in our country, you can live openly and calm.”

‘INSURANCE FROM CRIMINAL PROSECUTION’

vorVzakone’s apparent calm may also be part of a clever sales pitch for another criminal service he is currently pimping to the Underweb: “Insurance from criminal prosecution” for cybercrime charges. For a deposit of 15,000 rubles (roughly $500), hackers can avail themselves of a service that — in the event that local prosecutors levy cyber criminal charges  — will try to bribe officials into scuttling the case. “Full anonymity,” vorVzakone promised hackers who signed up for his insurance program. “The [customer’s] real last name gets known only when this person’s ‘ass is on fire.'”

This incredibly bold offering promises many things to subscribers, including the assignment of an attorney, reachable via a subscriber-specific phone number and PIN code. From there, the attorney meets with police and the accused, and discusses the case with his client.

“If there is no credible evidence, the lawyers put pressure on law enforcement officials, so that the person gets set free; If evidence is falsified, they work with local police internal affair office and local prosecutors. If the evidence is credible, they work with the investigator to “buy out” the accused; If there are “real proofs” of felony, they will try to “buy out” the person from the problem; If they are not successful, we find access to investigator’s management (we have contacts). $40,000 is enough to buy the insured out from investigator’s management. There are also people who are ready to go to prison instead of the subscriber.” [emphasis added].

Subscribers are offered a $10,000 budget to cover attorney travel costs and initial legal (and probably extra-legal) maneuvers on the client’s behalf. The ad also gives us a rough approximation of what it generally costs to bribe or intimidate local law enforcement officials into inaction.

  • $1,000 is enough to take knowledgeable lawyer to neighboring region by car.
  • $3000 is enough to fly to any region with two lawyers.
  • $6,000-$8,000 is enough to involve local police internal affair office to build the case against the police.
  • $20,000 is enough to buy out the insured from the investigator.
  • $40,000 is enough to buy the insured out from local police chiefs.
  • $100,000 is enough to resolve the issue at the highest levels of management or to place some “drop” to prison instead of the insured.

For those interested in reading more, a rough translation of the entire advertisement for the “insurance from criminal prosecution” service is available here.

TAKEAWAYS?

It’s difficult to say whether vorVzakone’s offerings are legitimate, or if he is — as many in the underground apparently fear — an instrument (if not creation) of Russian law enforcement officials. Nevertheless, banks should already be moving toward implementing more stringent authentication controls for customers who want to move money. Unfortunately, many U.S. financial institutions are lagging behind the rest of the world in this regard.

Under “Regulation E” of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen tens of millions of dollars from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.

But the best way to avoid a cyberheist is to not have your computer systems infected in the first place. The trouble is, it’s becoming increasingly difficult to tell when a system is or is not infected. That’s why I advocate the use of a Live CD approach for online banking: That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like Gozi, your online banking session is protected.


51 thoughts on “‘Project Blitzkrieg’ Promises More Aggressive Cyberheists Against U.S. Banks

  1. Petushok

    Is it real that this guy is “thief in law”, i.e. some kind of russian criminalized mafia?

  2. OtdelK

    Этот ебланец не вор в законе, а мент в загоне. Не сцыте амеры. Это работает полиция.

    This eblanets not a kingpin and cop in the pen. Not stsyte Amer. This is the police work.

  3. geniy

    То что он мент, это бесспорно, и раз его уже пиарят амерские спецслужбы, это говорит о том что идет замут международый по приему кардеров и хакеров.

  4. really colonel

    Близится прецедент приема в ру за работу по загранице.

  5. George

    Fidelity, Ameritrade, Schwab, et al., aren’t “banks”; better to say “Financial Institutions”.

  6. НСД

    Не трогайте моего муженька, мы с Серёжей уедем и заведём детей!

  7. петя петушок

    Продаётся лендкрузир прада и хундай салярис (битый в жопу, уебался в дерево пьяный когда парковался). За всё 50к, оплата через гаранта верифаед.

  8. Richard Steven Hack

    This “insurance” thing definitely sounds like a scam. How many $500 “deposits” are going to support a $10,000 budget for legal services and bribes for how many hackers who are likely to get caught, let alone the higher sums? How many hackers are going to be dumb enough to make a $500 deposit without PROOF that the services are actually available and effective?

    It would be smarter for hackers to simply tithe a portion of their earnings from their activities to their own chosen lawyer in advance in anticipation of their getting caught.

    As for the planned bank heists, I’ll just note that it sounds like a sting. Even if it’s not, as the Kingpin book showed, cooperation among cybercrooks rarely works out well, at least once it becomes highly organized… Too many c(r)ooks spoil the recipe…

    1. BrianKrebs Post author

      All good points. Not saying it’s real or no, but I could imagine a situation where actually very few of those who take the service ever need it (like many types of insurance in real life), and those that do end up paying more in addition to the retainer (think a costly deductible). Besides, when you are in some stinking prison awaiting trial and you’ve already invested some amount, aren’t you more likely to cough up additional monies in the service you’ve already invested in, as opposed to going through the trouble at that point of finding a new lawyer?

      1. Richard Steven Hack

        True, but again I’d rather do this with a real personal defense lawyer with a reputation than some guys I don’t know from Adam…

        Even if I did know them, how do I know these guys wouldn’t get caught before *I* do? I’m sure there are criminal charges of some sort for “providing insurance to criminals”, let alone guaranteeing bribes…

        Bottom line: While a service like that sounds good, the details matter. And I’d have to know every detail of their operation to be convinced – and that would make me a security risk…

        Which means the stupidity of the whole concept makes it 1) a scam, or 2) a sting, or 3) just plain stupid.

        1. zagonVvore

          4) vorVzakone is from police and he is making his career.
          btw it isnt so simply like it seems 😉 even this little blog and this article.

  9. anon noone

    >>As for the planned bank heists, I’ll just note that it sounds like a sting. <<

    my opinion also

  10. Aleksey

    Full name of the registered owner of both cars is “Олег Всеволодович Толстых” or “Oleg Vsevolodovich Tolstykh”, where “Vsevolodovich is a middle name (patronymic) and “Tolstykh” is the last name.

    Also an interesting fact – the leaked DMV records show that Oleg Tolstykh was caught speeding in the more expensive Land Cruiser on 09/05, 09/03, 08/29 (twice), 08/28, 08/22, 06/22 (twice), 06/15, 05/29 (twice), 05/15 (twice), 05/07, etc… This doesn’t count speeding tickets received in Hyundai or other cars.
    In the videos “Serega aka vorVzakone” brags about NSD being only the nominal owner of both cars, the fact which I think is contradicted by this record of speeding tickets. Unless, of course, Oleg Tolstykh is his personal driver in addition to being the technical lead of his carding operation. And the guy is a fast driver, no doubt – so many speeding tickets in such a short timeframe looks like quite an astonishing driving record to me 🙂

    1. addendum

      yes, Oleg V Tolstix
      entered into search seems to show him

      and WITHOUT insider info I’d say operation stingray started this spring – new car is part of ita

      1. addendum

        or even earlier, December 2011 when the youtube user was created

  11. Bikebrains

    Note that five of the first six comments are in Russian. KoS seems to have a following in the eastern time zones.

    1. Rabid Howler Monkey

      Just wait until Brian begins to learn Chinese (presumably, the Mandarin dialect). 🙂

      I copied and pasted the URL for this article into the text box at http://translate.google.com, selected From: ‘Russian’ and To: ‘English’ and it worked like a charm.

      P.S. Brian, have you given any thought to working with Google to make Google Translate available on your website? This might be beneficial to many of your readers and would likely increase your readership. Perhaps a command button could be configured to take a reader directly from one of your articles to http://translate.google.com where a user can simply select the From: and To: values for translation? Assuming that something like this is possible.

      1. meh

        I don’t know that I would trust a blind google translation of russian to not contain something malicious.

        1. meh

          Besides from the gist of the broken english spam they put on, not worth doing anyway.

      2. BrianKrebs Post author

        Hah. I am actually learning Mandarin as we speak, although I am still very much in the early stages.

        I don’t know that having some Google translate tab on my site is going to help matters. GT is actually a pretty good referrer of traffic to my blog already. As helpful as it has been in helping me to learn Russian, I find the service is still not nearly good enough for me to be comfortable encouraging readers to believe they’ll get a true and accurate translation of what I’m trying to get across.

        From what I’ve seen of GT’s translation of most Russian forums and sites, it leaves a lot of meaning and context to be desired. I would be reluctant to endorse any kind of robotranslation of my content given the kinds of mistranslations I’ve seen so far.

  12. Aleksey

    On “Vor V Zakone” nickname – The term “Вор в законе” never refers to an organization, it is always an individual. It is a popular subject in russian-speaking culture, very often brought up in mass media, and I never encountered it being used for describing anything but a single individual. “Воры в законе” (multiple of the word “Vor”) may refer to an organized group of them of course. By different estimates there are hundreds or thousands of Thieves in Law and they always build various alliances, affiliations, which obviously results in rivalries. Such rivalries sometimes escalate into “wars”. The arrests and attempted or successful assassinations of prominent Thieves in Law often become top news in Russian media.

    BTW, if VVZ is ever apprehended and thrown in jail the fact that he publicly called himself “Vor V Zakone” without being “officially coronated” as such will no doubt be a very big problem for him in jail – it is a grave violation of the rules of that world that is severely punishable. I would definitely try to keep out of jail especially hard if I was him… 🙂

  13. Zagonvorov

    Кребси, милый, не переживай так. Ворвзаконе любит пиар, напиши ему, подари леденец, он тебе и даст интервью 🙂
    Прикинь, ты будешь первым амером, взявшим интервью у настоящего русского вора в законе! Круть! Все твои соседи обзавидуются
    Такого пиара у тебя еще не было.
    Пиши на мыло: intervvvvkrebs@yahoo.com
    Устрою вам интервью :))

    1. BrianKrebs Post author

      I hope the fact that I leave these moronic comments here — even if they are not obviously so to Western readers — and not delete them is proof enough to my regular readers that I don’t censor comments around here. I rarely ever even thumb up or down a comment. The only time I remove comments if if they are inane and completely off-topic; contain excessive profanity; maliciously attack other readers; or link to malware or spammy sites.

  14. Zagonvorov

    билет Вор тебе оплатит,
    ток блин не бизнес класс, а то привыкли нахаляву кататься на деньги бедных русских воров в законе

    1. Анальный каратель

      Анус себе оплати, пёс.

  15. Hans

    The interior of vorVzakone’s appartment is set up without any thought for cosiness. Looks more like an office space.

    Which cracker would be stupid enough publishing a video presenting his car plates and his voice (recognition fingerprint)?

    Ding Ding its Sting time. Newbie criminals please subscribe 😉

  16. Кребс

    Вчера отцу признался что я гей. Он выглядел покинутым и лишь спросил:
    “У тебя парень есть?”
    Я грустно ответил что есть.
    Он спросил еще
    “И ты его прямо в пердачелло?”
    Я кивнул.
    “Долбишься в сракотан?”
    Опять я грустно кивнул.
    “Теребишь его в попчанский?”
    “Ебошишь его в шоколадницу?”
    “Месишь черное тесто с перцем?”
    “Заезжаешь на ночь в Попенгаген?”
    “Смотрел фильм Чарли и шоколадная фабрика?”
    Я послал нахуй отца и ушел.

  17. boondox

    /begin
    Ctrl-C
    Goes to translate.google.com
    Ctrl-V
    Tries to follow along…
    /end

    Haven’t seen this much Russian commentary in awhile…

  18. vor v zagone

    ha ha ha .
    SUPER MAX PRISON is crying out for this idiot ..stole 5 millions YE right maybe in his dreams .

    he cant do sh*t , never mind massive heist on banks .all he can do is VOIP FLOOD .

    all so VOR V ZAGONE works for FSB .
    welcome to the club brian .

  19. PTall

    I’m already using Linux as my everday operating system. Should I still boot a Live CD for online banking? While there are a lot of java / javascript exploits, aren’t they really just trying to deliver a Windows malware payload?

    1. boondox

      Yes, you should. Using Linux by itself doesn’t guarantee your transaction’s safety.

      Using the LiveCD will ensure that any malware currently resident on your Linux system’s HD (or memory) won’t impact or corrupt your financial transaction.

      You have to reboot your PC to run the LiveCD, which will clear your RAM. The LiveCD won’t used your HD, so even if you somehow get infected, the infection won’t be saved to disk, and won’t survive in memory when you reboot to get back to your regular Linux environment.

  20. james bond

    brian live CD is not broken only cos no one is using it right now i mean not that many people . as soon as very US bank will introduce live CD .it will be broken i can guaranty u that .

    it may even be broken now we just dont know

    1. BrianKrebs Post author

      Right, so people should just stop using this approach because it might one day be broken or attacked by the bad guys? Great logic. Nothing to see here, move along.

      1. james bond

        brian u know how much money it is going to cost , to introduce live CD to every person in USA ? billions and billions of dollars .
        trust me greedy banksters wont pay that soft of money just cos u may or may not loose some of YOUR hard earned cash ( that your problem if u do ) .

        your poor country cant even afford chip and pin never mind live CD . lol

        and when/if they do that hakers will move to mobile banking or something else .its a never ending game of a cat and mouse
        enjoy the ride .

        1. JCitizen

          I hand out Puppy Linux LiveCDs to all my clients for FREE! I don’t care if the bank pays for it or not.

  21. BrianCrabs

    Brian, you made my day. You are getting more and more respect in underground community with every sensational post. Keep up making our life funny.

    Some people think that vorVzakone is your man. And all bullshit that he wrote on forums was made by your request, to achieve higher PR. Is that true?

  22. George

    Why would someone planning such a big criminal project have so many recent speeding tickets? So deliberately over the top and high profile…more like those tickets were added to his record to make him look unlawful. Either that or he is a true doofus who idolizes Kim Schmitz.

    1. BrianCrabs

      Tickets are real, true carders checked license plates with police databases. They don’t make him look criminal, just stupid.

  23. Hayton

    So what’s the consensus about this RSA report? Is it, as many of the people posting comments are saying, a sting operation set up by the Russian authorities to trap anyone greedy or unwary enough to sign up for this proposed attack on US banks? It would certainly allow the Russian government to portray itself as a good friend of the American government (and financial system) if the police and/or FSB could arrest all the members of a dangerous hacking group and put them on trial.

    Or is this operation what it claims to be – a once-in-a-lifetime opportunity to get rich quick, with a get-out-of-jail guarantee if anyone is caught?

    I can see why RSA would be playing this for all it’s worth, but security companies like Trend Micro seem to be taking this seriously. Others appear to be slightly more sceptical, but they obviously have to treat it as a credible threat.

    My own impression is that giving out so much information so publicly before the proposed attack makes it less credible. And for the principal hackers to break cover and flaunt themselves in this way is (correct me if I’m wrong) unprecedented.

  24. alex.ua

    I think it’s a barrel of honey to attract guys – it is FSB, or just grifters. Although, i put there my money – i want to see a sample which they give out

Comments are closed.