How McAfee unraveled Blitzkrieg
McAfee Labs turned to old-fashioned human intelligence to blow the cover off an online-banking scam hatched by a shadowy cyber criminal with a bad nickname.
Network security watchers learned about Project Blitzkrieg on October 4, when the security firm RSA posted a blog entry saying a cyber gang was seeking to recruit “botmasters” to share the proceeds of a fraud offensive against major U.S. banks and their customers.
McAfee says that before its Dec. 13 white paper, security watchers weren’t sure if the threat was serious or a hoax.
There was good reason to wonder. The head of the gang used the Harry Potter-esque nickname vorVzakone in his posts on a shadowy cyber criminal forum. He wrote in Russian, and even posted a grainy video of himself on YouTube.
Brian Krebs of krebsonsecurity.com reported these facts in October, and his blog was widely circulated in the security community.
It looked like it could be a bad joke or a ruse to distract experts from actual threats. On the other hand, maybe vorVzakone really was growing a criminal gang and testing Trojan software capable of stealing banking log-ins and answers to security challenge questions. RSA identified the gang's malware as a form of the previously known Gozi Trojan, and named it Gozi Prinimalka after a folder in the malware.
McAfee threat researcher Ryan Sherstobitoff knew a good mystery when he saw one. He dug into the evidence and reported his findings in the paper, “Analyzing Project Blitzkrieg, A Credible Threat.”
The paper warned that 30 major banks might indeed face massive fraud attempts, not in the fall as initially predicted by RSA, but by next spring. CNN and other media leaped on the report, and McAfee gave briefings to the FBI, Department of Homeland Security and the National Cyber Security Partnership, a private sector group working to establish voluntary security strategies.
Sherstobitoff’s first step toward decloaking Blitzkrieg was a low-tech one. He needed to see the postings that vorVzakone made Sept. 9 on a cyber criminal forum. The details might steer him to relevant evidence in McAfee’s vast trove of malware samples. He could then connect the dots, if there were any, and assess the seriousness of the threat.
“I went to a source that I knew might have this connection, and he provided all of the screen shots and all of the 16 pages of chatter in Russian, and that’s where we began the investigation,” Sherstobitoff said.
VorVzakone, it turns out, was sloppy. He posted screenshots of his handiwork, possibly to convince recruits that he was serious and that they should join. He redacted the IP address of a command-and-control server panel but forgot to redact the six-digit campaign identification number that criminals rely on to stay organized.
“We were able to look up that campaign ID out of the subset of malware samples that we had and were able to find out which one was used in that particular instance,” Sherstobitoff said.
McAfee traced the hosting to servers in Des Moines, Iowa; the Netherlands; and Moscow, and concluded that the gang has had an active Trojan system since April 2012. McAfee believes this was a pilot project toward a larger offensive planned for the spring of 2013. The gang began using a Romanian server in August, and has compromised 300 to 500 accounts in the U.S., probably as a test.
McAfee suspects money was stolen but can’t say for sure.
“VorVzakone said that 5 million has been lost. It is quite plausible that this has already earned money, but we don’t have direct log files to actually support that yet,” Sherstobitoff said.
For now, vorVzakone has gone quiet, but McAfee says the financial industry should get ready.