Gozi Trojan leads to Russian data hoard
Log-in, account information of thousands compromised
Computerworld - A Russian Trojan program named Gozi that remained largely undetected for more than 50 days earlier this year has stolen more than 10,000 records containing confidential information belonging to about 5,200 home users.
The compromised information included about 2,000 Social Security numbers, account numbers, user names and passwords that the individuals used to log into bank accounts as well as online retail and e-commerce sites.
The stolen data also included employee log-in information to applications from more than 300 companies and government organizations -- including several law enforcement agencies at the federal and state level -- as well as medical information of health care employees and patients whose usernames and passwords were compromised via their home PCs.
All of the information was sent by Gozi to a server in St. Petersburg, where it was then sold on a subscription basis to an unknown number of individuals. The black market street value of the stolen data: $2 million.
Details of the Trojan and the stolen information were uncovered in January by Don Jackson, a security researcher at SecureWorks Inc., an Atlanta-based managed security service provider. Jackson noted that there are at least two more known variants of Gozi, meaning new attacks are likely.
According to Jackson, an acquaintance reported that several accounts on Web sites he visited from work and home had been hijacked. An investigation of the PC used to access the sites uncovered a previously unclassified malware executable that appeared to have been installed last December.
An analysis of the Trojan program showed that it was designed to steal data from encrypted Secure Sockets Layer (SSL) streams and send it to a server based in Russia. The Trojan took advantage of a vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer. The buffer overflow flaw basically allows attackers to take complete control of a compromised system. In this case, the users compromised by the Gozi Trojan appear to have visited several hosted Web sites, community forums, social networking sites and those belonging to small businesses.
The server to which the information was being sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters. Each customer-generated query had a price associated with it, Jackson said. The currency unit used on the site was WMZ, which is a WebMoney unit roughly equivalent to the U.S. dollar, Jackson said.
When Jackson first discovered the Trojan in January, not one of the 30 antivirus products he tested detected the malware specifically. Several flagged it as a suspicious file or a generic threat based on the fact that it was using a commonly known packing tool to compress the code. Updated versions of the same 30 products in early February did a better job of picking up Gozi, though even at that point five of the products completely missed it, according to Jackson.
Details of the Trojan and the information on the Russian server have been passed on to law enforcement authorities, and to several of the affected companies, Jackson said. The subscription service offering this stolen information was disabled Match 12, he said. However, the server housing the data is still online and is continuing to receive stolen information, he said.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
Enhance Your Virtualization Infrastructure With IBM and Vmware
Date: Wednesday, May 14, 2014, 1:00 PM EDT
Virtualization technology is now expanding beyond the server compute elements to encompass networking and storage...
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
All Cybercrime and Hacking White Papers |