The malware is an updated version of a much older banking Trojan, Gozi, which was used by cyber criminals to steal millions of dollars from U.S. banks. The group's plan apparently is to plant the Trojan program on numerous websites and to infect computers when users visit those sites.
The Trojan is triggered when the user of an infected computer types out certain words -- such as the name of a specific bank -- into a URL string.
Unlike the original Gozi, the new version is capable not only of communicating with a central command-and-control server but also of duplicating the victim's PC settings. The Trojan essentially supports a virtual machine cloning feature that can duplicate the infected PC's screen resolution, cookies, time zone, browser type and version, and other settings. That allows the attacker to access a victim's bank website using a computer that appears to have the infected PC's real IP address and other settings, Ahuvia said.
"Impersonated victims' accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank's website," she said in her alert.
Victims of fraudulent wire transfers will not immediately know of the theft because the gang plans on using VoIP flooding software to prevent victims from getting bank notifications on their mobile devices, she added.
Consumers need to ensure that their browsers are properly updated to protect against drive-by downloads, she said. They also need to watch for any suspicious behavior or transactions on their accounts.
RSA has also notified U.S. law enforcement and its own FraudAction Global Blocking Network about the threat, she said. Banks, meanwhile, should consider implementing stronger authentication procedures and anomaly detection tools for spotting unusual wire transfers.
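The alert's point that the Trojan clones the victim's IP address, browser, time zone and screen settings means a session that looks like the customer's usual device is not evidence of legitimacy, which is why the recommendation above is for anomaly detection on the transfers themselves. The following is an added illustration, not code from the article, RSA or any bank: a toy scorer that ignores device fingerprints entirely and rates each outgoing wire against the account's own confirmed history (beneficiary novelty, amount relative to typical transfers, burst velocity). The account names, amounts, timestamps and thresholds are all constructed for the example.

```python
"""
Added example (not part of the article or RSA's alert): a toy anomaly scorer for
outgoing wire transfers. Device fingerprint matches are deliberately not an input,
since the Trojan described above reproduces them. Transfers that are held are kept
out of the trusted baseline so an attacker's own wires cannot widen the "normal"
amount band for the wires that follow.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass
class Wire:
    account: str
    ts: int            # unix seconds
    beneficiary: str
    amount: float


def score_wire(trusted: List[Wire], pending: List[Wire], new: Wire,
               burst_window: int = 3600, burst_limit: int = 2) -> Dict:
    """Score one wire against confirmed history; return reasons and a hold decision."""
    reasons = []
    prior = [w for w in trusted if w.account == new.account and w.ts < new.ts]

    # 1. Beneficiary never paid from this account before.
    if new.beneficiary not in {w.beneficiary for w in prior}:
        reasons.append("new_beneficiary")

    # 2. Amount far above the account's usual size (3 sigma, with a 10% floor so a
    #    very regular history still has a non-zero band).
    if len(prior) >= 3:
        amounts = [w.amount for w in prior]
        mu, sigma = mean(amounts), pstdev(amounts)
        if new.amount > mu + 3 * max(sigma, 0.1 * mu):
            reasons.append("amount_outlier")
    elif new.amount > 10_000:  # constructed threshold for thin history
        reasons.append("large_amount_thin_history")

    # 3. Burst velocity: several wires in a short window, counting held ones too.
    recent = [w for w in trusted + pending
              if w.account == new.account and 0 <= new.ts - w.ts <= burst_window
              and w.ts < new.ts]
    if len(recent) >= burst_limit:
        reasons.append("burst_velocity")

    return {"score": len(reasons) / 3, "reasons": reasons, "hold": len(reasons) >= 2}


def evaluate_sequence(history: List[Wire], wires: List[Wire]) -> List[Dict]:
    """Process wires in order; held wires go to pending, cleared ones join trusted."""
    trusted, pending, results = list(history), [], []
    for w in wires:
        r = score_wire(trusted, pending, w)
        results.append(r)
        (pending if r["hold"] else trusted).append(w)
    return results


# Constructed sample data: four months of routine payroll wires, then one more
# routine wire, then three rapid wires to unknown beneficiaries.
BASE = 1_700_000_000
DAY = 86_400
HISTORY = [
    Wire("acct-1", BASE - 120 * DAY, "Payroll LLC", 2000.0),
    Wire("acct-1", BASE - 90 * DAY, "Payroll LLC", 2100.0),
    Wire("acct-1", BASE - 60 * DAY, "Payroll LLC", 1950.0),
    Wire("acct-1", BASE - 30 * DAY, "Payroll LLC", 2050.0),
]
SESSION_WIRES = [
    Wire("acct-1", BASE - DAY, "Payroll LLC", 2000.0),   # routine, should clear
    Wire("acct-1", BASE, "Mule Co", 9500.0),             # new payee, outlier
    Wire("acct-1", BASE + 1200, "Mule Co", 8800.0),      # second held wire
    Wire("acct-1", BASE + 2400, "Other Mule", 7000.0),   # third: burst as well
]

if __name__ == "__main__":
    for w, r in zip(SESSION_WIRES, evaluate_sequence(HISTORY, SESSION_WIRES)):
        print(f"{w.beneficiary:<12} {w.amount:>8.2f} hold={r['hold']} {r['reasons']}")
```

The hold rule (two or more reasons) is arbitrary and exists only to make the decision path visible; a real deployment would tune thresholds per segment and combine this with out-of-band confirmation that does not rely on the mobile notifications the alert says the gang plans to flood.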