Dissecting Project Blitzkrieg

Posted by Sean Bodmer   |   December 17, 2012

Reports of a massive, looming cyber attack – coined Project Blitzkrieg – have dominated headlines following the recent release of a new McAfee Labs study.

According to the report, malware has been lying dormant in 30 leading U.S. financial services organizations – including Fidelity, E*Trade, Charles Schwab, PayPal, Citibank, Wachovia, Wells Fargo, Capital One, Navy Federal Credit Union and others – and will be activated by the Spring of next year. The report goes on to say that “the project appears to be moving forward as planned.”

This report supports RSA’s 2011 discovery of the cyber threat, made as the company monitored a Web chat room run by the Russian hacker known as vorVzakone. McAfee believes vorVzakone used this chat room to recruit hackers to steal information from banks in exchange for a share of the stolen money. It is believed that Project Blitzkrieg has been successfully tested on at least 300 bank accounts in the United States to date, reports CNN.

While this was big news this week, coordinated campaigns targeting financial services organizations are not novel or new – in fact, they have been in play since well before 2010. Banks have been targeted for years by carders and crimeware operators alike. Almost every black-market forum has a Web-inject module for sale that will steal user credentials from all of the top financial services organizations.

Here is an example of a commonly available Web-inject module that can siphon credentials from a supposedly SSL-secured connection to one of the largest banks in the United States.

[Image: screenshot of a Web-inject module's target list]

You can see that many of the major banks named in this week’s news were already listed as targets on the SecondZion site, which was shut down by authorities several months ago.

What is new and most interesting is the mass profit-sharing model being trumpeted by Project Blitzkrieg. It is unique at this broad level of operation. Cybercriminal operations and black-market sales have long leveraged commercial sales practices, such as suggestion/comment forums, service level agreements, and guaranteed response times. Not to be forgotten are bulk-sales discounts on criminal tools, money transfers, product demonstrations, and product evaluation periods. Now we are seeing profit sharing. It would seem that the criminal underground is maturing at a much faster pace than ever before.

Another interesting piece of this story is the operational technique that was so aptly titled “Project Blitzkrieg.” For years, automated crimeware, such as custom builds of Zeus bots, has been capable of performing slow withdrawals in small increments to avoid detection. With this new scheme, putting hundreds of real people behind keyboards to pump and dump funds changes the detection dynamic yet again.

It is important to note that almost all of these targeted financial services customers must already have some type of malware running on their systems to become victims. The reported malware, if it remains dormant for some time, could be detected through a set of common crimeware criteria and the common actions crimeware takes when reading and writing files and variables on the victim’s system. This advance warning provides a longer lead time for traditional anti-malware solutions to detect and clean out dormant malware. Yet even though detection efforts could certainly be improved, until organizations have a way to continuously monitor their systems deeper within the stack, like vigilant ‘Sentinels’ actively protecting critical pieces of personal information, no one can be completely safe.


Topics: Cyber Crime, Cyber Security, malware, Cyber Attack, Research
