Light Dark
April 18, 2013 By Etay Maor 2 min read
Fraud Protection
Banking & Finance
Malware

Gozi is a financial malware that was the focus of media attention over several months in late 2012 and early 2013. It infected more than 1 million computers around the world, causing tens of millions of dollars in damage. In late 2012, Gozi was part of a planned attack against U.S. banks, and recently, it was reported that the alleged author of the malware was arrested and faces up to 95 years in prison if he is found guilty

It seems that the capture of the alleged author was celebrated all too soon. Banks across the world — and specifically in the United States — have continued to experience Gozi-based fraud well into 2013. Not only that, but it’s actually getting worse.

Gozi Gets Worse

The research team for IBM Security Trusteer has identified a new Gozi variant that infects the Master Boot Record (MBR), ensuring it loads with the operating system after a reboot and remains on the infected system even if the operating system is reinstalled. Even though MBR rootkits are considered highly effective, they haven’t been integrated into a lot of financial malware. One exception was the Mebroot rootkit, which was used to deploy Torpig (aka Sinowal/Anserin).

Due to their strategic placement in the operating system’s kernel, rootkits are difficult to identify and remove. Upon infection, Gozi lurks in the MBR, waiting for Internet Explorer (IE) to be launched. Once IE is detected, the malware injects itself into the process and runs inside the browser. It intercepts traffic and performs Web injections, like most financial Trojans do. In fact, the Gozi variant IBM research detected looks like an old variant that was not previously packaged with the rootkit that was used. This may indicate that a new rootkit is being sold in cyber criminal forums and adopted by malware authors.

Although some rootkits can be removed using dedicated tools, most experts recommend a complete hard drive format to ensure a clean start. Financial institutions should change infected user credentials only after a system format or after the malware functionality is disabled.

IBM Security Trusteer Rapport protects end users by preventing the malware code from injecting into the browser. However, to fully mitigate fraud risk, it is recommended that infected users do format the hard drive, reinstall the operating system, install Trusteer Rapport and receive new credentials to their online banking account.

 |  |  |  | 
Etay Maor
Executive Security Advisor, IBM Security

More from Fraud Protection
October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

August 23, 2023

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

August 17, 2023

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature