GozNym, a major cyber crime group based in Eastern Europe, is effectively out of business for good. Indictments from a United States federal court that were unsealed this week reveal that key figures in the organization have been charged thanks to an international effort involving six countries as well as Europol and Eurojust.
The GozNym cyber crime group is named for the product they distributed to their criminal clients, a combination of the dangerous banking trojan Gozi with the Nymaim malware. From late 2015 to December 2016, the group sold this malware through underground criminal forums. It was popular as it did not require a great degree of technical skill to put into action, and they were able to steal an estimated $100 million USD from bank accounts throughout the United States and Europe.
GozNym in action
GozNym specifically targeted financial institutions username and password combinations, and is estimated by federal prosecutors to have been provided to at least 200 criminal clients and to have infected over 41,000 victims. Businesses and bank employees were the primary targets.
GozNym is effectively a simple keylogger that looks for bank login information specifically.
Malware would usually be delivered to targets using a phishing email, with the keylogger hiding quietly in the background sending the login details to the remote target. The indictments indicate that the group appears to have played some additional role in helping their clients launder money stolen from the bank accounts.
The cyber crime group was made up of members in several different Eastern European countries. Ringleaders Alexander Konovolov and Marat Kazandjian will be prosecuted in Georgia, while “account takeover specialist” Krasimir Nikolov has been extradited from Bulgaria to the United States. Ukrainian hosting service administrator Gennady Kapkanov is facing trial in the Ukraine for firing a Kalashnikov assault rifle through his apartment door at law enforcement officers.
Five Russian nationals associated with the group remain at large, though they did not appear to play instrumental roles that would allow them to revive the scheme. Additionally, the Avalanche network that was used to host GozNym and numerous other forms of malware was dismantled in late 2016.
Most of the GozNym attacks targeted small businesses. Prosecutors did not release business names to the public, but mentioned a casino in Gulfport, MS (almost certainly the Island View Casino Resort), several law firms and various construction contractors throughout the country as victims.
Cyber crime groups offering “Crime as a Service”
Though the GozNym cyber crime group is novel in its size and scope, this is hardly the first example of hackers offering “crime in a box” packages through underground venues. These services are very frequently centered in Russia and offered via Russian-language “dark web” forums. The Russian government has an established history of being willing to overlook cybercrime so long as it is committed by citizens who keep it outside of national borders and away from the country’s close allies.
Cyber crime groups have been doing this sort of business since at least the late 2000s. Their customers are generally given a set of stock phishing emails to send to their intended victims; links in the emails take them to malware sites at “bulletproof” hosting services that willingly facilitate cyber crime. Most of these hosting services are found in or around Russia and China. The criminals then use a network of international “money mules” to rapidly launder the money in small chunks that are unlikely to raise red flags and are difficult to trace.
Coordinating the international law enforcement actions needed to break up cyber crime groups like GozNym is no small feat, which is part of what makes this case so remarkable. GozNym’s cybercrime network is out of the picture at this point, but the threat is far from over – particularly if you are a small business owner.
Protecting small businesses from bank fraud
It’s no coincidence that most of the GozNym targets were relatively small and locally-focused businesses. Cyber crime groups expect that smaller businesses will have less robust defenses, which is particularly appealing to non-technical criminal actors purchasing prefab hacking packages such as this one.
Everything usually begins with a phishing link. Criminals need to load malware onto your systems to create an opening to capture login details. Company-wide awareness is key; criminals are adept at sending emails that appear to be coming from a legitimate source, like a shipping company or a vendor.
The first and most basic defense against phishing emails is regular updates of operating systems and software (to ensure they have the latest patches against vulnerabilities) and the use of a quality spam filter and anti-malware tool. Employee mishaps will happen no matter how much training you do or how many memos you send out, but this first line of defense can cover you when they do.
In terms of specific protection against banking fraud, two-factor authentication (2FA) will go a very long way toward stopping “hacking-in-a-box” services like GozNym from stealing money. You have some choices when it comes to 2FA, but for something as critical as bank information it’s best to use an authenticator app or even a hardware key rather than the standard text message.
Advanced phishing protection services are available that make use of machine learning techniques to automatically recognize elements of emails that are unusual or out of place. These advanced services are most useful when the attacker is posing as a trusted partner of the company. They build profiles on each organization and individual that you regularly communicate with, and are able to spot and flag unusual and uncharacteristic behaviors.
GozNym #cybercrime product estimated to be sold to at least 200 criminal clients and infected over 41,000 victims. Click to Tweet
The balance of attack preferences has gradually shifted from large businesses to small-to-medium enterprises (SMEs) over the last decade. SMEs may not have the same budget for cybersecurity that larger businesses do, but they are at much greater risk for a crippling or even fatal blow to business operations if their bank accounts are accessed by attackers. In addition to the fundamental protections described above, supplementary insurance against phishing may be a wise investment for companies that are unsure if their policy fully covers indirect losses from funds transfer fraud.