Colombian police arrest Gozi malware suspect after 8 years at large

By Paul Ducklin, Sophos

July 1, 2021

More than eight-and-a-half years ago, we wrote about the US indictment of three cybercrime suspects.

The troika was wanted for allegedly operating a bank-raiding crimeware “service” known as Gozi, based on zombie malware that used a technique known as HTML injection to trick victims into revealing personal information relating to their online banking.

As we explained at the time [original text slightly edited]:

Adding to or altering the content of a bank’s online login form is tricky if you want to make the modifications on the server side or while the content is in transit. […]

But if you can plant malware on the victim’s PC, you can use what’s known as an MiTB attack, or “manipulator in the browser”.

Then, you wait until a suitable online transaction form has been securely delivered and decrypted for display in the browser. Only then do you inject content into the HTML in order to modify the form, for example to request additional security information that wouldn’t normally be needed at that point.

Finally, you exfiltrate the extra data entered by the victim by sending it somewhere other than the bank.

By leaving the genuine fields in the web form alone, and allowing data in the genuine parts of the form to flow to the regular banking site as usual, HTML injection attacks generally don’t interfere with the original transaction.

That means there is no tell-tale error message or failed transaction that the crooks need to disguise, and there is no tell-tale fake URL in the address bar that an observant user might notice.
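The injection-and-exfiltration flow described in the quoted passage, as an added simulation that is not code from the original article, from Sophos, or from the Gozi malware itself. The bank URL, field names, victim input and drop-site URL are all made up, and the “browser” is plain string handling over the HTML the bank delivered; the last function shows the defender’s side, a DOM-integrity comparison of the kind client-side anti-fraud scripts perform, together with its obvious limitation.

```python
"""Simulation of the HTML-injection / manipulator-in-the-browser (MiTB) flow.
Illustrative only: bank URL, field names and drop-site URL are made up."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the login form exactly as the bank's server delivered it,
# after TLS decryption, so the browser now holds it as plaintext HTML.
SERVED_FORM = (
    '<form id="login" action="https://bank.example/login" method="post">'
    '<input name="username" type="text">'
    '<input name="password" type="password">'
    '<button type="submit">Log in</button>'
    '</form>'
)

# The crooks' extra field. An ATM PIN is never needed to log in to a web bank,
# so nothing about the genuine login depends on it.
INJECTED_FIELD = '<input name="atm_pin" type="password" placeholder="ATM PIN (required)">'

# Hypothetical drop site for the stolen extra answers (not a real host).
EXFIL_URL = "https://updates-cdn.example.net/collect"


class FormFields(HTMLParser):
    """Collect a form's action URL and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.names.append(a["name"])


def parse_form(html):
    """Return (action URL, list of field names) for the first form in html."""
    p = FormFields()
    p.feed(html)
    return p.action, p.names


def inject_field(html, extra_input):
    """MiTB step 1: add a field to the already-decrypted page, just before the
    submit button. Genuine fields and the form action are left untouched, which
    is the point: the bank still receives a normal-looking login."""
    i = html.index('<button type="submit"')
    return html[:i] + extra_input + html[i:]


def split_submission(submitted, genuine_names):
    """MiTB step 2: genuine fields go to the bank as usual; only the injected
    answers are sent elsewhere, so there is no failed transaction to hide."""
    to_bank = {k: v for k, v in submitted.items() if k in genuine_names}
    to_crooks = {k: v for k, v in submitted.items() if k not in genuine_names}
    return to_bank, to_crooks


def unexpected_fields(rendered_html, served_html):
    """Defender's view: fields present in the rendered form but absent from
    what the server sent. Malware that controls the browser can also tamper
    with this check, so it is a signal, not a guarantee."""
    _, served = parse_form(served_html)
    _, rendered = parse_form(rendered_html)
    return [n for n in rendered if n not in served]


def demo():
    action, genuine = parse_form(SERVED_FORM)
    tampered = inject_field(SERVED_FORM, INJECTED_FIELD)
    # Constructed sample of what a victim types into the modified form.
    typed = {"username": "alice", "password": "hunter2", "atm_pin": "4821"}
    to_bank, to_crooks = split_submission(typed, genuine)
    return {
        "bank_action": action,
        "genuine_fields": genuine,
        "rendered_fields": parse_form(tampered)[1],
        "to_bank": to_bank,
        "to_crooks": to_crooks,
        # The address bar still shows the bank; only the side channel differs.
        "exfil_host_differs": urlsplit(EXFIL_URL).netloc != urlsplit(action).netloc,
        "flagged": unexpected_fields(tampered, SERVED_FORM),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two halves of the trick side by side: the bank receives exactly the username and password it asked for, the drop site receives only the PIN, and the form’s action URL (what the address bar and any URL check would see) never changes.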

Using the stolen data, the Gozi crooks could then raid the victim’s bank account, with the US Department of Justice (DOJ) noting at the time that there were at least 17,000 Gozi malware infections in the US alone, including 160 at NASA.

It seems that rocket scientists aren’t just people of interest to cybercrooks for the latest spaceplane plans – their bank account details are valuable, too.
