GozNym banking malware spotted in Europe

IBM's X-Force reported today the actors behind the hybrid GozNym banking trojan have released a new configuration that is targeting European banks using redirection attacks.

The recent targets include 17 Polish banks and one in Portugal. However, a new twist has been included, using redirection attacks targeted at customers using these banking institutions. IBM reported the GozNym gang have created about 200 URLs that point a victim to what they believe is their bank website, but in fact it is one controlled by the bad guys.

“By keeping the victim away from the bank's site, the fraudster can deceive them into divulging critical authentication codes on the replica site, all without the bank knowing that the customer's session has been compromised,” said Limor Kessem, executive security advisor at IBM.

Kessem believes the Dridex gang is behind the GozNym attacks as it is the only cyber-gang known to use redirection attacks, although, she added, there are rumours that Neverquest have also started using redirection attacks.

IBM noted that most of these attacks start with a phishing attack that includes a malware laden attachment.

A specific amount of money lost in Europe has not yet been reported, but Kessem expects GozNym to grow into a major threat to financial institutions with more direct attacks and redirection schemes.

The original version of GozNym first struck in early April, but by 14 April it had already stolen an estimated $4 million (£2.8M) from 24 banks – 22 in the US and two in Canada. GozNym was created by combining some of the source code from the older Nymaim and Gozi IFSB banking malware to create an even more dangerous piece of software. 

Sign up to our newsletters