Hackers are targeting UK banks with a fresh wave of attacks, using what security experts consider to be one of the most advanced banking trojans currently active in the wild. Dubbed Gootkit, the malware was spotted launching more advanced attacks against high-profile financial institutions to steal banking credentials and similar data.
Security researchers noted that the hackers operating the Gootkit malware have begun launching redirection attacks on banks' web applications. Such redirection attacks have recently been employed by other prominent banking trojans such as TrickBot and Dridex, both of which are considered prolific and highly effective.
According to IBM X-Force security researchers, the Gootkit Trojan has been around since 2014. Researchers said it is not uncommon for such advanced banking malware to be operated by organised cybercrime gangs. UK banks are generally prime targets for redirection attacks from prominent banking trojans, they added, because the cybercrime community holds the security of the UK's financial sector in high regard.
"Because the UK is considered to be an advanced threat protection geography, it is where we encounter the elite gangs with the more advanced capabilities," IBM executive security advisor Limor Kessem told ZDNet. In other words, the UK has become a testing ground for such attacks. For hackers, a successful attack on a UK bank means the same techniques can be used to infiltrate organisations worldwide.
Why redirection attacks?
Kessem explained that traditionally, banking trojans use webinjection attacks. This kind of attack allows hackers to "control and modify" what victims see on their screens and also allows attackers to "socially engineer victims in real time to gain access to their bank accounts or influence them to unknowingly approve a fraudulent transaction".
However, webinjection attacks are not without weaknesses, especially since they are relatively easy for security researchers to uncover. Redirection attacks, on the other hand, give hackers more advanced options.
"This crafty M.O. is used to bypass bank security measures by hijacking victims to a malicious website before they ever reach the bank's site," Kessem wrote. "By keeping victims away from the legitimate site, fraudsters can deceive them into divulging critical authentication elements on the replica site without the bank knowing or discovering the flow of events on the fake site.
"Redirection attacks are most often identified with the resources and capabilities of organized cybergangs with in-house developers because of the extra setup required to maintain unique site replicas for each target."
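The distinction drawn above matters for detection: a webinjection alters the page the victim sees while the browser is still talking to the bank's real origin, whereas a redirection attack steers the victim to a replica site before the bank's servers are ever contacted. The script below is an added example, not code from the article or from IBM X-Force, showing one defender-side way to surface the redirection pattern from constructed DNS and HTTP proxy records. It assumes the defender knows the bank's legitimate hostnames and published IP ranges and has egress logs in the simple line format constructed here; the hostnames, addresses and log format are all assumptions.

```python
"""
Added example (not the article's or IBM X-Force's code): flag the redirection
pattern in which a request for the bank's site ends up somewhere else.

Assumptions (not stated in the article):
  - BANK_HOSTS and BANK_RANGES are the bank's real hostnames and IP ranges
    (constructed placeholder values are used here).
  - Log lines come from an egress proxy or endpoint agent in the constructed
    format "DNS <host> <resolved-ip>" or "HTTP <url> <status> [<location>]".
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed data: placeholder bank hostnames and a documentation IP range.
BANK_HOSTS = {"online.examplebank.test", "www.examplebank.test"}
BANK_RANGES = [ip_network("198.51.100.0/24")]


def _in_bank_ranges(ip: str) -> bool:
    """True if the address falls inside one of the bank's published ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in BANK_RANGES)


def _host_of(url: str) -> str:
    """Hostname part of a URL, or an empty string if it has none."""
    return urlparse(url).hostname or ""


def detect_redirection(lines):
    """Return a list of findings, one tuple per suspicious event.

    Two signals are checked:
      1. "dns_hijack": a bank hostname resolved to an address outside the
         bank's ranges, so the browser never reaches the legitimate site.
      2. "http_redirect": a response for a bank URL was a 3xx whose Location
         points at a host the bank does not own.
    A webinjection does not trigger either signal, because the victim keeps
    talking to the bank's own origin; that is exactly why the two attack
    styles call for different detections.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "DNS" and len(parts) == 3:
            host, ip = parts[1], parts[2]
            if host in BANK_HOSTS and not _in_bank_ranges(ip):
                findings.append(("dns_hijack", host, ip))
        elif kind == "HTTP" and len(parts) == 4:
            url, status, location = parts[1], parts[2], parts[3]
            if (_host_of(url) in BANK_HOSTS
                    and status.startswith("3")
                    and _host_of(location) not in BANK_HOSTS):
                findings.append(("http_redirect", url, location))
    return findings


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "DNS online.examplebank.test 198.51.100.10",   # normal resolution
    "HTTP https://online.examplebank.test/login 200",
    "DNS www.examplebank.test 203.0.113.77",       # bank name answered from outside its ranges
    "HTTP https://online.examplebank.test/login 302 https://online-examplebank.test/login",
]

if __name__ == "__main__":
    for finding in detect_redirection(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the first two lines are clean and the last two produce one finding each: a DNS answer for a bank name that lands outside the bank's ranges, and a 302 from the bank's login URL to a look-alike domain. In a real deployment the hostname and range lists would come from the bank's own records, and the same two checks can be applied to whatever log format the proxy or agent actually emits.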
Gootkit, the work of a Russian cybergang
According to IBM X-Force, Gootkit was developed and operated by a Russian-speaking cybergang "who keeps the code private". Researchers said that the hacker group has limited its activities, launching attacks in a small number of European countries. Apart from the UK, France, Spain and Italy have also been targeted by the trojan.