Since the beginning of April, banks in the US and Canada have been plagued by a sophisticated new strain of malicious software called GozNym. The name is an amalgamation of Gozi, a well-known and feared banking trojan, and Nymaim, a dropper (which downloads and installs malware automatically) that also functions as ransomware. The elder of GozNym’s “parents” has been around for some time: in its heyday (2007 to 2010), Gozi infected more than a million computers and caused losses worth millions of dollars. Nikita Kuzmin, one of its creators, was recently indicted and fined $6.9 million in an attempt to offset the damages, having already served 37 months in prison to boot.

Traditionally, malware was only activated as a result of a user opening an infected file such as an email attachment or .exe download. Unfortunately, GozNym makes use of so-called “drive-by download” attacks, which deliver malware to a user’s device without their knowledge when they visit an infected website. The malware can be present in code hidden within website content, banners, and advertisements, which means that the act of visiting a site alone is enough to get a PC or device infected. The user remains unaware that the drive-by malware has been downloaded and installed, giving the fraudster access to the entire device. When the user then logs on to mobile or Internet banking, the fraudster grabs all of their personal details – and the SMS OTP they enter as a supposed security measure – in a single stroke.

What makes GozNym even worse than traditional malware is the fact that its inherited Nymaim genes enable it to also function as ransomware. This means that GozNym can not only capture a user’s credentials and use them for banking fraud, but can also “lock” the user’s PC or device and demand money in return for reopening it, multiplying fraudsters’ revenue streams.

Early in April, GozNym enabled cybercriminals to steal $4 million from 24 large US and Canadian banks and credit unions. Of their targets, 28 percent were from the business banking industry, 27 percent were credit unions and 17 percent were retail banks. After this attack, the malware moved on to target 17 banks in Poland and one in Portugal. There does not seem to be any geographical pattern to GozNym’s attacks, which means that any country could be next on its hit list. What is clear is that financial institutions are the primary target.

GozNym is an example of how malware is evolving to circumvent standard security measures such as passwords and OTPs. In a threat landscape like this, financial institutions cannot afford to ignore solid defenses already available on the market. Out-of-band, multifactor authentication makes the execution of fraudulent transactions impossible without the consent of the account holder (banking user). Push notifications received over a secure channel between the bank and the user can add to this protection by alerting the user of activity in their account.
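An added illustration, not from the post or Entersekt's own product, of why an out-of-band approval bound to the transaction resists the credential-and-OTP capture described above: the proof is tied to the payee, amount and a single-use nonce, so a code lifted from the browser session cannot authorise a different transfer or be replayed. Class and function names are hypothetical, and the per-device key is assumed to have been shared at enrolment.

```python
import hashlib, hmac, json, os, secrets

# Constructed example (hypothetical names): a transfer is approved on the user's enrolled
# device, with the approval bound to the exact details and a single-use nonce, so a code
# captured by browser malware cannot authorise a different transfer or be replayed.

class RegisteredDevice:
    def __init__(self, device_key: bytes):
        self._key = device_key  # per-device secret shared at enrolment (assumed)
    def approve(self, challenge: dict, user_accepts: bool):
        # The device shows amount and payee; only an explicit accept yields a proof.
        if not user_accepts:
            return None
        msg = json.dumps(challenge, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

class BankServer:
    def __init__(self):
        self._devices = {}  # user -> device key
        self._pending = {}  # nonce -> challenge awaiting approval
    def enrol(self, user: str, device_key: bytes):
        self._devices[user] = device_key
    def create_challenge(self, user: str, amount: int, payee: str) -> dict:
        ch = {"user": user, "amount": amount, "payee": payee, "nonce": secrets.token_hex(16)}
        self._pending[ch["nonce"]] = ch
        return ch
    def execute(self, user: str, amount: int, payee: str, nonce: str, proof) -> bool:
        ch = self._pending.pop(nonce, None)  # single use: a replayed nonce finds nothing
        if ch is None or proof is None:
            return False
        if ch != {"user": user, "amount": amount, "payee": payee, "nonce": nonce}:
            return False  # browser submitted details that differ from what the user approved
        msg = json.dumps(ch, sort_keys=True).encode()
        good = hmac.new(self._devices[user], msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(good, proof)

def demo() -> dict:
    bank, key = BankServer(), os.urandom(32)
    bank.enrol("alice", key)
    device = RegisteredDevice(key)
    ch = bank.create_challenge("alice", 100, "ACME Utilities")
    proof = device.approve(ch, True)  # user accepts the displayed details
    legit = bank.execute("alice", 100, "ACME Utilities", ch["nonce"], proof)
    replayed = bank.execute("alice", 100, "ACME Utilities", ch["nonce"], proof)  # reuse fails
    ch2 = bank.create_challenge("alice", 100, "ACME Utilities")
    tampered = bank.execute("alice", 100, "Mule Account", ch2["nonce"], device.approve(ch2, True))
    ch3 = bank.create_challenge("alice", 100, "ACME Utilities")
    declined = bank.execute("alice", 100, "ACME Utilities", ch3["nonce"], device.approve(ch3, False))
    return {"legit": legit, "tampered": tampered, "replayed": replayed, "declined": declined}
```

Only the transfer whose details the user accepted on the device goes through; the tampered, replayed and declined attempts all fail server-side regardless of what the browser session submits.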

If this seems like a lot of technology to add to a simple banking app, just think of the alternative: unsecured transactions, compromised data and account takeover fraud. Fraudsters are clearly not backing down in terms of innovation, and neither should banks.


Jolette Roodt

WRITER/ANALYST

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.