Security firm McAfee on Thursday released a report warning that a massive cyberattack on 30 U.S. banks has been planned, with the goal of stealing millions of dollars from consumers’ bank accounts.
McAfee’s research upheld an October report from RSA, the security wing of IT giant EMC Corp (EMC, Fortune 500).
RSA startled the security world with its announcement that a gang of cybercriminals had developed a sophisticated Trojan aimed at funneling money out of bank accounts from Chase (JPM, Fortune 500), Citibank (C, Fortune 500), Wells Fargo (WFC, Fortune 500), eBay (EBAY, Fortune 500) subsidiary PayPal and dozens of other large banks. Known as “Project Blitzkrieg,” the plan has been successfully tested on at least 300 guinea pig bank accounts in the United States, and the crime ring had plans to launch its attack in full force in the spring of 2013, according to McAfee, a unit of Intel (INTC, Fortune 500). (McAfee was founded by John McAfee, who is wanted for questioning as part of a Belize murder investigation, but he no longer has any ties to the company.)
Project Blitzkrieg began with a massive cybercriminal recruiting campaign, promising each recruit of a share of the stolen funds in exchange for their hacking ability and busywork. With the backing of two Russian cybercriminals, including a prominent cyber mafia leader nicknamed “NSD,” the recruits were tasked with infecting U.S. computers with a particular strain of malware, cloning the computers, entering stolen usernames and passwords, and transferring funds out of those users’ accounts.
The scheme was fairly innovative. U.S. banks’ alarm bells get tripped when customers try to access their accounts from unrecognized computers (particularly overseas), so banks typically require users to answer security questions. Cloning computers lets the cybercriminals appear to the banks as though they are the customers themselves, accessing their accounts from their home PCs — thereby avoiding the security questions.
And since most banks place transfer limits on accounts, recruiting hundreds of criminals to draw smallish amounts out of thousands of accounts is a way to duck those limits. The thieves could collectively siphon off millions of stolen dollars.