On November 29, 2024, Black Friday, online shoppers rushed to e-commerce sites to grab the best bargains of the year. While buyers were busy filling their carts, cyber criminals were exploiting the same shopping enthusiasm. Our systems recorded a significant rise in Gozi malware activity, with financial institutions in North America as the primary targets.

The Black Friday Connection

Black Friday is an ideal stage for cyber criminals. The combination of soaring transaction volumes, a surge in online activity, and often limited security awareness among users is fertile ground for attacks. Gozi, a well-known banking Trojan, exploits this seasonal turmoil to target unsuspecting users and financial institutions.

This year's Black Friday raised alarms with a notable upsurge in web-inject attacks. These techniques tamper with live online banking sessions in the victim's browser, enabling the theft of sensitive information such as credentials and financial data.

The campaign is not expected to stop there. With the shopping season continuing through the end of the year, Gozi is set to keep going. Cyber criminals are likely to exploit the urgency of last-minute shoppers hunting for holiday deals, expanding the reach and impact of the malware.

The ongoing attacks underline the need for vigilance and preemptive security measures. Whether you are a consumer enjoying the convenience of online shopping or a business handling the surge in transaction volumes, understanding the evolving tactics of cyber criminals is key to staying ahead of the threat.

Understanding Gozi Malware

Gozi, also known as Ursnif and ISFB, is a modular banking Trojan that has been active since the mid-2000s. It is notorious for stealing banking credentials, monitoring user activity, and performing sophisticated web-injects during online banking sessions. Over time it has gained functionality such as anti-debugging mechanisms and encrypted communication, and it is used in targeted attacks against specific regions and financial institutions.

Insights from Our Monitoring

Our monitoring during Black Friday revealed the following trends:

  • Focused campaigns: Gozi operators concentrated on North American banks, timing their activity to coincide with peak shopping hours.
  • Increased attack intensity: Use of the malware's web-inject capability intensified, indicating a spike in compromised banking sessions.

Reasons Behind the Surge

The escalation in Gozi activity during Black Friday can be explained by:

  • Transaction volume: The sheer number of financial transactions raises the odds that a fraudulent one succeeds and goes unnoticed.
  • Weakened defenses: Many businesses prioritize a smooth user experience, uptime, and sales during Black Friday, potentially delaying or relaxing security measures.
  • Human behavior: Rushing to grab deals makes consumers more likely to overlook suspicious activity.

Findings

The script shown below is a refined web-inject used to compromise online banking sessions. It dynamically inserts malicious code into the legitimate banking page, letting the attacker control the session without the user noticing. The injected script runs in the background to steal sensitive details such as credentials, and it is designed to evade detection by removing itself from the page immediately after execution. By blending into the authentic page and erasing its own traces, the attack becomes nearly invisible to both users and conventional security controls. This highlights the growing sophistication of web-inject attacks and the need for monitoring that records in-page behavior as it happens, since inspecting the page after the fact will find nothing.

Figure 1: Sample of Gozi injection

The screenshot below shows that the attacker carefully removed all traces, most likely to keep the mechanism effective:

Figure 2: Attacker preparation

We suspect the web-inject is still a work in progress, and we expect further enhancements and updates to the code.

If you want to dig deeper into Gozi malware, further information can be found here.
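The self-erasing behavior described above defeats any check that inspects the page only after it has loaded, but a script that inserts itself and then deletes itself still produces two DOM mutations, and a MutationObserver sees both. The following is an added example written for this article, not code from the original post or from the Gozi sample: the decision logic works on plain event objects so it runs under Node, and installInjectWatcher() wires the same logic to a live page. The function names, the 2-second window and the sample events are assumptions for illustration.

```javascript
// Added example, not from the original post or the Gozi sample: flag <script>
// elements that are inserted into a page and removed again a moment later.
// Names, the 2 s window and the sample events below are assumptions.

const SELF_REMOVAL_WINDOW_MS = 2000;

// Summarise a script node (or a stand-in object) for the finding record.
function describeScript(node) {
  return {
    src: node.src ? String(node.src) : null,
    inlineLength: node.textContent ? node.textContent.length : 0,
  };
}

// Stateful tracker: remembers when each script node was inserted and reports
// any node removed within the window. Keying on the node object works because
// MutationObserver hands back the same object in addedNodes and removedNodes,
// so a script that deletes itself is still recognised after it is gone.
function createInjectTracker(windowMs = SELF_REMOVAL_WINDOW_MS) {
  const pending = new Map(); // node -> insertion time (ms)
  return {
    // event: { type: 'added' | 'removed', node, time }; returns a finding or null
    feed(event) {
      if (event.type === 'added') {
        pending.set(event.node, event.time);
        return null;
      }
      if (event.type === 'removed' && pending.has(event.node)) {
        const lifetimeMs = event.time - pending.get(event.node);
        pending.delete(event.node);
        if (lifetimeMs <= windowMs) {
          return { ...describeScript(event.node), lifetimeMs };
        }
      }
      return null;
    },
  };
}

// Batch form for offline analysis of a recorded event list.
function findSelfRemovingScripts(events, windowMs = SELF_REMOVAL_WINDOW_MS) {
  const tracker = createInjectTracker(windowMs);
  const findings = [];
  for (const event of events) {
    const finding = tracker.feed(event);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Browser wiring: observe the whole document and feed script insertions and
// removals to the tracker. Returns null outside a browser so the file also
// loads under Node.
function installInjectWatcher(onFinding, windowMs = SELF_REMOVAL_WINDOW_MS) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') {
    return null;
  }
  const tracker = createInjectTracker(windowMs);
  const observer = new MutationObserver((mutations) => {
    const now = performance.now();
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName === 'SCRIPT') tracker.feed({ type: 'added', node, time: now });
      }
      for (const node of m.removedNodes) {
        if (node.nodeName !== 'SCRIPT') continue;
        const finding = tracker.feed({ type: 'removed', node, time: now });
        if (finding) onFinding(finding);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample events (not captured data): a first-party script that
// stays on the page, and an inline script that removes itself 40 ms after
// it was inserted.
const firstParty = { nodeName: 'SCRIPT', src: 'https://static.example-bank.test/app.js', textContent: '' };
const selfErasing = { nodeName: 'SCRIPT', src: '', textContent: '/* payload */ document.currentScript.remove();' };
const SAMPLE_EVENTS = [
  { type: 'added', node: firstParty, time: 100 },
  { type: 'added', node: selfErasing, time: 250 },
  { type: 'removed', node: selfErasing, time: 290 },
];

console.log(findSelfRemovingScripts(SAMPLE_EVENTS));
// → [ { src: null, inlineLength: 46, lifetimeMs: 40 } ]
```

The watcher must be installed before the inject runs, for example from the bank's own first-party script at the top of the page; a script that is inserted and removed inside one event-loop turn arrives in a single batch of mutation records with a lifetime of 0 ms and is still flagged. Findings should be shipped off the page (for instance with navigator.sendBeacon) rather than kept in page memory, since the inject can tamper with anything that stays in the DOM.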

Closing Remarks

As cyber criminals continue to capitalize on global events such as Black Friday, heightened awareness is more essential than ever. The resurgence of Gozi underscores the importance of proactive security measures for organizations and individuals alike. Although the current attacks predominantly target North America, we expect the tactic to extend to Europe soon, leveraging the holiday shopping season for greater impact.

While enjoying the convenience of online shopping, it is essential to stay aware of the persistent threats online. By adopting robust security practices and remaining cautious, we can reduce risk and protect ourselves against these sophisticated attacks. Cybersecurity is not merely a technical challenge; it is a shared responsibility.

Tips to Avoid Gozi Malware

Here are some suggestions to avoid Gozi malware and protect yourself against similar threats:

  • Be careful with email links. Do not open email attachments or click links in a hurry, especially if they come from unfamiliar or questionable senders. Be particularly wary of phishing emails designed to trick you into downloading malware.
  • Strengthen your passwords. Use strong, unique passwords for all your online accounts, including cryptocurrency platforms and wallets. Avoid easily guessable information and consider a reputable password manager to store your passwords securely.
  • Stay alert online. Watch for unusual behavior or unexpected requests while using websites, particularly financial or cryptocurrency sites. Be suspicious of pop-ups, requests for additional personal information, or changes in a site's appearance, which can signal a web-inject trying to deceive you.
  • Keep up with the latest cybersecurity threats and best practices. Learn the common methods used by cyber criminals, such as phishing and social engineering, so you do not fall for them.

One of the best tools to detect Gozi malware and protect your organization is IBM Security Trusteer Pinpoint Detect. It uses artificial intelligence and machine learning to protect digital channels against account takeover and fraudulent transactions, while identifying user devices infected with high-risk malware. Learn more here.

Observed web-inject paths (defanged):

  • /usbank/inj[.]php
  • /in/sella/sella[.]php
  • /in/paypal/p[.]php
  • /in/ebay/ebay[.]php
  • /in/poste/po[.]php
  • /in/ubibanca/ub[.]php
  • /in/amazon/a[.]php
  • /in/clienti.chebanca/ch[.]php
  • /in/credem/cr[.]php
  • frcorporateonline/inj[.]php
  • hsbcnet/inj[.]php
  • /lancher/in
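The paths above are published defanged, with "[.]" in place of ".", so they cannot be matched against logs as written. The following is an added example written for this article, not code from the original post: it refangs the list and runs it over web-proxy log lines, matching on the URL path only because the list gives paths and no hosts. The proxy log layout, the host names and the addresses in the sample lines are constructed for illustration and are not indicators from the page.

```javascript
// Added example, not from the original post: refang the inject paths listed
// above and match them against proxy-log URLs. The log layout, hosts and
// addresses in the sample below are constructed, not indicators from the page.

const DEFANGED_INJECT_PATHS = `
/usbank/inj[.]php
/in/sella/sella[.]php
/in/paypal/p[.]php
/in/ebay/ebay[.]php
/in/poste/po[.]php
/in/ubibanca/ub[.]php
/in/amazon/a[.]php
/in/clienti.chebanca/ch[.]php
/in/credem/cr[.]php
frcorporateonline/inj[.]php
hsbcnet/inj[.]php
/lancher/in
`;

// Undo the defanging used in reports so the string matches what is seen on the wire.
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, '.').replace(/^hxxp/i, 'http');
}

// One path per non-empty line. Entries are kept as written: the two without a
// leading slash and the short "/lancher/in" fragment are matched as listed,
// not guessed at.
function loadInjectPaths(text) {
  return text.split('\n').map((l) => l.trim()).filter(Boolean).map(refang);
}

// Return the first inject path that the URL's path component ends with, or
// null. Only the path is compared, since the list above carries no hosts.
function matchInjectPath(url, injectPaths) {
  let pathname;
  try {
    pathname = new URL(url).pathname;
  } catch {
    return null; // not an absolute URL; nothing to compare
  }
  for (const p of injectPaths) {
    const needle = p.startsWith('/') ? p : '/' + p;
    if (pathname === needle || pathname.endsWith(needle)) return p;
  }
  return null;
}

// Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
function scanProxyLog(lines, injectPaths) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 5) continue; // malformed line, skip
    const [timestamp, client, method, url] = fields;
    const ioc = matchInjectPath(url, injectPaths);
    if (ioc) hits.push({ timestamp, client, method, url, ioc });
  }
  return hits;
}

// Constructed sample log (not real traffic): two fetches of inject endpoints
// from two clients, plus a benign inj.php under a different directory that
// must not match.
const SAMPLE_PROXY_LOG = [
  '2024-11-29T14:02:11Z 10.0.0.12 GET https://www.example-bank.test/login 200',
  '2024-11-29T14:02:13Z 10.0.0.12 GET http://198.51.100.7/in/paypal/p.php?x=1 200',
  '2024-11-29T14:05:40Z 10.0.0.31 POST http://203.0.113.9/hsbcnet/inj.php 200',
  '2024-11-29T14:06:02Z 10.0.0.31 GET https://cdn.example.test/static/inj.php 200',
];

const INJECT_PATHS = loadInjectPaths(DEFANGED_INJECT_PATHS);
console.log(scanProxyLog(SAMPLE_PROXY_LOG, INJECT_PATHS));
// → two hits: the /in/paypal/p.php request and the hsbcnet/inj.php request
```

A hit identifies the client that fetched an inject endpoint, which is the infected machine, not the bank: the browser on that machine requested the inject while rendering a banking page, so the next step is to isolate the host and review the banking sessions it carried that day. Matching on path suffix rather than exact host is deliberate, because inject servers move far more often than the inject layout, but it also means a generic fragment such as "/lancher/in" should be reviewed by hand before it is escalated.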