What vorVzakone originally proposed in his Sept. 9, 2012, message to the cybercriminal underground was a novel mass attack that would organize previously unorganized cells of the cybercriminal community. The idea was to collaborate in exploiting the US banks' vulnerabilities in authenticating wire transfers.
“The goal – together, en-masse and simultaneously process large amount of the given material before antifraud measures are increased,” vorVzakone wrote in his message, according to a translation by cybersecurity blogger Brian Krebs.
The McAfee findings largely confirm and expand on earlier findings by RSA, the Bedford, Mass.-based cybersecurity division of EMC Corp., which published its findings on Project Blitzkrieg on the company's security blog in October.
McAfee and RSA agree that vorVzakone sought to put the prospective participants into a "boot camp-style process" in which "accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims’ accounts into mule accounts controlled by the gang," RSA researchers blogged in October.
"To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits. The gang and a long list of other accomplices will also reap their share of the spoils, including the money-mule herder and malware developers."
A key feature of the plot was to purchase computerized "phone flooding" equipment so that banks trying to call or text victims to verify whether a wire transfer was genuine would be unable to reach them, because the digital pathways to the phones would be jammed. Meanwhile, the fraudster could call the bank, claiming to be the accountholder approving the transaction.
The planned attack, both RSA and McAfee agree, is built on a particularly nasty piece of malicious software called Prinimalka, itself a previously little-known private variant of a better-known piece of criminal malware called Gozi, which was specifically designed to steal banking login credentials.