Gozi Hits Bulgaria Banks

A well-known Trojan called Gozi/ISFB, which has been around for five years in different guises, has now added nine major banks in Bulgaria to its list of targets. An article posted on SecurityIntelligence.com reports “a new Gozi Trojan configuration file that is, according to our data, the first one dedicated to exclusively targeting Bulgarian banks,” while previous versions have been focused on the US, UK, Australia, Saudi Arabia, or the Persian Gulf.

Unfortunately, Bulgaria is known for not being able to resist cyber crime, the article notes, citing last year’s report by the European ATM Security Team (EAST), which describes the country as home to a “significant Bulgarian organized crime network suspected of a variety of crimes, including large-scale ATM skimming, electronic payment fraud and forgery of documents.”



The Gozi Trojan is a computer virus that steals personal bank account information, including usernames and passwords for online banking. It was discovered in January 2007 and was previously unrecognized by antivirus programs. Since 2007, the virus has infected over one million victim computers around the world, including those in the UK, Australia, and the US, most notably a number of computers on NASA’s networks. It has also been responsible for causing tens of millions of dollars in losses to customers and banking institutions. Security Intelligence has discovered that a new variant of the virus is targeting banks in Bulgaria this summer for the first time.

The virus initially infected users through altered PDF documents, but methods of transmission change according to the target population. Even in its infancy, the virus was being regularly refined to acquire targets in different countries through new methodologies and to avoid detection by antivirus programs. Ultimately, all variations of the virus collect user data, including usernames and passwords, by directing users to fake banking login pages and then transmitting login credentials to servers controlled by cyber criminals, who subsequently transfer funds out of the victim’s bank account. Some variations of the fake landing pages also ask for additional information, including Social Security numbers and mothers’ maiden names, potentially facilitating additional fraud and identity theft.