Bank man: System’s down, let’s have coffee. Oh SNAP, where’s all the CASH?
Cybercrooks are running distributed denial of service attacks as a smokescreen to distract bank security staff while they plunder online banking systems, according to a researcher.
Avivah Litan, vice president at Gartner Research, reports that cyber criminals looking to attack financial institutions are getting more ambitious by targeting the internal wire applications of entire banks, instead of individual accounts, and covering their tracks using simultaneous denial of service attacks against bank systems as a distraction.
Fraudulent money transfers have traditionally been pulled off by taking over a mark’s bank account and moving money into accounts of “money mules”. The stolen cash is then passed around between mules until it ends up in the accounts of the cyber criminals. However, Litan says that the latest evolution of these attacks uses DDoSes as a cover for much more damaging attacks:
A new much more ominous attack type has emerged over the past few months – and uses DDoS as its cover. Once the DDoS is underway, this attack involves takeover of the payment switch (eg, wire application) itself via a privileged user account that has access to it. Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.
Considerable financial damage has resulted from these attacks. One rule that banks should institute is to slow down the money transfer system while under a DDoS attack. More generally, a layered fraud prevention and security approach is warranted.
Litan, an expert in financial fraud and banking security who has been covering the sector for years, said that three unnamed US banks lost millions through just this type of distraction-based cyberheist over against payment switches recent months.
“It was a stealth, low-powered DDoS attack, meaning it wasn’t something that knocked their website down for hours,” he told SC Magazine.
One popular DDoS toolkit, dubbed Dirt Jumper, which has been linked to extortion-based DDoS attacks against gambling sites, has recently been used in attacks against banks that occurred shortly after fraudulent wire transfers.
A report by Dell SecureWorks published in April 2013 explains that Dirt Jumper creates a botnet of compromised machines that can be used to swamp targeted websites with junk traffic. Dirt Jumper (or later variants dubbed Pandora) is readily accessible online through underground forums for around $200.
Banks are often in the firing line of Dirt Jumper-powered DDoS attacks, Dell SecureWorks explains:
Working with organizations affected by Dirt Jumper DDoS attacks revealed a threat scenario in which the threat actor first performed a short-lived “test” DDoS attack to determine if the actor’s botnet could make the targeted site unusable. If the test was successful, then the threat actor performed another DDoS attack in the near future, but this time the DDoS attack occurred shortly after an unauthorized wire or Automated Clearing House (ACH) transfer out of a compromised account. DDoS attack patterns revealed that short-lived attacks were an indicator of an unauthorized wire transfer, while longer attacks, which could last hours to days, were indicators of a fraudulent ACH transfer. The fraud attempts were non-trivial and were usually in the six-figure range, with some attempts in the millions of dollars. Transfers were being made to banks located in Russia, Cyprus, and China.
Eventually the “test” DDoS attack was phased out. Visibility on these attacks proved to be quite useful — in some cases, the DDoS attack was the initial notice that high-dollar fraud was occurring. Some of the fraud attempts and losses are staggering, with total dollar values of attempted fraud ranging from $180,000 to $2.1m.
Separately the FBI-affiliated Internet Crime Complaint Centre warned(PDF) that cybercrooks were targeting financial institution employee credentials to conduct wire transfer frauds back in September 2012.
Recent FBI reporting indicates a new trend in which cyber criminal actors are using spam and phishing emails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee log in credentials. The stolen credentials were used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the actor(s) raised the wire transfer limit on the customer’s account to allow for a larger transfer.
In most of the identified wire transfer failures, the actor(s) were only unsuccessful because they entered the intended account information incorrectly.
The attacks largely focused on small- to medium-sized banks or credit unions but a few large banks have also been affected.
“In some of the incidents, before and after unauthorised transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public websites and/or Internet Banking URL,” IC3 reports.
IC3, like Dell SecureWorks, reckons that the Dirt Jumper Trojan is the main vector of these DDoS smokescreens. The attacks reported by Litan appear to employ much the same tactics and tools, but targeting wire application systems rather than seeking to compromise trusted user accounts. As such, it represents an escalation in how banking attacks are run.
All this is carried out under the cover of denial of service attacks. However there’s no suggestion that a recent run of apparently politically motivated DDoS attacks against large US banks, claimed by the Izz ad-Din al-Qassam Cyber Fighters, is linked to this financial fraud. Hackers launched packet-flooding attacks against Wells Fargo, Bank of America, Citibank and many other US banking organisations using compromised WordPress installations, employing a hacker tool called Itsoknoproblembro.
Spooky US intelligence types suggested that the attacks were so sophisticated that they must be the work of a nation state, before pointing the finger of blame towards Iran. Security experts countered that the attack is well within the scope of ordinary hackers, and that the involvement of Iran is not supported by any hard evidence. ®