Advanced malware puts high net worth individuals at greater risk

Hackers, using ‘crime as a service’ model, put financial institutions, wealthy clients in cross-hairs


Ahead of many other sectors in cybersecurity maturity, the financial industry consistently faces challenges from hackers’ ability to circumvent data security. One of the bad guys’ latest tactics is to target financial institutions that cannot rely on traditional fraud-detection mechanisms.

According to researchers at F5 Labs, that’s the case with the TrickBot banking Trojan, which is heavily targeting financial institutions like private banks and wealth-management firms that cater to high net worth individuals and corporate clients.


F5 Labs, part of networking systems supplier F5 Networks, has been monitoring the fast-evolving TrickBot campaigns for the past few months. One of the patterns researchers observed in one of the most recent campaigns is that 50 of the 177 financial institutions targeted were specialty private and public firms like wealth-management services, retirement and investment firms, and banks with commercial accounts.

Sara Boddy, F5 Labs lead

Sara Boddy, F5 Labs lead, says that traditional retail banks that cater to the general public use fraud detection techniques. For example, if a customer’s U.S. transaction is immediately followed by an attempted wire transfer originating overseas, that transaction would get flagged.

The rich are different

Wealthy and corporate clients, on the other hand, may have multiple account users who are conducting high-dollar transactions around the world. For those institutions, “it becomes harder to implement those basic fraud-detection controls,” Boddy says.

“Attackers probably know that, and that’s probably a reason they’re targeting these private banking firms,” she says.
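The geo-velocity rule Boddy describes, and the reason it breaks down for accounts with several authorized users, as an added illustration that is not part of the original article or of F5 Labs’ research. The transaction records are constructed sample data; the per-user refinement is an assumption about how such a control could be adapted, not something the article states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    account: str
    user: str       # authorized user who initiated the transaction
    when: datetime
    country: str    # country the session originated from
    kind: str       # "card" or "wire"
    amount: float

def geo_velocity_flags(txns, window=timedelta(hours=1), per_user=False):
    """Return wires that originate from a different country than the
    previous transaction within `window`. Keyed per account (the basic
    retail rule from the article) or, with per_user=True, per account
    and user (an assumed refinement for multi-user corporate accounts)."""
    last = {}
    flagged = []
    for t in sorted(txns, key=lambda x: x.when):
        key = (t.account, t.user) if per_user else t.account
        prev = last.get(key)
        if (prev is not None and t.kind == "wire"
                and t.country != prev.country
                and t.when - prev.when <= window):
            flagged.append(t)
        last[key] = t
    return flagged

T0 = datetime(2017, 6, 1, 9, 0)
# Constructed sample: one retail customer, a U.S. card purchase followed
# minutes later by a wire attempt from overseas ("ZZ" is a placeholder code).
RETAIL = [
    Txn("retail-1", "alice", T0, "US", "card", 42.00),
    Txn("retail-1", "alice", T0 + timedelta(minutes=5), "ZZ", "wire", 9500.00),
]
# Constructed sample: one corporate account, three authorized users each
# legitimately wiring from their own region within the same hour.
CORPORATE = [
    Txn("corp-7", "cfo-us", T0, "US", "wire", 250000.00),
    Txn("corp-7", "treasurer-uk", T0 + timedelta(minutes=20), "GB", "wire", 180000.00),
    Txn("corp-7", "treasurer-sg", T0 + timedelta(minutes=40), "SG", "wire", 90000.00),
]

if __name__ == "__main__":
    print("retail flagged:", [t.user for t in geo_velocity_flags(RETAIL)])
    print("corporate, per-account rule:", [t.user for t in geo_velocity_flags(CORPORATE)])
    print("corporate, per-user rule:", [t.user for t in geo_velocity_flags(CORPORATE, per_user=True)])
```

The per-account rule catches the retail anomaly but also flags two legitimate corporate wires; keying on the individual user removes those false positives while keeping the retail detection intact.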

TrickBot uses malvertising and phishing to get users to install malware on their computers. From there, harvested credentials are used to access accounts for activity such as large wire transfers.

These kinds of campaigns can continue for years. “So they (the bad guys) can get millions and millions of dollars. It’s a very lucrative business,” Boddy says.

If it works, don’t fix it

While the TrickBot campaign has evolved quickly—going through five or six new configurations in just a month and a half—the targets have remained consistent. F5 Labs found that most of the targeted URLs are the same ones once targeted by Dyre, which is believed to be a predecessor to TrickBot.

“If they’ve always been targeting specific users like private banks that are hard to do fraud detection on, maybe they continue to do the same thing because it’s working,” Boddy says.

While these campaigns are targeting primarily European institutions—many of them in the U.K. and Sweden—it’s notable that PayPal is among the targets. Boddy thinks that’s likely because users now keep money in their accounts, and wire transfers are a common PayPal transaction that wouldn’t be flagged.

While researchers can only speculate why the campaign is focused on Europe, the threat is still global.

“This [list] just happens to be part of the TrickBot authors’ attack plan,” Boddy says. “This attack pattern can happen to any bank.”

Malware getting more sophisticated

Ed Cabrera, chief cybersecurity officer with Trend Micro, says the common pattern is the increasing complexity and capability of the banking Trojans. The criminal underground, he says, uses collective intelligence capability to improve the malware and the attack methods.

“The advanced malware that we’re seeing today is highly modular and can be tailored quite easily,” he says.

In a “crime-as-a-service” model of sorts, the malware creators can customize the payload and the outcome based on the needs of their “customers.”

“They understand the criminal consumer, so to speak,” Cabrera says.

In another example of how quickly threats evolve, Trend Micro recently discovered a new attack vector for the GootKit Trojan—it can drop a Trojan when users simply hover over hyperlinked text and images in PowerPoint. The malware is delivered via spam email that masquerades as a purchase order or invoice, which indicates it’s targeting businesses rather than individual consumers.

Mouse-over threat emerges

This is believed to be the first instance of malware that uses the mouse-over method, although GootKit (also known as OTLARD) has been around for five years.

The campaign Trend Micro observed was affecting a cross-section of industries like education, manufacturing and logistics. But traditionally, GootKit had been used for harvesting banking credentials, targeting European financial institutions.

“The mouse-over capability is quite unique because what we tell everyone is not to click on a link or attachment if you feel even remotely suspicious of that email,” Cabrera says.

Hovering over a link or image, on the other hand, is generally considered safe.

“Going deeper and having that [new] capability to be able to infect those intended targets is quite telling,” he says.

Cabrera says that despite its cyber maturity, the sector is still vulnerable because it relies on defense models that are reactive—focusing on incident response rather than threat response.

“They have to be proactive in developing ways to go after and prevent these types of attacks,” he says. “They need to build hunter teams that can not only find the tactics and strategies that the cyber criminals use within the criminal underground, but also identify their own [organizations’] vulnerabilities.”
