Small banks, credit unions on front lines of cybersecurity war
By Byron Acohido, ThirdCertainty
Cyber criminals who specialize in stealing from online accounts are increasingly taking aim at specific financial institutions, especially small banks and credit unions. Attackers also are directly targeting the business customers these local institutions cater to.
That’s a distinct shift from five years ago when individual online banking customers were the prime target.
This development has been confirmed in a number of detailed reports on the modus operandi of criminal hacking groups targeting financial institutions of all sizes.
“Attackers today are increasingly targeting the banking or financial institutions directly for quicker, larger gain,” says Corey Nachreiner, director of security strategy at Watchguard, a network security firm.
On the cutting edge is a gang using a version of the “Bugat” banking trojan. Some researchers refer to Bugat as “Dridex.” This particular gang has tuned Bugat to seek out Automated Clearing House (ACH) payment systems long used by banks to execute wire transfers of large sums of cash to and from commercial customers.
Researchers at Dell SecureWorks have discovered copies of Bugat collecting account names and numbers, passwords and PINs from the ACH accounts of commercial customers of small- and mid-sized financial institutions. Such data can put the attackers in position to set in motion six- and seven-figure wire transfers from the accounts of commercial clients.
Rich pool of easy targets
The commercial customers of smaller banks and credit unions are being targeted because together they comprise a pool of thousands of comparatively poorly defended targets. What’s more, the attackers have mastered the use of networks of compromised computers—referred to as botnets—to automate attacks against the smaller financial companies.
“What we’re seeing is a push down into the small banking space,” says Jeff Williams, director of security strategy for Dell SecureWorks CTU research team. “The criminals responsible are looking at new targets that may not have the same levels of security personnel and anti-fraud systems as the big banks. So they see greener targets and a higher chance of success.”
Dell SecureWorks is actively following the escapades of this particular Bugat gang. A report on trojans such as Bugat/Dridex that target the banking industry is forthcoming later this month at the RSA cybersecurity conference in San Francisco.
ThirdCertainty has learned that Dell SecureWorks will disclose details of how cybercriminals are using botnets to target attacks against traditional banking websites and harvest data that can facilitate schemes to tap into ACH systems used in the U.S. and Single Euro Payments Area (SEPA) systems used in Europe. Financial institutions rely on ACH and SEPA to carry out credit transfers and handle transactions for corporate bank accounts and payroll systems.
Over the past few years banking botnets have become more widespread, resilient and evasive, integrating multiple back-up solutions in order to stay active even after a bank’s defensive technologies knock down a command-and-control server.
Bugat/Dridex first appeared in January 2010 and has steadily advanced in sophistication since then. Dell SecureWorks is tracking the fifth generation of this malware family, each generation possessing a distinct message data structure and encryption scheme.
Trojan leaves some SMBs in Dyre straits
Meanwhile, IBM Security recently reported details of the clever innovation implemented by a gang leveraging the Dyre banking trojan. The so-called Dyre Wolf gang has been taking aim at small and mid-size businesses, doing intelligence gathering to figure out who the SMBs bank with and what kind of transactions they do online. The gang then uses a combination of techniques to trigger wire transfers of $500,000 to $1 million.
Starting last year, these criminals began targeting people working in certain companies and sending them phishing emails crafted to get them to click on an attachment carrying a variant of the Dyre malware.
Dyre stays dormant until the victim navigates to a bank website. It then loads a spoofed page with a faked alert that the bank’s site is having problems. The victim is then instructed to call the displayed phone number.
An English-speaking operator—part of the criminal gang—is standing by with a script to talk the victim into divulging account details needed to quickly trigger a large wire transfer.
IBM Security’s disclosure of the Dyre Wolf ring’s modus operandi followed helpful details disclosed by Kaspersky Lab of a gang making hay with the Carbanak banking trojan. The Carbanak gang has pilfered an estimated $1 billion from more than 100 banks globally, including smaller U.S. financial institutions.
The Carbanak gang patiently employed methodical hacking techniques, commonly used in cyber espionage, to penetrate the networks of targeted banks. That put them in position to reprogram servers and do things like remotely triggering ATMs to spit out cash into the hands of accomplices.
Even the most sophisticated attacks often begin with tricking a specific bank employee or bank customer to fall for a phishing ruse. However, another shift taking place is the automation of attacks against the Web applications of smaller financial institutions, says Stephen Pao, security business general manager at next generation firewall vendor Barracuda Networks.
“Web applications really tend to be a particular area of weakness for smaller financial services companies,” Pao says.
Cyber attackers will exploit weak security
If the latest website feature that a local bank or credit union rolls out as a customer convenience has any security flaws, you can be sure an attacker will quickly find and exploit them.
“Maybe you decide to add some feature to your loyalty program for marketing reasons,” Pao says. “An attacker will try to leverage the fact that there may be some shared database objects between critical customer data, like Social Security numbers or account numbers. They will try to take advantage of a weak application that shares access to a database holding critical data.”
This shift of criminal focus puts a burden on smaller financial companies to pay closer heed to customer security and privacy, especially as more banking services move to the cloud and mobile payments. Here are three basic approaches to better security:
Know your systems. Obtain working knowledge of all software applications used to conduct banking services. Stay current on all security patches. “If you don’t know what systems you have, what versions of software you’re running, it’s very, very difficult to know where your weaknesses are,” says Williams, of Dell SecureWorks.
Be alert for transaction anomalies. This requires good system knowledge. “If you see a large data transfer to a site where you’ve never seen that before, or a wire transfer that’s not normal, that should raise alarm bells and you should begin an investigation,” Williams says.
Err toward being secure. Two-factor authentication reduces convenience, but big banks routinely require proof of identity beyond username and password for high-net-worth clients to conduct high-dollar transactions. Smaller institutions should at least consider disabling wire transfer capability for all new online accounts, forcing the customer to take a proactive step to enable this service. Many routinely enable wire transfers automatically, making it easier for an attacker.
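The second and third approaches above can be put into working form as a simple review rule. This is an added example, not code from the article or from any vendor it quotes: it builds a per-customer baseline from constructed transfer history, then holds a transfer for review when it goes to a destination the customer has never paid, when the amount is far above that customer's historical mean (the 3x ratio is an assumed threshold), or when the account has not yet had wire capability enabled.

```python
"""Added example: per-customer anomaly rules for outbound wire/ACH transfers.
All account names, destinations and amounts below are constructed sample data."""
from collections import defaultdict
from statistics import mean

# Constructed history: (customer, destination_account, amount_usd)
HISTORY = [
    ("acme_llc", "dest-001", 12_000), ("acme_llc", "dest-001", 11_500),
    ("acme_llc", "dest-002", 9_800),  ("acme_llc", "dest-001", 12_400),
]

def build_baseline(history):
    """Map each customer to (set of known destinations, mean historical amount)."""
    dests, amounts = defaultdict(set), defaultdict(list)
    for cust, dest, amt in history:
        dests[cust].add(dest)
        amounts[cust].append(amt)
    return {c: (dests[c], mean(amounts[c])) for c in dests}

def flag_transfer(baseline, cust, dest, amount, wire_enabled=True, ratio=3.0):
    """Return the reasons (possibly none) a transfer should be held for review.

    wire_enabled models the 'off by default for new accounts' policy: a transfer
    from an account that never opted in is always held. ratio is an assumed
    multiplier over the customer's own historical mean amount."""
    reasons = []
    if not wire_enabled:
        reasons.append("wire capability not enabled for this account")
    known, avg = baseline.get(cust, (set(), None))
    if dest not in known:
        reasons.append(f"new destination {dest}")
    if avg is None:
        reasons.append("no transfer history for customer")
    elif amount > ratio * avg:
        reasons.append(f"amount {amount} exceeds {ratio}x historical mean {avg:.0f}")
    return reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(flag_transfer(base, "acme_llc", "dest-001", 12_000))            # routine
    print(flag_transfer(base, "acme_llc", "dest-099", 750_000))           # held
    print(flag_transfer(base, "newco", "dest-500", 5_000, wire_enabled=False))
```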