Small banks, credit unions on front lines of cybersecurity war


Cyber criminals who specialize in stealing from online accounts are increasingly taking aim at specific financial institutions, especially small banks and credit unions. Attackers also are directly targeting the business customers these local institutions cater to.

That’s a distinct shift from five years ago when individual online banking customers were the prime target.

This development has been confirmed in a number of detailed reports on the modus operandi of criminal hacking groups targeting financial institutions of all sizes.


“Attackers today are increasingly targeting the banking or financial institutions directly for quicker, larger gain,” says Corey Nachreiner, director of security strategy at Watchguard, a network security firm.

On the cutting edge is a gang using a version of the “Bugat” banking trojan. Some researchers refer to Bugat as “Dridex.” This particular gang has tuned Bugat to seek out Automated Clearing House (ACH) payment systems long used by banks to execute wire transfers of large sums of cash to and from commercial customers.

Researchers at Dell SecureWorks have discovered copies of Bugat collecting account names and numbers, passwords and PINs from the ACH accounts of commercial customers of small- and mid-sized financial institutions. Such data can put the attackers in position to set in motion six- and seven-figure wire transfers from the accounts of commercial clients.

Rich pool of easy targets

The commercial customers of smaller banks and credit unions are being targeted because together they comprise a pool of thousands of comparatively poorly defended targets. What’s more, the attackers have mastered the use of networks of compromised computers—referred to as botnets—to automate attacks against the smaller financial companies.

Jeff Williams, director of security strategy at Dell SecureWorks

“What we’re seeing is a push down into the small banking space,” says Jeff Williams, director of security strategy for the Dell SecureWorks CTU research team. “The criminals responsible are looking at new targets that may not have the same levels of security personnel and anti-fraud systems as the big banks. So they see greener targets and a higher chance of success.”

Dell SecureWorks is actively following the escapades of this particular Bugat gang. A report on trojans such as Bugat/Dridex that target the banking industry is forthcoming later this month at the RSA cybersecurity conference in San Francisco.

ThirdCertainty has learned that Dell SecureWorks will disclose details of how cybercriminals are using botnets to target attacks against traditional banking websites, and harvest data which can facilitate schemes to tap into ACH systems used in the U.S. and Single Euro Payments Area (SEPA) systems used in Europe. Financial institutions rely on ACH and SEPA to carry out credit transfers and handle transactions for corporate bank accounts and payroll systems.

Over the past few years banking botnets have become more widespread, resilient and evasive, integrating multiple back-up solutions in order to stay active even after a bank’s defensive technologies knock down a command-and-control server.

Bugat/Dridex first appeared in January 2010 and has steadily advanced in sophistication since then. Dell SecureWorks is tracking the fifth generation of this malware family, each possessing a distinct message data structure and encryption scheme.

Trojan leaves some SMBs in Dyre straits

Meanwhile, IBM Security recently reported details of the clever innovation implemented by a gang leveraging the Dyre banking trojan. The so-called Dyre Wolf gang has been taking aim at small and mid-size businesses, doing intelligence gathering to figure out who the SMBs bank with and what kind of transactions they do online. The gang then uses a combination of techniques to trigger wire transfers of $500,000 to $1 million.

Starting last year, these criminals began targeting people working in certain companies and sending them phishing emails crafted to get them to click on an attachment carrying a variant of the Dyre malware.

Dyre stays dormant until the victim navigates to a bank website. It then loads a spoofed page with a faked alert that the bank’s site is having problems. The victim is then instructed to call the displayed phone number.

An English-speaking operator—part of the criminal gang—is standing by with a script to talk the victim into divulging account details needed to quickly trigger a large wire transfer.


IBM Security’s disclosure of the Dyre Wolf ring’s modus operandi followed helpful details disclosed by Kaspersky Lab of a gang making hay with the Carbanak banking trojan. The Carbanak gang has pilfered an estimated $1 billion from more than 100 banks globally, including smaller U.S. financial institutions.

The Carbanak gang patiently conducted methodical hacking techniques, commonly used in cyber espionage, to penetrate the networks of targeted banks. That put them in position to reprogram servers, and do things like remotely triggering ATMs to spit out cash into the hands of accomplices.

Even the most sophisticated attacks often begin with tricking a specific bank employee or bank customer to fall for a phishing ruse. However, another shift taking place is the automation of attacks against the Web applications of smaller financial institutions, says Stephen Pao, security business general manager at next generation firewall vendor Barracuda Networks.

“Web applications really tend to be a particular area of weakness for smaller financial services companies,” Pao says.

Cyber attackers will exploit weak security

If the latest website feature that a local bank or credit union may roll out as a customer convenience has any security flaws, you can be sure an attacker will quickly find it and exploit it.

“Maybe you decide to add some feature to your loyalty program for marketing reasons,” Pao says. “An attacker will try to leverage the fact that there may be some shared database objects between critical customer data, like Social Security numbers or account numbers. They will try to take advantage of a weak application that shares access to a database holding critical data.”

This shift of criminal focus puts a burden on smaller financial companies to pay closer heed to customer security and privacy, especially as more banking services move into the Internet cloud and mobile payments. Here are three basic approaches to better security:

Know your systems. Obtain working knowledge of all software applications used to conduct banking services. Stay current on all security patches. “If you don’t know what systems you have, what versions of software you’re running, it’s very, very difficult to know where your weaknesses are,” says Williams, of Dell SecureWorks.

Be alert for transaction anomalies. This requires good system knowledge. “If you see a large data transfer to a site where you’ve never seen that before, or a wire transfer that’s not normal, that should raise alarm bells and you should begin an investigation,” Williams says.

Err toward being secure. Two-factor authentication reduces convenience, but big banks routinely require proof of identity beyond username and password for high-net-worth clients to conduct high-dollar transactions. Smaller institutions should at least consider disabling wire transfer capability for all new online accounts, forcing the customer to take a proactive step to enable this service. Many routinely enable wire transfers automatically, making it easier for an attacker.
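As an added illustration of the last two points above (not code from the article or any vendor named in it), here is a minimal screen that holds an outbound wire for review when the account has not opted in to wire transfers, when the beneficiary has never been paid before, or when the amount sits far outside the account's own history. The account profiles, beneficiary names and amounts are constructed sample data.

```python
"""Added example: hold-for-review screen for outbound wire transfers.

Encodes three of the article's defensive points: wires are off by default
for new accounts, a never-before-seen beneficiary is suspicious, and an
amount far above the account's own baseline is "a wire transfer that's
not normal". All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class AccountProfile:
    wires_enabled: bool = False            # default OFF: customer must opt in
    known_beneficiaries: set = field(default_factory=set)
    past_amounts: list = field(default_factory=list)  # prior approved wires


def screen_wire(profile: AccountProfile, beneficiary: str, amount: float) -> list:
    """Return the reasons this wire should be held for review (empty = release)."""
    reasons = []
    if not profile.wires_enabled:
        reasons.append("wire transfers not enabled for this account")
    if beneficiary not in profile.known_beneficiaries:
        reasons.append("first transfer to this beneficiary")
    if len(profile.past_amounts) >= 5:
        # Enough history: flag anything more than 3 sigma above the mean.
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if amount > mu + 3 * max(sigma, 1.0):
            reasons.append(f"amount {amount:.2f} far above baseline mean {mu:.2f}")
    elif amount > 10_000:
        # Too little history to build a baseline: hold any large wire.
        reasons.append("insufficient history for an amount this large")
    return reasons


# Constructed sample profiles: an established commercial account and a new one.
ESTABLISHED = AccountProfile(
    wires_enabled=True,
    known_beneficiaries={"PAYROLL-VENDOR-01"},
    past_amounts=[2500, 3100, 2800, 2950, 3300],
)
NEW_ACCOUNT = AccountProfile()   # wires disabled, no history


if __name__ == "__main__":
    print("routine payroll:", screen_wire(ESTABLISHED, "PAYROLL-VENDOR-01", 3000))
    print("six-figure to new payee:", screen_wire(ESTABLISHED, "ACCT-UNKNOWN-99", 650_000))
    print("new account:", screen_wire(NEW_ACCOUNT, "ACCT-UNKNOWN-99", 4500))
```

Each non-empty result is a trigger to open the investigation Williams describes, not an automatic block; a human still decides whether the wire is legitimate.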
