A group of cybercriminals has developed a successful attack on banks that is helping them funnel millions of dollars from accounts of their choosing rather than targeting individual customers. By taking over a privileged user account with access to the payment switch used to carry out wire transfers, the hackers can exercise full administrative control over transfers and take as much money as they can get away with unnoticed, according to Gartner analyst Avivah Litan.
Such heists have unfolded over the past few months, masked by low-level distributed denial-of-service attacks meant to divert attention, Litan recently told SCMagazine.com. The attacks are not related to a string of hacktivism-oriented DDoS attacks last fall, but are rather entirely financially motivated. The total amount of losses incurred so far “added up to millions [lost] across the three banks,” she said, declining to identify the banks in question.
Most financially motivated digital attacks target banking customers, typically stealing their login credentials and siphoning money out of their accounts. This attack, however, directly targeted the banks, and it could ultimately result in greater losses to the companies, Litan told SCMagazine.com.
Carrying out the attacks
The incidents are also notable in their use of DDoS attacks to mask what was actually happening, Litan wrote in a blog post. By carrying out a persistent attack on the bank, the hackers were able to ensure their actions went unnoticed for longer.
“Once the DDoS is underway, this attack involves takeover of the payment switch (e.g. wire application) itself via a privileged user account that has access to it,” Litan wrote. “Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.”
It remains unclear how the hackers gained access to the wire payment switch in the first place, but phishing emails containing malware designed to steal employee credentials are likely to blame, SCMagazine.com reported. The attacks closely resemble a series of incidents on which the FBI, the Financial Services Information Sharing and Analysis Center and the Internet Crime Complaint Center issued an alert last fall.
In those cases, cybercriminals used Dirt Jumper, a $200 crimeware kit, to carry out DDoS attacks while attempting transfers of amounts ranging from $180,000 to $2.1 million. Through the use of remote access trojans and keystroke loggers, the attackers were able to obtain administrative credentials that gave them access rights to handle all aspects of wire transfers, permissions similar to the ones exploited in this most recent incident, SCMagazine.com noted.
“In at least one instance, actor(s) browsed through multiple accounts, apparently selecting the accounts with the largest balance,” the FBI report stated.
Preventing switch attacks
Litan recommended that banks respond to this attack trend by decreasing the speed with which transfers are performed while the institution is experiencing a DDoS attack. Such times are the most likely to coincide with fraudulent activity, Limor Kessem, a cybercrime expert at RSA FraudAction Research Lab, told SCMagazine.com.
“The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first,” she explained. “That’s when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.”
Another useful prevention strategy is to restrict access to wire switches further in the first place, the FBI alert noted. By limiting wire transfers to specific time windows and to specific machines, financial institutions might be able to reduce the effectiveness of a remote attack. Additionally, wire switches could be coded to include automated alerts for anomalous or large transfers.
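The controls listed above (slowed release during a DDoS, a permitted time window, a list of permitted originating machines, and alerts on large or anomalous activity) combined into one wire-release policy check, as an added example written for this article rather than code from any bank, vendor or the FBI. The host names, window, thresholds and hold period are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed policy values for illustration; none of these figures come from the article.
ALLOWED_HOSTS = {"wire-ws-01", "wire-ws-02"}        # hardened workstations allowed to initiate wires
WINDOW_START, WINDOW_END = time(8, 0), time(17, 0)  # release window for wires, local bank time
LARGE_AMOUNT = 100_000.00                           # single-transfer amount that always raises an alert
MAX_ACCOUNTS_PER_DAY = 25                           # distinct source accounts one operator may debit per day
DDOS_HOLD_HOURS = 4                                 # mandatory review delay while the bank is under DDoS

@dataclass
class WireRequest:
    operator: str
    source_host: str
    amount: float
    submitted_at: str                 # ISO-8601 timestamp, e.g. "2013-02-05T10:15:00"
    accounts_debited_today: int = 0   # distinct accounts this operator has already debited today

@dataclass
class Decision:
    action: str                       # "release", "hold" (manual review) or "deny"
    alerts: list = field(default_factory=list)

def evaluate_wire(req: WireRequest, under_ddos: bool) -> Decision:
    """Apply the controls the article lists: host restriction, time window,
    alerts on large or anomalous activity, and slowed release during a DDoS."""
    # Hard deny: a wire may only be initiated from a designated workstation.
    if req.source_host not in ALLOWED_HOSTS:
        return Decision("deny", [f"host {req.source_host!r} is not permitted to initiate wires"])
    alerts = []
    t = datetime.fromisoformat(req.submitted_at).time()
    if not (WINDOW_START <= t <= WINDOW_END):
        alerts.append(f"submitted at {t.strftime('%H:%M')}, outside the wire window")
    if req.amount >= LARGE_AMOUNT:
        alerts.append(f"large transfer: {req.amount:,.2f} >= {LARGE_AMOUNT:,.2f}")
    # One operator sweeping many accounts in a day is the pattern the FBI alert describes.
    if req.accounts_debited_today >= MAX_ACCOUNTS_PER_DAY:
        alerts.append(f"operator {req.operator} already debited {req.accounts_debited_today} accounts today")
    # Under DDoS nothing is released immediately; every wire waits for review.
    if under_ddos:
        alerts.append(f"DDoS in progress: release delayed {DDOS_HOLD_HOURS}h pending review")
    return Decision("hold" if alerts else "release", alerts)
```

Any alert moves the wire from automatic release to a manual hold, so a compromised privileged account still cannot move money silently while the DDoS is underway.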
One way to build in better protections against such attacks is through the use of source code analysis to reduce the likelihood of exploitable vulnerabilities reaching release in such sensitive systems. Using tools such as static analysis software, organizations can catch exploitable flaws and potentially prevent millions of dollars in losses due to fraudulent activity.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.