Last week, we wrote about a cyber attack on Bank of America. The FBI, in association with the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3), has issued a Fraud Alert which provides more details about the attacks.
The Fraud Alert provides details on the attack methods:
The actor(s) primarily used spam and phishing e-mails to target their victims. Once compromised, keyloggers and RATs installed on the financial institution employee’s computer provided the actor(s) with complete access to internal networks and logins to third party systems. Variants of ZeuS malware were used to steal the employee’s credentials in a few reported incidents.
In some instances, the actor(s) stole multiple employee credentials or administrative credentials to third party services and were able to circumvent authentication methods used by the financial institution(s) to deter fraudulent activity. This allowed the intruders to handle all aspects of a wire transaction, including the approval.
The unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours using the stolen financial institution employees’ credentials. These logins allowed the actor(s) to obtain account transaction history, modify or learn institution specific wire transfer settings, and read manuals providing information and training on the use of US payments systems.
In at least one instance, actor(s) browsed through multiple accounts, apparently selecting the accounts with the largest balance.
This cyber attack is very successful in stealing money, failing only when the attackers entered the wrong bank account numbers. Jaikumar Vijayan, writing in Computerworld notes that this attack is different from previous attacks that stole customer funds. In previous attacks, the criminals used credentials stolen from the customers; in this attack, the credentials were stolen from the banks.
In order to distract bank personnel from discovering the fraudulent transfers in time to stop them, the attackers sometimes used denial of service attacks before or after the fraudulent transfers. The attackers used Dirtjumper, commercial crimeware that can be purchased on criminal forums for $200.
The alert lists 17 specific actions that can be taken to thwart this attack. While these 17 actions are all sound advice, the point of attack — deceiving bank personnel with fake emails — is addresses with this advice:
Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited e-mails
Regrettably, the bad guys know that employees are trained to avoid unsolicited emails. That is why, as Fox reported, the attack includes fake emails that masquerade as bank administrators. How can employees distinguish between real and fake internal emails? Being aware of the danger does not help the employee make this distinction. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. Click here to learn more. You can contact us at 408-727-6342, ext 3 or use our online form.