FBI Issues Fraud Alert – Bank Cyber Security

September 24, 2012

Last week, we wrote about a cyber attack on Bank of America. The FBI, in association with the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3), has issued a Fraud Alert which provides more details about the attacks.

FBI Bank Cyber Fraud Alert

The Fraud Alert provides details on the attack methods:

The actor(s) primarily used spam and phishing e-mails to target their victims. Once compromised, keyloggers and RATs installed on the financial institution employee’s computer provided the actor(s) with complete access to internal networks and logins to third party systems. Variants of ZeuS malware were used to steal the employee’s credentials in a few reported incidents.

In some instances, the actor(s) stole multiple employee credentials or administrative credentials to third party services and were able to circumvent authentication methods used by the financial institution(s) to deter fraudulent activity. This allowed the intruders to handle all aspects of a wire transaction, including the approval.

The unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours using the stolen financial institution employees’ credentials. These logins allowed the actor(s) to obtain account transaction history, modify or learn institution specific wire transfer settings, and read manuals providing information and training on the use of US payments systems.

In at least one instance, actor(s) browsed through multiple accounts, apparently selecting the accounts with the largest balance.
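The pattern the alert describes, logins outside business hours followed by wire-setting changes or approvals, is something a bank can check for in its own authentication and application logs. The script below is an added example written for this page, not code from the FBI, FS-ISAC or Iconix; the pipe-separated log format, the 08:00 to 18:00 weekday business window, the action names and the log lines themselves are all constructed assumptions. It groups events into sessions that begin with a login, flags sessions opened off hours, and lists the sensitive actions taken in each, plus any source address shared by more than one user (the alert notes that multiple employees' credentials were stolen).

```python
"""Flag off-hours employee logins and the sensitive actions taken in those
sessions.  Added example with constructed data; the log format and the
business-hours window are assumptions, not the alert's specification."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, one event per line: timestamp|user|action|detail
SAMPLE_LOG = """\
2012-09-10T09:15:00|jdoe|login|src=10.1.4.22
2012-09-10T09:30:12|jdoe|view_history|acct=...1234
2012-09-10T22:47:03|jdoe|login|src=10.1.9.77
2012-09-10T22:51:40|jdoe|view_history|acct=...5678
2012-09-10T23:02:11|jdoe|modify_wire_settings|limit=raised
2012-09-11T01:12:55|asmith|login|src=10.1.9.77
2012-09-11T01:20:00|asmith|approve_wire|amount=480000
2012-09-11T10:05:00|asmith|login|src=10.1.4.30
"""

BUSINESS_START = time(8, 0)   # assumed business window, local time
BUSINESS_END = time(18, 0)
# Actions an intruder with stolen credentials would need for a wire fraud
SENSITIVE = {"modify_wire_settings", "initiate_wire", "approve_wire"}


def parse_log(text):
    """Return a list of (timestamp, user, action, detail) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, action, detail))
    return events


def is_off_hours(ts):
    """True on weekends or outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def off_hours_sessions(events):
    """Group events into per-user sessions opened by a login; return the
    sessions that began off hours, each with its list of sensitive actions."""
    sessions = {}          # user -> the user's most recent session
    flagged = []
    for ts, user, action, detail in sorted(events):
        if action == "login":
            sess = {"user": user, "start": ts, "src": detail, "sensitive": []}
            sessions[user] = sess
            if is_off_hours(ts):
                flagged.append(sess)
        elif user in sessions and action in SENSITIVE:
            sessions[user]["sensitive"].append(action)
    return flagged


def shared_sources(sessions):
    """Map source address -> set of users, keeping only addresses used by
    more than one user (one machine driving several stolen logins)."""
    by_src = defaultdict(set)
    for s in sessions:
        by_src[s["src"]].add(s["user"])
    return {src: users for src, users in by_src.items() if len(users) > 1}


if __name__ == "__main__":
    flagged = off_hours_sessions(parse_log(SAMPLE_LOG))
    for s in flagged:
        print(f"{s['start']} {s['user']:8} {s['src']:16} {s['sensitive']}")
    print("shared sources:", shared_sources(flagged))
```

Off-hours activity alone is not proof of fraud (staff do work late), which is why the report pairs it with the sensitive actions and the shared source address; a rule that pages someone only when an off-hours session also touches wire settings or approvals produces far fewer false alarms than one on the login time by itself.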

This cyber attack is very successful in stealing money,  failing only when the attackers entered the wrong bank account numbers.  Jaikumar Vijayan, writing in Computerworld notes that this attack is different from previous attacks that stole customer funds.  In previous attacks, the criminals used credentials stolen from the customers; in this attack, the credentials were stolen from the banks.

In order to distract bank personnel from discovering the fraudulent transfers in time to stop them, the attackers sometimes used denial of service attacks before or after the fraudulent transfers.  The attackers used Dirtjumper, commercial crimeware that can be purchased on criminal forums for $200.

The alert lists 17 specific actions that can be taken to thwart this attack. While these 17 actions are all sound advice, the point of attack — deceiving bank personnel with fake emails — is addressed with this advice:

Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited e-mails

Regrettably, the bad guys know that employees are trained to avoid unsolicited emails.  That is why, as Fox reported, the attack includes fake emails that masquerade as bank administrators. How can employees distinguish between real and fake internal emails? Being aware of the danger does not help the employee make this distinction. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.


Bank of America Hit In Spearphishing Attack

September 20, 2012

Fox Business News is reporting that cyber hackers, apparently from Eastern Europe, are stealing money from Bank of America customer accounts in coordinated cyberattacks.  The hackers use spearphishing emails to steal employee credentials.  Using the stolen credentials they steal customers’ money.  They then send fake emails posing as bank administrators approving the wrongful transfers.  Finally, the hackers mount a denial of service attack on the bank’s website as a distraction, to stop the bank from catching the fake wire transfers.  In some instances the criminals have stolen up to $1,000,000.

You can view the news report here:

How can a spearphishing attack be prevented?  What is needed is a method to deprive the attacker of his ability to deceive. Spearphishers deceive by masquerading as trusted senders.  At Iconix we identify trusted senders. Our identification system makes it easy for users to distinguish trusted senders from attackers masquerading as trusted senders.  SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.


Nitro Spearphishing Attacks Resume

September 14, 2012

In October of 2011 Symantec discovered the Nitro Attacks, a series of spearphishing emails that installed command and control software to steal intellectual property from chemical companies.

Symantec is now reporting on a new series of Nitro Attacks.  In the first round of Nitro Attacks, the hackers sent highly targeted emails which delivered a malicious attachment.  Symantec has found:

In these latest attacks, the attackers have developed a somewhat more sophisticated technique. They are using a Java zero-day, hosted as a .jar file on websites, to infect victims. As in the previous documented attacks, the attackers are using Backdoor.Darkmoon, re-using command-and-control infrastructure, and even re-using file names such as “Flash_update.exe”.  It is likely that the attackers are sending targeted users emails containing a link to the malicious jar file. The Nitro attackers appear to be continuing with their previous campaign.

Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.


FireEye Reports on Advanced Threats

September 7, 2012

On September 4,  2012, FireEye released its Advanced Threat Report 1H 2012.  The report had five key findings.

  1. The amount of malware that is bypassing traditional malware defenses is exploding.
  2. Some industries are being attacked more than others.
  3. Email based attacks use both malicious attachments and malicious links, favoring the methods that most effectively evade detection at any given time.
  4. The use of throw-away domains to send spearphishing emails is becoming the prevalent attack profile.
  5. Cybercriminals are changing the malware delivered in malicious attachments more quickly in order to avoid detection.

While all of these trends are alarming, let us focus on the fourth trend — the use of throw-away domains.


The predominant email attack profile is now a single-use domain created specifically for that attack. This method of attack renders reputation and blacklist based defenses useless because the attacking domain — having been created for the attack and then abandoned — will not have a reputation and will not be on any blacklists.
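A defense that does not depend on a domain's reputation can instead ask the opposite question: does this sender domain have any history with us at all? The script below is an added example written for this page; it is not SP Guard, FireEye code, or any vendor's product. It assumes a mail gateway that records when each sender domain was first seen and reports whether the message passed sender authentication (such as SPF or DKIM), and the trusted domains, the first-seen baseline and the sample messages are all constructed. A message is classified as trusted only if it comes from an internal domain and authenticated; an internal domain that fails authentication is treated as a spoof (the "fake emails posing as bank administrators" above), a domain within a couple of character edits of an internal one is a look-alike, a domain never seen before is the throw-away pattern, and a domain first seen only days ago is treated with the same suspicion.

```python
"""Classify inbound mail by sender-domain history rather than reputation.
Added example with constructed data; the trusted domains, first-seen
baseline and authentication flag are assumptions about the gateway."""
from datetime import date
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplebank.com", "examplebank-it.com"}   # assumed internal domains
# Constructed baseline: sender domain -> date the gateway first saw it
FIRST_SEEN = {
    "examplebank.com": date(2005, 1, 1),
    "vendor.example": date(2010, 3, 4),
    "news.example": date(2012, 9, 1),
}
MIN_HISTORY_DAYS = 30     # assumed: younger relationships get the "new" label
LOOKALIKE_MAX_EDITS = 2   # assumed tolerance for typo-squatted internal domains


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header, auth_pass, today):
    """Return (label, reason) for one message.
    auth_pass: whether the gateway's SPF/DKIM check passed for the sender domain."""
    dom = sender_domain(from_header)
    if dom is None:
        return "reject", "unparseable sender address"
    if dom in TRUSTED_DOMAINS:
        if auth_pass:
            return "trusted", dom
        return "spoofed-internal", f"{dom} claimed but not authenticated"
    for t in TRUSTED_DOMAINS:
        if edit_distance(dom, t) <= LOOKALIKE_MAX_EDITS:
            return "lookalike", f"{dom} resembles {t}"
    first = FIRST_SEEN.get(dom)
    if first is None:
        return "unknown", f"{dom} never seen before"
    age = (today - first).days
    if age < MIN_HISTORY_DAYS:
        return "new", f"{dom} first seen {age} days ago"
    return "known", f"{dom} first seen {first.isoformat()}"


# Constructed sample messages: (From header, authenticated?)
SAMPLES = [
    ("IT Admin <admin@examplebank.com>", True),
    ("IT Admin <admin@examplebank.com>", False),
    ("IT Admin <admin@examp1ebank.com>", False),
    ("Wire Desk <alerts@qz7k-mail-notify.example>", False),
    ("Newsletter <news@news.example>", True),
    ("Orders <orders@vendor.example>", True),
]


def classify_all(samples, today):
    return [classify(hdr, auth, today)[0] for hdr, auth in samples]


if __name__ == "__main__":
    for (hdr, auth), label in zip(SAMPLES, classify_all(SAMPLES, date(2012, 9, 7))):
        print(f"{label:17} {hdr}")
```

The first-seen baseline is the part that does the work: a domain registered for one campaign and abandoned afterwards has no blacklist entry, but it also has no history with the recipient, and that absence is visible on the recipient's side without any outside reputation feed. Authentication is still needed for the "trusted" branch, because the From: header by itself can be forged to show any domain.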

How can you defend against a domain that evades reputation and blacklist defenses?  By adopting SP Guard from Iconix.  SP Guard provides the ability to distinguish real email from spearphishing attacks using methods that do not rely on reputation or blacklists.  Click here to learn more. You can contact us at 408-727-6342, ext 3 or use our online form.