Attackers Mix Online, Offline Exploits to Mask Financial Fraud
Cybercriminals split the attack cycle into pieces that may appear unrelated in order to evade detection
September 30, 2008
The most sophisticated targeted attacks aren’t all about the hack -- they start with clever reconnaissance, both online and offline, to learn as much about the victim as possible. And financial institutions are increasingly getting burnt by seemingly unrelated activities on- and offline that are blended together to execute major fraud.
It isn’t just about someone siphoning your password with a keylogger or phishing attack. Professional cybercriminals are deploying multichannel attacks that split the attack cycle into pieces that may not look like they're related -- snooping on an account online to study a banking customer’s signature and then forging that signature in a fax request to wire funds from the customer’s account to the attacker’s, for instance, says Diana Kelley, partner with Security Curve, a security consulting firm.
This combination of offline and online activity lets the attacker stay under the radar of forensics or other incident tracking, for instance by using wire transfers and ATM transactions as well, rather than a purely online transaction with a bank.
“It’s hard for financial institutions to trace [this]... [when] somebody gets into an account online and looks around for information on an account” but doesn’t actually make any transactions, Kelley says. “They can then use a lot of that information to start doing more effective offline attacks. If you know how much money a victim has in [an] account” you could withdraw that offline, says Kelley, who this week published a white paper on the subject on behalf of Guardian Analytics, which provides online fraud and risk management products.
Multichannel-type attacks are nothing new. They can also include physical security and social engineering breaches, like the brand of security assessments “red team” experts like Chris Nickerson employ for their clients. Nickerson, CEO of Lares Consulting, says you need red-team testing to get the complete security picture. (See Tiger Team Member Attacks Developers, Not Apps.)
Nickerson infiltrates the application development team in a company before ever looking at their applications for vulnerabilities. “I can get into the application from the back side while on the outside, without touching” the app, says Nickerson.
Security Curve’s Kelley, meanwhile, focused specifically on financial institutions in her research. She says a rise in offline financial fraud seemed intriguing given the rise in keyloggers and other crimeware. “Is there a tie here?” she asks. “We’ve got this increase in multichannel fraud… why are they getting on people’s systems?... It may not necessarily be to get into your account directly.”
One example of this type of attack is the Coreflood botnet Trojan, which is notorious for performing reconnaissance on its victims, she says. Coreflood has stolen user account information, Web page content, digital credentials, and browser cookies, for instance. And it made sure the server it used appeared to be from the same geographic location as the victim.
“Coreflood is trying to steal financial information, and has stayed under the radar pretty well. It’s not in-your-face sending out emails,” said Joe Stewart, director of malware research for SecureWorks, in a recent interview. Stewart, who has tracked Coreflood closely for some time, says Coreflood’s attackers know a lot about their victim, including his or her company’s name, and their Windows machine’s registration information, for instance. “They are very aware of who[m] they are infecting,” Stewart said. (See Malicious Botnet Stole Bank, Credit Union Credentials.)
Kelley says banking customers can protect themselves from these multipronged -- and often silent -- attacks with the usual best practices: updated antivirus and anti-spyware, patching your machine, and never clicking on an email purportedly from a financial institution. “And talk to your financial institution about what they are doing” for anti-fraud, she says.