Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.
The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.
Over the next four business days, the thieves initiated another three fraudulent batch payments to money mules. Some transfers went to money mules who owned businesses, such as a $14,750 payment to Mission Viejo, Calif. based Art Snyder Software. Most money mules were sent payments of less than $5,000.
Pittsford town supervisor William Carpenter said the FBI is investigating the incident, and that many of the details of how the attackers got in remain unclear. He said the FBI told him the thieves most likely stole the town’s online banking password using a banking Trojan. He added that the town has recovered just $4,800 of the stolen funds, the proceeds of a single transfer. I left a message with the FBI field office in New York but haven’t yet heard back.
“We have good firewalls and anti-virus software, and we weren’t at all lax in our security systems,” Carpenter said. “We thought we were pretty secure.”
Carpenter said the fraud went undetected for days. He said the town normally does its direct deposit payroll bi-weekly on Wednesdays, and that the first fraudulent transfers happened during a non-payroll week.
The attack happened shortly after Pittsford opened an account with Canandaigua National Bank & Trust (CNB), a regional institution based in Canandaigua, N.Y. Carpenter said that prior to banking at Canandaigua, the town held its online accounts at a different bank, where all transactions had to be approved by at least two town officials. But he said the town hadn’t yet established these dual controls over their account at Canandaigua at the time of the fraud.
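The dual-control arrangement the town had at its previous bank, where at least two officials had to approve a transaction, is a simple control to model. The following is an added example written for this article, not code from the town or from either bank; the batch, the official names and the two-approver rule are constructed to show how a single stolen login is insufficient when dual control is on and sufficient when it is off.

```python
"""Dual-control release of ACH batches.

Added example, not code from the bank or the town. It models the control the
town had at its previous bank: a batch entered by one login is released only
after two other distinct officials approve it. With dual control switched
off, a single set of stolen credentials is enough to release funds."""
from dataclasses import dataclass, field


class DualControlError(Exception):
    """Raised when a batch is approved or released outside the control rules."""


@dataclass
class AchBatch:
    batch_id: str
    initiator: str            # login that entered the batch
    total_cents: int
    approvals: set = field(default_factory=set)


def is_releasable(batch: AchBatch, required: int = 2) -> bool:
    """True when at least `required` distinct officials, none of them the
    initiator, have approved the batch."""
    approvers = batch.approvals - {batch.initiator}
    return len(approvers) >= required


def approve(batch: AchBatch, official: str) -> bool:
    """Record one official's approval; returns whether the batch is now releasable.
    The initiator is rejected so that one compromised login cannot both enter
    and approve a batch."""
    if official == batch.initiator:
        raise DualControlError("initiator cannot approve their own batch")
    batch.approvals.add(official)
    return is_releasable(batch)


def release(batch: AchBatch, dual_control: bool = True) -> str:
    """Release the batch to the bank. With dual_control=False (the state the
    town's new account was in, per the article) no approval is checked."""
    if dual_control and not is_releasable(batch):
        raise DualControlError(f"batch {batch.batch_id} lacks dual approval")
    return f"released {batch.batch_id} for {batch.total_cents / 100:.2f} USD"


if __name__ == "__main__":
    # Constructed sample: a clerk enters a batch, supervisor and treasurer approve.
    batch = AchBatch("B-2011-06-01", initiator="clerk", total_cents=1_475_000)
    approve(batch, "supervisor")
    approve(batch, "treasurer")
    print(release(batch))
```

The point of the `approvals - {initiator}` set arithmetic is that approvals are counted per distinct official: the same login approving twice, or the initiator approving, never satisfies the rule, so the attacker needs more than one person's credentials.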
Carpenter said he was not fully versed in the security mechanisms in place for the bank’s commercial customers, but a review of the security procedures displayed on Canandaigua’s Web site indicates that they include a user name, a password, and a set of security questions. Customers also have the option of registering their computers, which involves downloading a CNB certificate or cookie. According to the bank’s site, “when you log in from a registered computer you are not required to answer a security question to complete the process.”
CNB spokesman Steve Martin declined to respond to any specific questions about the incident, but he confirmed the information about the bank’s authentication procedures.
The question of how far commercial banks should go to authenticate their customers was the subject of a court battle I wrote about earlier this week. The lawsuit was brought by a Maine construction firm that lost $345,000 in May 2009 when thieves used the ZeuS Trojan to steal the company’s online banking credentials and defeat their bank’s online security measures, which were eerily similar to CNB’s: passwords, secret questions and registered computers. That case also involved a series of fraudulent transfers that took place over the course of a week. A magistrate in that case issued a recommended decision earlier this month that said the bank’s security measures were sufficient to meet federal guidelines on ebanking authentication.
The proliferation of commercial banking thefts involving the ZeuS Trojan and other sophisticated attack tools underscores the asymmetry between the attackers and defenders. As I have detailed in more than 75 stories on this topic, ZeuS allows attackers to manipulate the victim’s browser and to log in to the victim’s bank account using the victim’s own PC, effectively negating any security that a device fingerprint or registered computer may provide.
Unfortunately, these attacks will continue; I’ve been in touch with three other organizations in the past week that have experienced losses from ebanking thefts but have asked not to be named. There are millions of towns, cities, nonprofits, churches and small businesses that remain dangerously exposed to this type of attack, and far too many banks that are not doing enough to educate their customers about the threat and to implement systems capable of detecting the attacks when they occur.
One additional layer of protection that most ACH professionals recommend is an out-of-band authentication method to verify outgoing wires/ACH transactions. E.g., have the customer send a fax to the bank’s bookkeeping department after initiating the transaction. Use a previously agreed upon letterhead stating the date/time/amount of the origination. Bookkeeping can then release the funds or call the customer for additional confirmation. Slower? Yes. A little more inconvenient? Yes. But perhaps a deterrent to such PC based attacks.
Out of band is good, but what you suggest with the faxes would only work with banks that have small Origination customer bases. Imagine trying to match up paper and ACH files for thousands of files a day for a semi large regional bank and it is no longer a feasible alternative.
Sometimes it is the Bank which is breached, not the customer, as in the latest news about Citi Bank … 1 % of 21 million customers is still a big #.
http://www.bankinfosecurity.com/articles.php?art_id=3730&pg=1
http://www.bankinfosecurity.com/articles.php?art_id=3724
I believe in statistics: There were too many coincidences in this case: Change of bank, not having the two-man rule in effect, using a non-payout week. I suggest someone knew exactly how and when.
So two options: Either someone from the town office or the bank was directly involved. Or someone from the outside must have spied for a long time on a relevant user machine to understand the habits of the town office.
It wasn’t insiders. I spoke with several of the money mules. They were all recruited by specific and known money mule recruitment gangs. Check out some of the other stories I’ve written on this topic. This was a textbook outsider attack that leveraged malware that lets the bad guys act as insiders.
Also, the thieves in past attacks have taken more care to case the joint before making their move. Most of the time they check out the payment and transaction history for the compromised accounts, and try to push through transactions on or around payroll day, often deleting the legitimate payroll batch before substituting their own. Why they didn’t do that in this case is beyond me. Perhaps they didn’t think anyone would notice. Turns out they were right.
How about a different bank notification policy for small businesses? Have withdrawals over $10,000 automatically texted to 5-10 people in a company 10 minutes before they are put through.
Of course, criminals would just lower the amount. Maybe the threshold could be set higher or lower depending on the size of the business. The banks would be happy because small businesses could no longer argue they had no idea the transactions were made.
Small businesses would get a double benefit. Not only could the withdrawals be stopped, but it would give them a heads up that they have malware they need to take care of.
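The threshold notification proposed in the comment above, together with the two signals the article itself gives away (the fraudulent batch went out in a non-payroll week, to recipients the town had never paid), can be expressed as a small batch review. The following is an added example, not the bank's or the town's code; the payroll anchor date, the $50,000 per-batch ceiling and the sample batches are constructed for the demonstration, while the $10,000 item threshold is the figure from the comment.

```python
"""Customer-side review of outgoing ACH batches.

Added example, not the bank's or the town's code. A batch is held for
out-of-band confirmation when it is sent off the payroll cadence, pays a
recipient never paid before, contains an item above a notification
threshold, or exceeds a per-batch total. Schedule anchor, ceilings and
sample batches are constructed for the demo."""
from datetime import date

PAYROLL_ANCHOR = date(2011, 5, 25)          # assumed: one known bi-weekly payroll Wednesday
PAYROLL_PERIOD_DAYS = 14
ITEM_THRESHOLD_CENTS = 10_000 * 100         # the $10,000 notification figure from the comment
BATCH_TOTAL_THRESHOLD_CENTS = 50_000 * 100  # assumed per-batch ceiling


def is_payroll_day(d: date) -> bool:
    """True on the bi-weekly payroll day implied by the anchor date."""
    delta = (d - PAYROLL_ANCHOR).days
    return delta >= 0 and delta % PAYROLL_PERIOD_DAYS == 0


def review_batch(batch: dict, known_payees: set) -> list:
    """Return alert strings for one batch; an empty list means nothing unusual."""
    alerts = []
    bid = batch["id"]
    if not is_payroll_day(batch["date"]):
        alerts.append(f"{bid}: sent {batch['date']}, not a payroll day")
    total = 0
    for item in batch["items"]:
        total += item["amount_cents"]
        if item["payee"] not in known_payees:
            alerts.append(f"{bid}: new payee {item['payee']!r}")
        if item["amount_cents"] > ITEM_THRESHOLD_CENTS:
            alerts.append(f"{bid}: item to {item['payee']!r} above threshold "
                          f"({item['amount_cents'] / 100:.2f} USD)")
    if total > BATCH_TOTAL_THRESHOLD_CENTS:
        alerts.append(f"{bid}: batch total {total / 100:.2f} USD above ceiling")
    return alerts


def should_hold(batch: dict, known_payees: set) -> bool:
    """Hold the batch for out-of-band confirmation if any check fired."""
    return bool(review_batch(batch, known_payees))


# Constructed sample data mirroring the article: a normal payroll batch and a
# later off-cycle batch to recipients the town had never paid.
KNOWN_PAYEES = {"employee-a", "employee-b", "employee-c"}
LEGIT_BATCH = {
    "id": "PAYROLL-0525", "date": date(2011, 5, 25),
    "items": [{"payee": p, "amount_cents": 250_000} for p in sorted(KNOWN_PAYEES)],
}
FRAUD_BATCH = {
    "id": "ACH-0601", "date": date(2011, 6, 1),
    "items": [
        {"payee": "mule-1", "amount_cents": 1_475_000},   # a $14,750 item, as in the article
        {"payee": "mule-2", "amount_cents": 480_000},
        {"payee": "mule-3", "amount_cents": 390_000},
    ],
}

if __name__ == "__main__":
    for b in (LEGIT_BATCH, KNOWN_PAYEES and FRAUD_BATCH):
        print(b["id"], "HOLD" if should_hold(b, KNOWN_PAYEES) else "ok")
        for a in review_batch(b, KNOWN_PAYEES):
            print("  ", a)
```

Note that the sub-$5,000 mule payments never trip the dollar threshold; it is the new-payee and off-cycle checks that catch them, which is why a notification policy based on amount alone (the objection raised in the same comment) is weaker than one that also looks at who is being paid and when.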
Use an Iron Key USB device with Firefox built in to only do online transactions. Banks also have the ability to do what you are talking about. That is a great idea!
I guess I’ll have to research that again; but I thought other posters here have posted links that seem to prove IronKey worthless against ZeuS variants. I’ll just have to read up on it.
We are starting to use the Iron Key USB devices with Firefox built into the shell of the USB stick. It is getting nuts out there! Thanks again Brian for great reporting!!
@ scott just wondering how do you like the ironkey device ?
As long as the banks aren’t financially responsible as long as they implement the most rudimentary security, this is going to continue. As we have seen this past week, the courts aren’t going to press it, so it is up to the legislatures to put an end to it by requiring banks to put stronger security in place or pay up. It is their system, and every single customer cannot be expected to become a security expert to connect to it.
The banks most definitely have a vested interest in fraudulent transactions that affect their customers and their balance sheet. If the bank doesn’t protect the customer then customers will / should vote with their feet.
The customer / bank relationship is a security partnership. If the bank safeguards customer funds on their end but the customer engages in online risky behaviour that leads to account compromise, why should the bank be left holding the bag?
As I posted some time past when these business intrusions began going up in numbers: The person/s responsible for banking and bookkeeping the company money should get off their lazy azz and make deposits in person. Most businesses are in close proximity to their bank or should be. Do the drive-in if they are too lazy to walk in. I’m beginning to side with the crooks.
I had visitors from Holland a couple of years ago. They were flabbergasted that we don’t have multipart authentication. When they try to use a credit card, they have to enter a number that is shown on the LCD screen of the credit card. Just like an RSA, Aladdin, or PayPal VeriSign SecurID. Yes, I know about the compromise of the RSA seed. Still, all fund transfers and logins to any type of secure site should require multipart authentication in my opinion.
Multi-factor authentication has no benefit.
If the client machine has malware, then the malware controls the transaction. Once the user logs on to the banking server, the malware can perform any action.
It seems to me that online banking is broken.
The ACH (Automated Clearing House) system can not be used safely.
You are completely incorrect.
The infected machine will not have access to the other authentication factor(s). That’s the whole POINT of multi-factor authentication.
If a PC is infected, and the username and password compromised, then the something you are and something you know are compromised. However, unless the criminal has also compromised the key fob or redirected the phone factor, they haven’t pwned the something you have.
That companies often use the same login to change the mobile device for SMS authentication that they use for regular login is a FAIL in their implementation of multi-factor, not a characteristic of the fundamental idea.
That RSA was compromised is a fail on one of the factors, but the relationship between that factor, and the other credentials, still needs to be compromised.
The complexity of gaining access to accounts is a combination of the complexities of the factors. Adding just ONE additional independent factor creates a geometric increase in difficulty of stealing the account.
The key here is INDEPENDENT. A SMS code to a phone number that can be changed from your web login to your bank account is not an independent factor.
You need to investigate the issue further.
Multi-factor authentication does not provide any security when the clients computer is controlled by malware.
The malware will “piggyback” with the client, when the client logs on to the server. The malware controls what the client sees on the client computer. This can include the logoff sequence.
What you describe is possible, but is not how these particular thefts occurred, at least from what has come out publicly. What happens in most cases is that the malware compromises the machine, giving the criminals access to keystrokes and a record of what sites were visited when, etc. The criminals then use a different computer, typically one remotely controlled, to perform the actual thefts.
Zeus and like malware steal the passwords. They don’t act as full web proxies. I’m sure there are some out there that do, and blocking hidden and anonymous proxies is an effective tool against those attacks.
Tom – Have you never heard of BackConnect? I assure you that ZeuS often does allow the criminals to proxy their connections through the victim’s machine. Certain versions of the malware come with a plugin that opens up a connection on the victim machine that connects back to an IP that the attacker controls, allowing him to remotely control the victim PC and use their Internet connection to log in to the bank’s site.
Yep, I’ve even demoed it with an SSL remote shell exploit in a SANS tutorial about SSL cloaking of attacks to avoid IDS detection years ago. Usually, it winds up being some variant of a remote desktop or VNC. The sort of stealthiness “StillFiguring” mentioned about serving up a fake logout page is much harder, and more prone to detection or error. Occam’s razor says it’s therefore less likely.
I don’t know exactly which variant was used here, but it’s simply easier, in most cases, for the miscreants to steal the credentials, and then use a different machine that they have set up as a hidden proxy to do their work through.
In any case, blocking the call home and identifying the hidden proxies are the only real effective protection. Once the initial egg gets past whatever defenses are there, the custom binary will be hard to detect for AV, and the communications channel to the controller is encrypted.
It’s not a matter of either/or, but that we have to come at this from ALL angles.
Goldi is correct – set up a PC that ONLY does these kinds of transactions. Don’t use it for ANYTHING else. It sounds hard, but you could actually do this with a Virtual Machine pretty easily. Every time you go to do something with the bank, you fire up a clean VM and do the work. When you are done, toss it out. I prefer this to the IronKey solution because while the browser is clean when you start it, it runs on a potentially infected host, not its own VM. The host can tap into everything the browser is doing. So the malware on the host just needs to infect the browser at startup, and away you go with cyber-criminals in tow. With a VM, the malware has to jump the VM and get into the guest OS. That is a harder thing to do, and monitoring within the Guest OS can help prevent it.
As for reputation-based tools (like ThreatPost, FireEye, NetWitness, etc.) they only work if you know one of the following: ALL of the GOOD IP addresses/Software Signatures you need to connect to/use, or ALL of the BAD IP addresses/Malware Signatures in the world. The first option is a major pain, and not really workable in an enterprise, so no one implements it.
The second option is laughable. How do you know that a previously “good” site has not been hacked? (London Stock Exchange, anyone?) How do you know that a “good” application hasn’t been pwnd? (Acrobat, anyone?)
Anyone telling you they can identify bad sites or malware BEFORE they infect you, is BS’ing you, and almost certainly trying to sell you something.
As scary as it sounds, we need to admit to ourselves that infections CANNOT be stopped. Communications with bad sites CANNOT be stopped. Until we accept that and start looking for answers with a new paradigm, we will not be successful.
When I find fault with something, I try to provide a solution or alternative, so here’s mine: one possible solution is to let a disposable environment, one with no data in it, get infected and then throw it away. (Invincea, anyone?)
With all due respect, you’re wrong on reputation. While it isn’t a panacea, if someone has been “made” as bad, and the rep is propagated quickly to others, and aged, it can be very effective. It isn’t the ONLY tool you can use, and some attacks will get through, but as a first filter, and a last hope, it both reduces the load on the deeper filters, and catches things they may not.
It’s worked very well on SPAM for years, with RBLs cutting out about 60-80% of spam, and therefore allowing more intensive scrutiny at content without overloading the filters.
We have real customer data showing that this approach DOES work, and reduces load on the other security infrastructure (and network), catches things that otherwise would have got through, and tends to take the P out of Advanced Persistent Threats, by disrupting their command and control channels.
The work on IP rep for firewalls goes back to the Internet Storm Center, and has been significantly enhanced by SRI, and there are several well reviewed papers on the subject. Get familiar with Phil Porras’ work in this area, and you will see the benefits to the approach.
It’s not a catch all, but it helps, a lot.
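The mechanism argued for in the preceding comment, a reputation entry that is propagated, used as a first-pass filter, and aged out over time, is small enough to show in full. The following is an added example, not ThreatSTOP's or any vendor's product code; the addresses (from the documentation ranges), the one-week half-life and the blocking threshold are constructed for the demonstration.

```python
"""IP reputation filter with aging.

Added example, not any vendor's product code. A destination reported as a
botnet controller gets a reputation score that decays exponentially with the
age of each report, and connections to it are blocked only while the score
is above a threshold. Entries, weights and half-life are constructed."""
import math

HALF_LIFE_SECONDS = 7 * 24 * 3600   # assumed: a report loses half its weight in a week
BLOCK_THRESHOLD = 5.0


class ReputationStore:
    def __init__(self, half_life: float = HALF_LIFE_SECONDS,
                 threshold: float = BLOCK_THRESHOLD):
        self.half_life = half_life
        self.threshold = threshold
        self.reports = {}   # ip -> list of (report_time, weight)

    def report(self, ip: str, when: float, weight: float = 10.0) -> None:
        """Record that `ip` was "made" as bad at time `when`."""
        self.reports.setdefault(ip, []).append((when, weight))

    def score(self, ip: str, now: float) -> float:
        """Sum of report weights, each decayed by its age (reports in the
        future relative to `now` are ignored)."""
        return sum(w * math.exp(-math.log(2) * (now - t) / self.half_life)
                   for t, w in self.reports.get(ip, []) if t <= now)

    def allows(self, ip: str, now: float) -> bool:
        """True when the aged score has fallen below the blocking threshold."""
        return self.score(ip, now) < self.threshold


def filter_connections(store: ReputationStore, connections: list) -> tuple:
    """First-pass filter over (time, destination) tuples; returns
    (allowed, blocked). Allowed traffic would go on to deeper inspection."""
    allowed, blocked = [], []
    for when, dst in connections:
        (allowed if store.allows(dst, when) else blocked).append((when, dst))
    return allowed, blocked


if __name__ == "__main__":
    store = ReputationStore()
    store.report("198.51.100.7", when=0)        # constructed: reported C&C at t=0
    sample = [(0, "203.0.113.9"), (0, "198.51.100.7"),
              (3 * HALF_LIFE_SECONDS, "198.51.100.7")]
    allowed, blocked = filter_connections(store, sample)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

Aging is what keeps the list from growing without bound and from blocking a host that was cleaned up weeks ago; a fresh report simply adds weight and pushes the score back over the threshold.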
Hmmm,
Correct me if I am wrong, but certain Cisco VPN clients can essentially ‘close down’ all network connections except the traffic going over the VPN tunnel... if so configured. It’s a security feature.
What if the banks employed that technique?!
Add a VPN Client type app in their online banking offering that is required to be running (automatically runs) only at the client transaction approval step.
As the end user moved to the approval stage ONLY network connections back to the bank’s online gateways would be allowed. Period. Any 3rd party remote control via a Zeus back door would be shut down.
To make it even safer, let’s add some time outs before and after the transaction approval. The assumption is that the client has an RSA key fob. So, the final step is for the client to enter the number from their RSA key fob, which by design/purpose of the timeout preceding the transaction (1 minute?), has advanced to a new number. After the transaction is approved a second timeout is enforced to ensure that the number used to approve the transaction is no longer valid (i.e. the FOB has advanced the number). AND then the VPN type connection tool deconfigures itself and the client’s system returns to its regular network config... complete with active Zeus trojan / remote control, which could not communicate with its controller and could not transmit the valid RSA key fob info back to the controller in a time frame in which it was still valid.
The VPN client type software doesn’t even have to impose any encryption overhead on the client or bank. It can be encrypted using a ‘null’ algorithm. All it has to do is control connections.
Scott
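The two properties Scott's proposal leans on, that a fob code stops verifying once the time step has advanced and that a code already spent cannot be submitted again, are both decided on the bank's side. The following is an added example, not the bank's or any token vendor's code: it implements the RFC 6238 TOTP scheme (the family hardware fobs belong to) as a verifier, using the RFC's published test-vector secret. It shows only the time and replay behaviour; the network lockdown that stops malware from relaying a live code is a separate control and is not modelled here.

```python
"""Time-stepped one-time codes with replay rejection.

Added example, not the bank's or any vendor's code. RFC 6238 TOTP on the
verifying side: a code verifies only within its 30-second step (plus an
optional skew window), and a code already accepted in its step is rejected
a second time. The secret is the RFC 6238 test-vector secret."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side verifier for one customer's token."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 0):
        self.secret = secret
        self.step = step
        self.window = window          # steps of clock skew tolerated on each side
        self.accepted_steps = set()   # steps whose code has already been spent

    def verify(self, code: str, unix_time: int) -> bool:
        """Accept `code` if it matches the current step (or one inside the
        skew window) and that step's code has not already been used."""
        current = unix_time // self.step
        for k in range(current - self.window, current + self.window + 1):
            expected = totp(self.secret, k * self.step, self.step)
            if hmac.compare_digest(expected, code):
                if k in self.accepted_steps:
                    return False      # replay of a code already spent in this step
                self.accepted_steps.add(k)
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test-vector secret
    v = OtpVerifier(secret)
    code = totp(secret, 59)
    print(code, v.verify(code, 45), v.verify(code, 50), v.verify(code, 95))
```

The `accepted_steps` set is the piece most deployments forget: without it, a code captured and resubmitted inside the same 30 seconds is still valid, which is exactly the interval Scott's post-approval timeout is meant to cover.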
I like that idea, but the banks would need to negotiate with VPN provider for different pricing.
At my day job, we have a VPN license based on the number of concurrent users. If we are full, and the next person tries to sign on, they cannot get a VPN connection. Management won’t authorize a higher number because of $$$$.
VPN-connect does not use a browser. We switched from Cisco to another outfit, where users have to key in the password every time. With Cisco, the laptop or whatever can “remember” the password, and some were concerned about laptops getting swiped, although in my opinion, changing the VPN password at the host end is real easy and fast, but notifying all users is a pain.
The version of VPN we are using, EVERYONE ... all the employees & clients ... is using the same password to access the VPN connection ... another thing the banks would want to be different.
Uhhh,
I didn’t propose adding a ‘real’ VPN client nor the cost/complexity. Just that one bit of functionality that shuts down all other network traffic.
Anything that requires a user to install software over the web is problematic from two standpoints:
1: It’s bound to not work (properly) on some combination of hardware and software, and be a support nightmare.
2: It teaches users bad behavior: installing software; that can be used by the bad guys to compromise security.
Imagine if users are told to install software, and their computer is ALREADY compromised. Now the bad guys have a trusted proxy (they can use an NDIS shim that is higher in priority than your VPN client).
There are plenty of systems with the Cisco VPN client that are trojaned. In fact, earlier versions of the basic tool used by these VPN clients, the DNE network extender, have had vulnerabilities.
What you describe may well be valid, but I have seen multiple variations on the story.
The crooks are in Russia, or some other nation, it does not matter. They need to get the money out of USA to their nation. The bank has SOME kind of security that blocks the transfer if it is going to Mexico, or some nation not authorized in advance by the customer, so the Russian crooks use American mules.
The bank has some threshold to stop and check transactions for over $1.00. The crooks do a billion transactions for 99 cents, which claim to be some kind of service charge.
The local bank that handles my business account sends an immediate email indicating the amount and destination of any withdrawal. This is done for all DBA accounts but not for personal accounts. Sign-in requires a password, a correct answer to three questions previously selected from a list by the account holder, and verification of a previously selected image. These identifiers are prompted to be changed monthly.
John – a trojan will allow me access to your acct details and computer. Something for you to think about and ask your bank, can I, the bad guy, pull enough information from those sources to pretend to be you and change your email address with the bank?
There are two things at play here.
First, the security of end users is currently inadequate to deal with these data exfiltration based attacks, and the vast majority of available options too expensive and cumbersome to implement for most organizations. Data Loss Prevention tools, Web Filtering with SSL reverse proxies, botnet detection systems and Intrusion detection/prevention systems are all expensive, complex, and require well trained, expensive acolytes to manage. Using a cloud hosted filtering service requires a lot of configuration of the network, can be bypassed by advanced malware, and often breaks performance sensitive or complex network applications.
Second, there’s an agency problem. The banks, who were originally created on the basis that it was a safer place to keep your money than at home, when security was relatively inexpensive (vault and guard) on a per subscriber basis (since it was spread over all the depositors) and made their money lending the deposits out; have no incentive to protect their subscribers in an era where they make their income on transaction fees, and security is expensive (because each customer has to be secured), and a friction to transactions.
So, the people who have the resources to address the problem, or could do so by requiring proper two-factor authentication (forget the hacked RSA fob: send a code to a registered mobile device or use dial-back to the Accounts Payable clerk, as examples), have no incentive to.
Since the problem is the result of two issues, it has to be attacked from two angles. First, a shameless plug: my company, ThreatSTOP provides a way for the vast majority of firewalls to block connections to known botnet C&Cs, drop boxes, crime hosters, countries with rampant cybercrime, etc.; making the sort of defenses that large companies have available to everyman. We blogged about this very issue today.
Second, Banks have to be held liable for the losses from fraud during some reasonable window, so that they have an incentive to stay on top of usage patterns. The credit card issuers have done this pretty effectively, due to their liability for fraud, so there’s no reason the banks can’t too.
What about holding the money mules responsible?
I’m sure they will be, criminally, but they are often unwitting dupes with not much money or resources.
That’s a third leg of the “agency” problem.
We all need to do more to protect ourselves, and each other, online, but the banks, if they want to maintain their fundamental reason for existing: a safe place to put your money, need to step up their game too.
The guilt of the money mules is on a par with the guilt of people, whose computers get infected then used as bot servers.
If we all spend our time on assigning blame, guilt, and naming and shaming, then we will never get anywhere, and only enrich lawyers.
That having been said, the mules are active participants in the crime: the people who get their money stolen are the victims.
The people who sign up for too good to be true “make money at home” schemes need to be held accountable, because they should know better, and go to the police when approached for what is obviously money laundering.
We each need to do what we can, and the regulatory environment needs to incent that. That’s why I think that there should be some limited time within, or “normal deviation” outside of, which the bank is liable.
Bank clients also need to do more to protect themselves.
I created ThreatSTOP to give the tools large organizations already have to the masses. It’s not perfect, but it is pretty effective at blocking Zeus and the other current bank credential stealing trojans.
I just can’t figure how a bunch of mules can be so simply added to the list of accounts payable. This activity must be a big warning sign.
No bank should accept as valid a list of new accounts. New accounts should be triple checked. Perhaps added in person at the bank.
Such inconvenience would be well worth the effort.
When the malware has penetrated the accounting person’s PC with a keylogger, the remote crook PC now sees how to do all sorts of financial transactions, in addition to those communicating to the bank.
Add phony vendors who are to be paid by ACH.
Add phony employees who get direct pay.
Copy social security #s of all the employees, to use in other pilfering activities.
Download credit card info of customers from the e-commerce site.
Copy bank routing info associated with OTHER organizations which this one is doing business with, so that they also can be targeted.
Perhaps I am missing something critical, but wouldn’t it be prudent for businesses to set up and utilize a separate dedicated PC for their critical financial transactions? That machine could somehow be set up to only be allowed to connect directly with the financial institution, with all the proper security protocols implemented. Maybe that isn’t “high-tech” enough (and I’m not suggesting that other measures shouldn’t continue to be pursued as well), but it seems like it could help to limit the potential for picking up the malware in the first place, or accidentally broadcasting sensitive information. As a (former) accounts payable clerk, I would not have had a problem with having to live with 2 systems at my desk.
@goldi;
Using a LiveCD is one way of doing just that. Just remember to reboot between sites, so the chance of cross infection can’t happen. I would still use a dedicated PC – perhaps with no hard drive, to do this however. This technique has been discussed many times on Brian’s site. Google > LiveCD banking, would probably get you a lot of hits.
A LiveCD only works if it doesn’t have a vulnerability that gets exploited before the bank web login. Given the number of malvertisements out there, and the fact that the LiveCD can’t easily be patched (it basically has to be reburned for every new patch rev), that’s dubious at best.
If you use Puppy Linux Live CD, the Firefox browser is included. After joining the network, the operating system immediately updates both the OS and the browser. Refreshing to a new CD occasionally would also be wise.
However, if your bank site is compromised, you are pretty much screwed anyway, wouldn’t you think?
I wonder how long this whole e-theft thing will go on? Every now and then we have a new story on some internet blog about the same thing, but still it’s too common to read another story. What I am trying to say is, is this e-theft stuff going to be over, or will it remain in place?
Many banks do not even allow strong passwords! for example, Chase asks for 6 to 10 characters, no punctuation or spaces…only letters and numbers.
SSDD
As long as businesses and those that run them (or anyone that uses online banking) continue to be ignorant of the threats out there and how to mitigate them, this issue will go on ad nauseam.
The simplest method to prevent this issue is to avoid getting malware (trojan horse to be specific) on the system you are using for anything of sensitive nature. Whether that be a dedicated hardened system of any OS flavor or a LiveCD. Because in the end, an ounce of prevention is worth a pound of cure!
You can’t outrun malware, just like you can’t outrun a bear. All you can do is to try and run faster than the other guy, or risk getting eaten. So the question is, how do I run faster than the other guy? Well – layers. Recognize that the victim’s PC was infected with malware, and that once that happened the whole system was compromised. Every system is built on a relationship, which is a part of a community, and every community contains multiple stakeholders. Here’s my quick synopsis: 1.) outside of making sure that you have some level of security on your PC and thinking before clicking, customers should ask their bank what security measures are in place; 2.) Banks should tell their customers what the current risks are; 3.) Banks should question new payees and unusual ACH batches, and authenticate with the originator (customer); 4.) Customers should review their accounts daily; 5.) The mules’ banks need to be on top of strange credits immediately followed by a guy walking in and asking for cash; 6.) The money service businesses (WU and MG) need to recognize these mule transactions and stop them before money leaves – they are really the last part of the system in the US, and probably the most important as they are currently the least common denominator (there are a lot fewer money transmitters than banks and bank customers). It’s odd for American businesses to send even $ transfers to E Europe – they need to get on the mules – even if the mules are unwitting dupes in this money laundering phase!
All of these elements are part of the system that was compromised; it just happens that the human that was compromised sat on the bank customer’s side. As soon as people start recognizing that all the system parts need to work together, maybe we can get somewhere:-)
I don’t know a lot about this topic, but it seems to me that most of Brian’s articles are about US banks being compromised, rather than banks in Western Europe. Do banks in Western Europe have better security measures in place for dealing with these kinds of threats?
Brian is in USA.
I would not be surprised if he has counter part(s) in Europe reporting on other crimes against similar targets there.
It is about the same. I see more targets of UK and Espana (Spain) than some of the other western European countries. Brazil is also popular. You are looking at a world-wide problem, not a US problem.
What I don’t understand is the mules. How are they recruited, what is their understanding of their role and what is monetary gain in all this?
John
John
I think I understand the mules. They get an advertisement where some foreign company is to be paid by USA customers, but they need US employees to get the money out of USA because of some non-explained hassles for foreign companies establishing bank accounts in the USA. So YOU are a legal resident of the USA, no problem you having a bank account in USA. We will arrange to have our customers send the money to accounts of our employees in USA, you transfer money from bank account to Western Union, take out your commission. Not explained is how come our customers can’t send direct via Western Union in first place. This scam is also used to steal from the bank accounts of the “US employees” of the foreign company.
There are many variants on the above scheme.
In the beginning, mules are people whose resumes are on the web … they are job hunting, and they are sent some weird offer. They need the money, and don’t ask many questions.
Quite possibly they are selected because from their resumes the crooks determine that these people are NOT QUALIFIED to figure out what’s going on in the schemes.
He said the town hadn’t yet established these dual controls over their account at Canandaigua at the time of the fraud.
And why didn’t they set that up while they were setting up the accounts?
Because the sad truth is that it’s human nature to initiate, engage, and then figure it out as we go. Think about the last time you bought a new computer, or even a TV. We don’t read about all the bells and whistles before we start playing, BUT we need to – great question – thought provoking.
Is there any word of how they got the machine infected? The reason I query about which service is used is because phish stick out like a sore thumb if you are using Thunderbird. Thunderbird makes no effort to render the JavaScript / HTML, so those mouse-over commands that show a substitute safe URL for the malicious real URL when you mouse over the link are rendered useless. You see the bogus real URL because it isn’t hidden any more. I realize a lot of people like other add-on security measures, but you still have something that makes getting infected possible even with firewalls up to date, AV running, etcetera. Local Hwy 443 and Interstate 80 easily bypass the firewalls. The trojans are always permuting and are avoiding detection by AV programs. I would like to know if they had been running Linux on their machines rather than Windows, at least for all the financial transactions, whether anything at all would have happened. Look people, I have analyzed well over 3000 pieces of Windows malware during the past ten years. During that same time period I have only seen two toolbars that don’t properly uninstall that would affect Linux. Don’t go to Macs for protection either – why doesn’t Apple change it to require a password no matter what for privileged file space software installs on OS-X? An even more important question is that if they were satisfied with the security of their old bank’s way of doing things and it would have protected them from this, why did they switch? It really does sound like they switched from a far more secure way of doing things to something that obviously didn’t work. From what I read at SANS, the previous bank required approval from at least two town officials before a transfer could be made.
If banks required you to type in a code text messaged to your mobile phone upon login (much like Chase does), and then again upon any sort of transfer or action that involves moving money around, wouldn’t that stop this sort of crime?
Those 2-factor auth methods stop one kind of attack – where the user’s credentials are stolen. So it’s a good first step, and addresses credential compromise not only from infections, but also from phishing, dumpster-diving, and other physical means of compromise.
However, once you have a nasty banking trojan on your PC, it doesn’t matter what type of authentication you have, because it can change the transaction AS YOU POST IT. That means you think you are paying your Sears bill, and approve it, but the trojan actually sends the payment to Ivan in Belarus. You need a way to be certain that the browser is clean before you post transactions. Virtualization is one good way to accomplish this.
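The distinction Eric draws between proving the login and protecting the transfer can be shown in a few lines. The following is an added example, not code from the post or from any bank: a code that only proves the login accepts whatever payee and amount the browser submits, while a code computed on a separate device over the payee and amount the customer actually intended no longer verifies once the browser has altered them. It assumes a per-customer secret provisioned to a second device out of band; the secret, payee identifiers and amounts are constructed.

```python
"""Login-bound versus transfer-bound confirmation codes.
Added example; the shared secret, payees and amounts are constructed."""
import hashlib
import hmac

# Assumed: provisioned to the customer's phone out of band, never to the PC (constructed value)
SHARED_SECRET = b"constructed-per-customer-secret"
CODE_LEN = 8


def login_code(secret, counter):
    """A code that proves only that the customer logged in; it covers no payment details."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:CODE_LEN]


def transfer_code(secret, payee, amount_cents):
    """A code computed on the second device over the payee and amount the customer intends."""
    msg = f"{payee}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:CODE_LEN]


def bank_accepts_login_bound(secret, counter, submitted_code, payee, amount_cents):
    """Bank side: only the login code is checked; payee/amount are taken from the browser."""
    return hmac.compare_digest(submitted_code, login_code(secret, counter))


def bank_accepts_transfer_bound(secret, submitted_code, payee, amount_cents):
    """Bank side: the code must match the payee and amount the bank actually received."""
    return hmac.compare_digest(submitted_code, transfer_code(secret, payee, amount_cents))


def simulate(bound_to_transfer):
    """Customer intends to pay 'sears' $120.00; a compromised browser submits 'mule-1' $4,900.00.
    Returns True if the bank accepts the altered transfer."""
    intended = ("sears", 12000)
    swapped = ("mule-1", 490000)   # constructed: what the browser sends instead
    if bound_to_transfer:
        code = transfer_code(SHARED_SECRET, *intended)   # computed off the PC
        return bank_accepts_transfer_bound(SHARED_SECRET, code, *swapped)
    code = login_code(SHARED_SECRET, 42)
    return bank_accepts_login_bound(SHARED_SECRET, 42, code, *swapped)


if __name__ == "__main__":
    print("login-bound code, altered transfer accepted:", simulate(False))
    print("transfer-bound code, altered transfer accepted:", simulate(True))
```

The second scheme only helps if the payee and amount are confirmed on a device the trojan does not control; if the customer copies details from the infected screen into the phone, the code is computed over whatever the malware chose to display.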
That is true Eric – at least in my limited knowledge – for banking attacks. I believe it is referred to as session riding; or at least with session riding the criminals can do other hijinks while you are doing regular business, perhaps unaware of this at all!
Thanks Eric & JCitizen! I was going to write a response but I thought others would give a much better answer. I was correct, but I will add a few more points. There is no substitute for a clean OS. People and companies that are classified as a business have far less protection from the banks than an ordinary person has. That is what happened here. You can achieve virtualization by using Windows 7 Pro or Ultimate and probably should use virtualization most of the time if you are a Windows user. That makes whatever infection you get transitory and you can throw it out when you shut the virtual down by not saving state (my own generic terminology). Just be sure to use a brand new virtual for banking and close that virtual when you are done. The other way to achieve a clean environment is to boot from a LiveCD. Another OS like OpenBSD, Linux, or a Macintosh can also be used, but there is some malware for Macintosh and Linux now. Also, most banks won’t ask for that secondary authorization unless you delete their cookies, or in the case of the major banks, their Flash super-cookie which all browsers that use Flash share. But as Eric and JCitizen just pointed out, this safeguard and in general all other safeguards can be bypassed if the hacker has control of your computer. I don’t know for sure, but people who are classified as businesses may not even have the option of that SMS or email secondary authorization. If they do, they force the issue of having either an SMS or email secondary authentication if they use a never-used virtual or a LiveCD. But the advice given to small businesses applies equally well to individuals even though banks give individuals greater protection. Do all your on-line business transactions using either a virtual, a LiveCD, or if you want to live with the extra risk, OpenBSD, Linux, or Macintosh (listed in most preferred to least preferred order).
I will bet most Macintosh and many Linux owners don’t even know what BASH is or how to check their BASH source files to see if somebody tampered with them. But if the hackers can install software in the privileged Mac /Applications folder, who cares? If the hackers installed their software in /Applications with no questions asked, they now own your computer. There is no substitute for a clean OS.
This is great in theory, but impractical for the vast majority. It also misses several attack vectors.
Most basically, it suffers from the fundamental fallacy of relying on a potentially compromised endpoint to police itself. This is why Antivirus doesn’t actually work. It’s a basic logic FAIL. You are asking a potentially insane person if they are sane.
First, Virtual machines use the resources of the host, and so, if there is a network stack level shim on the host, you’re pwned.
Second, there are plenty of ways to use a VM to compromise the host, and therefore stay persistent after the revert to snapshot.
Last, but by no means least, your approach requires a level of sophistication most users do not have, and does not scale in any kind of business, where the vast majority of users have no tech expertise whatsoever, and the IT department are overwhelmed.
Only allowing access to banking using RDC/VNC to a Virtual system that is locked down, and actively monitored using something like the Network Security Toolkit MIGHT be a practical way to do what you advocate.
However, you’re still stuck with the “Quis custodiet ipsos custodes?” problem, since the ESXi host can also be compromised.
That can only be addressed by a totally different set of monitoring, and enforcement, tools. Most companies already have the basics of that, a firewall, and so that is where I think the failsafe needs to be.
First off, I appreciate the excellent dialog from all parties. This is the way problems get solved!
As for my earlier comments, there is no single answer, nor am I proposing one. You still need firewalls, and AV, and IDS/IPS. You just need more than that because the threat has evolved and we have passed the point of diminishing returns on those technologies. You cannot stop modern-day malware with reputation-based defenses (e.g. AV signatures and IP address or site white/black-lists). Is the site you whitelisted yesterday safe to visit today? Not if the site admin “patched” it with a trojanized WordPress plugin!
However, I think that a couple of points of clarification are in order. First of all, ideally the endpoint needs to start out in a clean state. If it’s already infected, it’s hard to ensure the security of the VM. Having said that, there are ways using VMs that even if the local host is infected, it cannot read the network traffic or even tamper with the VM. Do things like run a VPN within the VM, use encryption of the VM and hashing to prevent tampering, etc. The browser windows and window handles will not be visible to keyloggers, so they don’t know when to start recording or what sites to tie keystrokes to. But it’s always safest to start clean.
But more importantly, using a VM without any sort of built-in detection provides only isolation, not protection. You really need to be able to determine if malware is trying to launch, or if the VM is misbehaving in a way that requires flushing it. Without that, the VM will get infected, and potentially move the infection to the host using Blue Pill or some variant thereof.
Finally, the end-user does not have to know anything about VMs, just as they don’t have to know anything about databases to use a call center application. The trick is building the environment so the user sees only what they need to see in order to do the task at hand. We are rapidly moving in that direction (See offerings like Invincea, Citrix, Moka5.)
The difference between using a PC with AV alone, and using a VM with detection, is that you have 2 hosts that must be compromised (and both at once, if the architecture is good), not just one. To paraphrase Tom Byrnes, you are asking the local host if the VM is still sane. That is a much more trustworthy path than the current alternative.
From what I have been tracking over the past many months, the only way to stop modern malware is to flush it when it shows up, not try to block it, or block potential sources of malware. And the easiest thing to flush is a virtual machine because it is the easiest and fastest thing to rebuild. After all, the user has to get back to work as soon as the infection clears up!
But even if you try to use some other architecture, you have to start thinking outside of the current (and 3 decades old) mindset of “Detect and Block” because that simply does not work anymore.
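Two earlier comments in this thread, the one about checking BASH startup files for tampering and the one just above about hashing a VM image to detect tampering, describe the same mechanism: record hashes of a known-good set of files, then compare. The following is an added example, not code from either commenter or from any product named here: it builds a SHA-256 manifest for a directory tree and reports changed, missing and unexpected files. The directory, file names and the tampering shown are constructed in a temporary directory so the script runs offline. It assumes the manifest is stored somewhere the checked machine cannot write to, since, as Tom points out above, a compromised endpoint cannot be trusted to police itself.

```python
"""Hash manifest for a file tree (shell startup files, a VM image directory) with a
verify step reporting changed, missing and unexpected files.
Added example; the sample files and the tampering are constructed in a temp directory."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large VM images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(root, manifest):
    """Compare the tree against a manifest taken earlier (and kept off this host)."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline two shell files, then alter one and add one.
    Returns (result on the clean tree, result after tampering)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, ".bashrc", "export PATH=/usr/bin:/bin\n")
        _write(root, ".profile", "umask 022\n")
        baseline = build_manifest(root)          # in practice: copy this off the machine
        clean = verify(root, baseline)
        _write(root, ".bashrc", "export PATH=/tmp/.x:/usr/bin:/bin\n")   # constructed change
        _write(root, ".bash_login", "# constructed file that was not in the baseline\n")
        tampered = verify(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before)
    print("after tampering:", after)
```

For a VM, hash the image file(s) the same way from the host side before the VM boots; a manifest that lives inside the VM, or on a host you already suspect, only tells you what the intruder wants you to see.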
I generally agree with the need for a layered defense, but I think you are missing the point that IP reputation can be highly dynamic, in a way that signatures and other types of filters cannot. It’s a bounded search space, the IP address MUST be in the clear, and so also harder to evade.
It’s not either or, but about making everything work better.
As I said above, it’s been used, very effectively, for years on SPAM.
I agree that IP reputation is good against SPAM, but it does not STOP the SPAM, it just keeps it from continuing.
APTs, especially targeted attacks, are a different matter entirely. You have to get the FIRST one.
Besides, I see sites go up, launch the attack, and then shut down. How do you use reputation against that? I have seen C&C servers rotate from “known good” web servers in the UK, to infected PCs on a Comcast cable modem in Iowa. How do you stop that with reputation? The answer is: you cannot.
Once the malware gets in, it is too late to do anything with the originating IP. You have to stop infections at the point of attack or you are pwned. No perimeter devices or technologies that I have seen can do that against modern malware.
The game has changed, and so must our thinking.
Blocking the OUTBOUND connection to the C&C, dropbox etc. (which are widely known and actively pursued by multiple groups, including Shadowserver, the Conficker Working Group, SRI and lots of others) both alerts that the host is infected, and prevents it from being controlled.
Blocking access to the glue nameservers for fast-flux botnets also prevents the bot from contacting its peers.
These techniques do work. I agree that it’s better if you don’t ever get infected, but, as we have said, you need multiple layers of defense.
No, Eric is correct. I gave up on IP a long time ago (SecureMecca.com / HostsFile.org – my PAC filter can block by IP and does, but usually not malware) and IPv6 promises to be even worse than IPv4 to try blocking malware threats. How fast do these hosts come and go? Try every four to eight hours for some of the chained host schemes I see for Fake AV and other malware, and many times they use just the IP address. But it isn’t just the host name that changes. The IP address is as volatile as the host name. The problem with this whole thread, though, is that the posters are all over the wall and they aren’t targeting the specific problem:
1. Some are positing solutions for larger businesses that don’t have any chance in a municipality like this one. Until they were struck, this municipality actually believed using Windows with AV and a firewall was good enough. I am not so sure they still don’t believe that. It is sort of like the Space Shuttle administrators still wanting to believe a two pound chunk of styrofoam couldn’t possibly damage the shuttle even after somebody showed how much damage it caused.
2. Some are trying to achieve the holy grail of no possible way for something to go wrong. Those solutions will never be implemented in a small business because they wouldn’t even know where to start. Even in a large business the CEO and CFO may even be joined by the CIO in running you out the door. They want to keep using their Windows machines to do their normal stuff (ORNL and RSA) and some even still want to do all of their financial transactions on Windows. Having them use a VM rather than running Windows direct may not be an optimal solution, but at least it is a step in the right direction.
3. Anybody dissing a Linux LiveCD is not helping anybody. I am sorry, but I have not seen any malvertisement targeting Linux. Everything I see targets Windows. Booting up fresh from even an older version of a Linux LiveCD, going no place but to achieve your business transactions, and then shutting down immediately would have protected this city and 99% of other business users from their funds being siphoned off. Why do you think Brian Krebs keeps recommending the LiveCD solution? It works! It would do nothing to protect their email boxes from filling up with spam or the tracking of what they do or anything else. But it would give them a quantum leap in security in guarding their bank accounts.
4. I still have nothing but two toolbars that don’t uninstall properly as my only Linux malware (there is more – I just haven’t got it), less than a dozen for Macintosh, but well over 3,000 malware for Windows analyzed over the past eight years. Whether you like it or not you will have to bite the bullet and shift from Windows to at least Linux for higher security. I don’t think most people would be happy with OpenBSD. It remains to be seen whether the hackers continue to go after Mac owners or if Apple finally realizes that asking for a password to install software and not auto-opening and installing packages in the browser makes good sense. Once Apple corrects those security holes it will be good enough for regular use again, but I would still want to use a LiveCD for business transactions, even with a Macintosh. I also think the LiveCD or maybe a VM on Windows will be about the only thing you can get a small business or municipality to use, and you will be lucky to get them to use that. They remain unconvinced that there is a problem until it strikes them.
You may want to revisit the idea of doing IP filtering, using highly dynamic feeds. If nothing else, it is a good first filter to offload the proxies and other deep packet inspection tools.
Re linux or Livecd: How many of the accounting, CRM, or other line of business platforms that businesses and governments need to do their actual jobs work in that environment, or can interact with it?
A significant percentage of financial transactions are done directly in Quicken or Quickbooks, in the real world of small business.
What you advocate is viable for techy individuals (I use VMs which I revert daily, and patch as needed, snapshot, and use the newly patched VMs as the revert next time, for all browsing) who have the time, and the rights to their machines. For the vast majority of people, and businesses, it isn’t practical.
Even if it is, you still should have network level IDS, IDP, URL filtering, SPAM filtering, antivirus for e-mail, and, in my experience (which is why I created ThreatSTOP, to automate something I was doing manually for myself and clients, that was helping), IP reputation can make all those work better.
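Tom’s two points, blocking the OUTBOUND connection to a C&C or drop box so the host is both alerted on and cut off, and feeding the filter from a highly dynamic list where entries age out, can be sketched together. The following is an added example, not ThreatSTOP’s code nor anything from the posts: it loads a small reputation feed in which every indicator carries a time-to-live, checks a set of outbound connection records against it, and returns the block/alert decisions plus the list of internal hosts that tried to reach a listed address. The feed format, the indicators (all from documentation address ranges) and the connection log are constructed.

```python
"""Time-bounded IP reputation feed applied to outbound connection records.
Added example; feed lines, address ranges and log lines are constructed."""
import ipaddress
from datetime import datetime, timedelta

# Constructed feed: indicator,category,first_seen,ttl_hours (documentation ranges only)
FEED = """\
198.51.100.23,c2,2011-06-01T08:00:00,8
203.0.113.0/24,fastflux-ns,2011-06-01T06:00:00,4
192.0.2.77,dropzone,2011-05-30T12:00:00,24
"""

# Constructed outbound connection log: timestamp source destination:port
CONN_LOG = """\
2011-06-01T09:15:02 10.0.0.15 198.51.100.23:443
2011-06-01T09:16:10 10.0.0.15 203.0.113.40:53
2011-06-01T09:17:00 10.0.0.22 93.184.216.34:80
2011-06-01T12:30:00 10.0.0.15 203.0.113.40:53
2011-06-01T13:00:00 10.0.0.31 192.0.2.77:80
"""


def load_feed(text):
    """Parse feed lines into (network, category, valid_from, valid_until) tuples."""
    entries = []
    for line in text.strip().splitlines():
        indicator, category, first_seen, ttl_hours = line.split(",")
        start = datetime.fromisoformat(first_seen)
        net = ipaddress.ip_network(indicator, strict=False)   # single IPs become /32
        entries.append((net, category, start, start + timedelta(hours=int(ttl_hours))))
    return entries


def is_listed(entries, ip, iso_ts):
    """Return the category if ip is listed and the entry is still live at iso_ts, else None.
    Expired entries are ignored, which is what makes the feed dynamic rather than a static list."""
    addr = ipaddress.ip_address(ip)
    when = datetime.fromisoformat(iso_ts)
    for net, category, start, until in entries:
        if addr in net and start <= when < until:
            return category
    return None


def check_log(log_text, entries):
    """Produce a block decision and alert record for each outbound hit."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, src, dst = line.split()
        dst_ip, _, port = dst.rpartition(":")
        category = is_listed(entries, dst_ip, ts)
        if category:
            alerts.append({"time": ts, "host": src, "dst": dst_ip,
                           "port": int(port), "category": category, "action": "block"})
    return alerts


def infected_hosts(alerts):
    """Internal hosts that attempted a listed outbound connection: candidates for a flush."""
    return {a["host"] for a in alerts}


if __name__ == "__main__":
    entries = load_feed(FEED)
    for a in check_log(CONN_LOG, entries):
        print(a)
    print("hosts to investigate:", sorted(infected_hosts(check_log(CONN_LOG, entries))))
```

In the constructed log, the two 203.0.113.40 lookups illustrate the TTL: the first falls inside the entry’s four-hour window and is blocked, the second comes after it expired and passes, and the drop-zone entry from two days earlier has aged out entirely. A real deployment refreshes the feed continuously and treats every hit as an alert on the source host, not only as a dropped packet.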