The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists.
The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called “Gameover.” The rash of thefts come after a series of heavy spam campaigns aimed at deploying the malware, which arrives disguised as an email from the National Automated Clearing House Association (NACHA), a not-for-profit group that develops operating rules for organizations that handle electronic payments. The ZeuS variant steals passwords and gives attackers direct access to the victim’s PC and network.
In several recent attacks, as soon as thieves wired money out of a victim organization’s account, the victim’s public-facing Internet address was targeted by a network attack, leaving employees at the organization unable to browse the Web.
A few of the attacks have included an odd twist that appears to indicate the perpetrators are using money mules in the United States for at least a portion of the heists. According to an FBI advisory, some of the unauthorized wire transfers from victim organizations have been transmitted directly to high-end jewelry stores, “wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).”
The advisory continues:
“Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as ‘pending’ and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.”
The attackers also have sought to take out the Web sites of victim banks. Jose Nazario, manager of security research at Arbor Networks, a company that specializes in helping organizations weather large cyber attacks, said that although many of the bank sites hit belong to small to mid-sized financial institutions, the thieves also have taken out some of the larger banks in the course of recent e-heists.
“It’s a disturbing trend,” Nazario said.
Nazario said the handful of attacks he’s aware of in the past two weeks have involved distributed denial-of-service (DDoS) assaults launched with the help of “Dirt Jumper” or “Russkill” botnets. Dirt Jumper is a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground, and is made to be surreptitiously installed on hacked PCs. The code makes it easy for the botnet owner to use those infected systems to overwhelm targeted sites with junk traffic (KrebsOnSecurity.com was the victim of a Dirt Jumper botnet attack earlier this month).
Security experts aren’t certain about the strategy behind the DDoS attacks, which are noisy and noticeable to both victims and their banks. One theory is that the perpetrators are hoping the outages will distract the banks and victims.
“The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found),” the FBI said.
That strategy seemed to have worked well against Sony, which focused on weathering a DDoS attack from Anonymous while information on more than 100 million customers was being siphoned by hackers.
“In the chaos of a DDoS, typically network administrators are so busy trying to keep the network up that they miss the real attack,” said Jose Enrique Hernandez, a security expert at Prolexic, a Hollywood, Fla. based DDoS mitigation company. “It’s a basic diversion technique.”
Another theory about the DDoS-enhanced heists holds that the thieves are trying to prevent victim organizations from being able to access their accounts online. One crime gang responsible for a large number of cyber heists against small to mid-sized U.S. businesses frequently invoked the “kill operating system” command built into the ZeuS Trojan after robbing victims.
Organizations that bank online should understand that they are liable for any losses stemming from cyber fraud. I have consistently advised small to mid-sized entities to consider using a dedicated computer for online banking — one that is not used for everyday Web surfing — and preferably a non-Windows system, or a “live CD” distribution.