November 30, 2011

The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists.

The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called “Gameover.” The rash of thefts come after a series of heavy spam campaigns aimed at deploying the malware, which arrives disguised as an email from the National Automated Clearing House Association (NACHA), a not-for-profit group that develops operating rules for organizations that handle electronic payments. The ZeuS variant steals passwords and gives attackers direct access to the victim’s PC and network.

In several recent attacks, as soon as thieves wired money out of a victim organization’s account, the victim’s public-facing Internet address was targeted by a network attack, leaving employees at the organization unable to browse the Web.

A few of the attacks have included an odd twist that appears to indicate the perpetrators are using money mules in the United States for at least a portion of the heists. According to an FBI advisory, some of the unauthorized wire transfers from victim organizations have been transmitted directly to high-end jewelry stores, “wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).”

The advisory continues:

“Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as ‘pending’ and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.”

The attackers also have sought to take out the Web sites of victim banks. Jose Nazario, manager of security research at Arbor Networks, a company that specializes in helping organizations weather large cyber attacks, said that although many of the bank sites hit belong to small to mid-sized financial institutions, the thieves also have taken out some of the larger banks in the course of recent e-heists.

“It’s a disturbing trend,” Nazario said.

Nazario said the handful of attacks he’s aware of in the past two weeks have involved distributed denial-of-service (DDoS) assaults launched with the help of “Dirt Jumper” or “Russkill” botnets. Dirt Jumper is a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground, and is made to be surreptitiously installed on hacked PCs. The code makes it easy for the botnet owner to use those infected systems to overwhelm targeted sites with junk traffic (KrebsOnSecurity.com was the victim of a Dirt Jumper botnet attack earlier this month).

Security experts aren’t certain about the strategy behind the DDoS attacks, which are noisy and noticeable to both victims and their banks. One theory is that the perpetrators are hoping the outages will distract the banks and victims.

“The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found),” the FBI said.

That strategy seemed to have worked well against Sony, which focused on weathering a DDoS attack from Anonymous while information on more than 100 million customers was being siphoned by hackers.

“In the chaos of a DDoS, typically network administrators are so busy trying to keep the network up that they miss the real attack,” said Jose Enrique Hernandez, a security expert at Prolexic, a Hollywood, Fla. based DDoS mitigation company. “It’s a basic diversion technique.”

Another theory about the DDoS-enhanced heists holds that the thieves are trying to prevent victim organizations from being able to access their accounts online. One crime gang responsible for a large number of cyber heists against small to mid-sized U.S. businesses frequently invoked the “kill operating system” command built into the ZeuS Trojan after robbing victims.

Organizations that bank online should understand that they are liable for any losses stemming from cyber fraud. I have consistently advised small to mid-sized entities to consider using a dedicated computer for online banking — one that is not used for everyday Web surfing — and preferably a non-Windows system, or a “live CD” distribution.


23 thoughts on “DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists

  1. Huh?

    Some of our users got hit with this:

    From: Lillian Hurst [mailto:ierv_chapas@firstbuscanada.com]
    Sent: Tuesday, November 29, 2011 10:16 AM
    To: XXXX
    Subject: Direct Deposit payment was rejected

    This notification is related to the ACH transaction (ID: 920532306465) that was recently sent from your banking account.

    The current status of the above mentioned transaction is: failed due to the technical error. Please view the details in the report
    below:

    hxxp:// omiomi.com.ar/d3cc9f/ index.html

    Yours truly,
    Lillian Hurst
    2011 NACHA – The Electronic Payments Association
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171

  2. BrianKrebs Post author

    Hey Huh, do me a favor and next time don’t post a full, live and clickable download link to a ZeuS trojan server? I edited your comment to make it unclickable. Thanks.

    1. Huh?

      Very sorry for doing that, I really wish I could have edited that after I hit submit (submitted remorse). Next time I will be more careful!

    2. Kirk

      My wife got an email similar to the one mentioned and unfortunately she clicked on the link (looking at the email she clicked on it went to some goo.gl/gibberish url shortener site that did heaven only knows what). I have updated all my anti-virus stuff and scanned everything but nothing showed up. Any suggestions for things to look for or products to scan to see if my pc is infected with this thing?

      1. TJ

        To each his own…but I would backup all my data, reformat and and wipe the drive, and then reinstall Windows. Luckily (or unluckily), I learned my lesson years ago and now keep pristine disc images that make the whole process much less tedious.

        1. TJ

          To quote Brian Krebs:

          “Every victim I’ve ever interviewed was running anti-virus software. All of the products failed to detect the malware until the victim had lost money.

          “Anti-virus software is next to useless against these ZeuS Trojan attacks. The malware tends to be uniquely packed for each target and usually slips past AV detection for the first 24-48 hours, the most crucial time, unfortunately.”

      2. Doug

        I’d highly suggest changing your bank password too!

        And you should change any other passwords that are financially relevant (trading accounts, work-related access from that computer, etc.). Then consider changing any other passwords that you might or might not care about (Amazon, eBay, {your-favorite-blog-site}, etc.)

        Safe surfing!

  3. Ed

    Do you happen to know which source code version of zeus game over is using? was it 2.0.8.9 or a never version which i believe isnt as public?

    1. BrianKrebs Post author

      No, sorry I don’t but I can try to find out. I believe, but am not certain, that this is a custom version developed by a specific crime gang, and that it is not being re-sold.

  4. Scott

    I knew that I had certainly been seeing a lot of the NACHA phishing attempts lately.

    I saw something earlier as well that they were using Zeus to target Facebook users. Have you heard anything about this?

    Thanks Brian!

  5. Kent

    Why is it again that it’s so hard to bring down the sites purveying the crimeware ?

    They’re in some country with lax laws or enforcement ?

    1. helly

      Correct in part about the servers occasionally being in countries that are difficult to work with. In addition there are a huge volume of these malicious sites out there, making it extremely time consuming to try and track and shut down all of them.

      Also the sites really only need to be up for a short while to be effective. If I’m a bad guy I hack into a legit web server, put up my malicious page and send out my emails. This could take place of a couple of hours really, and still be very profitable.

      In short it is an extremely difficult task to simply shut these down pro-actively unfortunately!

  6. Kevin

    We’ve been getting the NACHA emails at work for weeks. Today we got three very, very similar emails that were allegedly from irs.gov.

  7. Mike Angelinovich

    Make sure your Bank or Credit Union provides an Authentication solution that uses the Login credentials you enter plus a Login credential you do not enter. Why? Because Zeus uses a real-time Keylogger to steal your Login credentials as you enter them. If you have another credential that you do not enter then Zeus can not steal it and will not be able to access your online bank account.

    Most of these types of Authentication solutions are too expensive for Banks to issue and cumbersome for the end users, such as a Smart-card & Reader or a USB token. However, there is a Software solution available that evolved from the Smart-card and has been protecting online banking for some time. This type of solution is highly affordable for a Bank to deploy to the masses and is user friendly.

    1. jg

      Too expensive? We’ll see. They don’t have to be too cumbersome. Personally I just think the banks have not been motivated enough. But a few widespread attacks like this on consumers (for which the bank has to eat all or a large part of the losses) will hopefully change the trend.

      1. Mike Angelinovich

        I agree that a Smart card & Reader is the way to go but the Banks do not need to spend the money to achieve the exact same result as the software solution is currently providing for almost nothing per user. This software was designed to do exactly what a Smart card does. After the user enters their Password the software is automatically triggered to generate a new onetime only dynamic authentication credential from the users PC and sends it automatically to the Bank’s authentication server for validation with the user’s credentials. Once it is validated, the server sends the user a new virtual token to be used for the next time the user logs into their online bank account. What is even more secure than the Smart card solution is that the new virtual token must be returned to its original source before it grants access into that online account and it is monitored at both the server end and the user’s PC end. This is very strong MFA and is fully portable and flexible to the point that a user can elect to use it as a hardware solution without the Bank issuing any hardware. The user can elect to store the new virtual token in their own USB Memory Stick and take it with them to access their online account securely from any PC or Mac anywhere. Anheuser-Busch Employees’ Credit Union and their online banking users across the nation describe it as leading edge security technology. So why should a Bank spend tons of money on issuing Smart cards & Readers? Plus users must carry those readers with them if they wish to access their account from a different computer and that is cumbersome.

  8. dcx2

    I personally have a netbook which has ubuntu on it. It is my bank machine. Any banking information at all goes through that netbook and nothing else. I even remove the battery while not in use – not for paranoia, but because the battery holds a charge for much longer when it’s disconnected.

  9. YankDownUnder

    “Microsoft Windows is safe and easy to use!” – as per Microsoft marketing.

    Why businesses – of any size – depend on the least secure product on the market to perform vital tasks like banking is beyond my ken – 20 years of proof…c’mon…

  10. chris

    I’m seeing a lot of “ACH transfer failed” and “IRS” mails lately, as well as “DHL Express Delivery Notification” mails.

    These always contain a ZIP file with a lengthy filename and all in all look like amateur work. I’ve seen far better.

  11. matt

    I’m old school. I recommend two banks. One is used for any online banking and only the money needed to pay bills goes there.
    The money comes from a single monthly check written from an account where the real money is that is *never* exposed online.

    Yes, it’s less flexible, but the only money exposed is the monthly bills amount and even that may not be in the account when they try to hit it.

  12. Slightlyoutofit

    The scammers don’t just DDOS banks to smokescreen their activities. They’ll hit anyone who they deem a threat. We run an anti-scam site and recently discovered an Eastern European gang using fake Amazon sites to further their scams. When one was posted on our forum at 419eater.com, we were knocked offline with a DDOS attack. We’re still under it as I write this. They then hit our sister site scamwarners.com and a couple of others which were carrying details of the scam and knocked them offline too. To cap it all, they’ve also sent us a threatening email promising further “aggressive action” if we don’t back off.

Comments are closed.