Comments on: DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists

By: Slightlyoutofit

Slightlyoutofit — Fri, 09 Dec 2011 23:36:54 +0000

The scammers don’t just DDOS banks to smokescreen their activities. They’ll hit anyone who they deem a threat. We run an anti-scam site and recently discovered an Eastern European gang using fake Amazon sites to further their scams. When one was posted on our forum at 419eater.com, we were knocked offline with a DDOS attack. We’re still under it as I write this. They then hit our sister site scamwarners.com and a couple of others which were carrying details of the scam and knocked them offline too. To cap it all, they’ve also sent us a threatening email promising further “aggressive action” if we don’t back off.

By: TJ

TJ — Sat, 03 Dec 2011 07:01:03 +0000

To quote Brian Krebs:

“Every victim I’ve ever interviewed was running anti-virus software. All of the products failed to detect the malware until the victim had lost money.

“Anti-virus software is next to useless against these ZeuS Trojan attacks. The malware tends to be uniquely packed for each target and usually slips past AV detection for the first 24-48 hours, the most crucial time, unfortunately.”

By: matt

matt — Sat, 03 Dec 2011 03:44:28 +0000

I’m old school. I recommend two banks. One is used for any online banking and only the money needed to pay bills goes there.
The money comes from a single monthly check written from an account where the real money is that is *never* exposed online.

Yes, it’s less flexible, but the only money exposed is the monthly bills amount and even that may not be in the account when they try to hit it.

By: Doug

Doug — Fri, 02 Dec 2011 17:31:05 +0000

I’d highly suggest changing your bank password too!

And you should change any other passwords that are financially relevant (trading accounts, work-related access from that computer, etc.). Then consider changing any other passwords that you might or might not care about (Amazon, eBay, {your-favorite-blog-site}, etc.)

Safe surfing!

By: chris

chris — Fri, 02 Dec 2011 10:56:23 +0000

I’m seeing a lot of “ACH transfer failed” and “IRS” mails lately, as well as “DHL Express Delivery Notification” mails.

These always contain a ZIP file with a lengthy filename and all in all look like amateur work. I’ve seen far better.

By: Mike Angelinovich

Mike Angelinovich — Fri, 02 Dec 2011 08:16:31 +0000

I agree that a Smart card & Reader is the way to go but the Banks do not need to spend the money to achieve the exact same result as the software solution is currently providing for almost nothing per user. This software was designed to do exactly what a Smart card does. After the user enters their Password the software is automatically triggered to generate a new onetime only dynamic authentication credential from the users PC and sends it automatically to the Bank’s authentication server for validation with the user’s credentials. Once it is validated, the server sends the user a new virtual token to be used for the next time the user logs into their online bank account. What is even more secure than the Smart card solution is that the new virtual token must be returned to its original source before it grants access into that online account and it is monitored at both the server end and the user’s PC end. This is very strong MFA and is fully portable and flexible to the point that a user can elect to use it as a hardware solution without the Bank issuing any hardware. The user can elect to store the new virtual token in their own USB Memory Stick and take it with them to access their online account securely from any PC or Mac anywhere. Anheuser-Busch Employees’ Credit Union and their online banking users across the nation describe it as leading edge security technology. So why should a Bank spend tons of money on issuing Smart cards & Readers? Plus users must carry those readers with them if they wish to access their account from a different computer and that is cumbersome.

By: YankDownUnder

YankDownUnder — Fri, 02 Dec 2011 06:46:11 +0000

“Microsoft Windows is safe and easy to use!” – as per Microsoft marketing.

Why businesses – of any size – depend on the least secure product on the market to perform vital tasks like banking is beyond my ken – 20 years of proof…c’mon…

By: jg

jg — Fri, 02 Dec 2011 04:29:23 +0000

Too expensive? We’ll see. They don’t have to be too cumbersome. Personally I just think the banks have not been motivated enough. But a few widespread attacks like this on consumers (for which the bank has to eat all or a large part of the losses) will hopefully change the trend.

By: dcx2

dcx2 — Fri, 02 Dec 2011 00:33:01 +0000

I personally have a netbook which has ubuntu on it. It is my bank machine. Any banking information at all goes through that netbook and nothing else. I even remove the battery while not in use – not for paranoia, but because the battery holds a charge for much longer when it’s disconnected.

By: helly

helly — Thu, 01 Dec 2011 23:24:51 +0000

Correct in part about the servers occasionally being in countries that are difficult to work with. In addition there are a huge volume of these malicious sites out there, making it extremely time consuming to try and track and shut down all of them.

Also the sites really only need to be up for a short while to be effective. If I’m a bad guy I hack into a legit web server, put up my malicious page and send out my emails. This could take place of a couple of hours really, and still be very profitable.

In short it is an extremely difficult task to simply shut these down pro-actively unfortunately!