October 3, 2011

Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small to medium sized organizations took the bait.

These fake NACHA lures were mailed the week of Sept. 19, even though the sent date on the message says Aug. 3. Source: Commtouch.

Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware” — malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.
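As an added example (not part of the original article), here is a mailbox-side triage check keyed to the two traits reported above: NACHA branding on a message whose Date header is weeks older than its actual delivery. The sample messages are constructed, and nacha.org is assumed here to be NACHA's legitimate sender domain.

```python
"""Triage check for the fake NACHA lures described above.

Added example, not part of the original article. It keys on two traits
the article reports: the message claims to be from NACHA, and its Date
header (Aug. 3) is weeks older than the week it was actually delivered
(Sept. 19). Both messages below are constructed; nacha.org is assumed
here to be NACHA's legitimate sender domain.
"""
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

LEGIT_NACHA_DOMAIN = "nacha.org"    # assumption for this example
MAX_DATE_SKEW = timedelta(days=3)   # tolerance for clock drift and queueing


def _parse_date(stamp):
    """Parse an RFC 2822 date string; return None if it is malformed."""
    try:
        return parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        return None


def arrival_time(msg):
    """Timestamp from the topmost Received header.

    The topmost Received line was stamped by our own mail server, so it
    is the trustworthy record of when the message actually arrived; the
    sender controls the Date header and can backdate it freely.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    _, _, stamp = received[0].rpartition(";")   # Received ends with "; <date>"
    return _parse_date(stamp)


def lure_indicators(raw_message):
    """Return the names of the indicators that fire for one raw message."""
    msg = message_from_string(raw_message)
    hits = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if "nacha" in name.lower() and domain != LEGIT_NACHA_DOMAIN:
        hits.append("nacha-display-name-mismatch")

    claimed = _parse_date(msg.get("Date", ""))
    arrived = arrival_time(msg)
    try:
        if claimed and arrived and abs(arrived - claimed) > MAX_DATE_SKEW:
            hits.append("date-header-skew")
    except TypeError:        # one naive, one aware datetime: cannot compare
        pass
    return hits


# Constructed sample: mirrors the lure in the article (old Date, NACHA branding).
LURE = """\
Received: from mx.example-lookalike.com by mail.example.net; Tue, 20 Sep 2011 09:14:02 -0400
From: "NACHA - The Electronic Payments Association" <alerts@example-lookalike.com>
To: accounting@example.net
Date: Wed, 03 Aug 2011 11:02:15 -0400
Subject: Your ACH transaction was rejected

Please review the attached transaction report.
"""

# Constructed sample: plausible legitimate mail, for comparison.
BENIGN = """\
Received: from smtp.nacha.org by mail.example.net; Tue, 20 Sep 2011 10:00:00 -0400
From: "NACHA Operations" <ops@nacha.org>
To: accounting@example.net
Date: Tue, 20 Sep 2011 09:58:30 -0400
Subject: Rules update

Quarterly rules update attached.
"""

if __name__ == "__main__":
    print(lure_indicators(LURE))     # ['nacha-display-name-mismatch', 'date-header-skew']
    print(lure_indicators(BENIGN))   # []
```

The Date skew alone is weak evidence (clocks drift, queues back up), so it is one indicator among several rather than a block rule on its own.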

Using NACHA’s name as bait is doubly insulting because victims soon find new employees — money mules — added to their payroll. After adding the mules, the thieves use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds (minus a commission) overseas.
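An added example, not from the article, of the kind of pre-release review a business can run on its own payroll batch against the mule pattern just described; the roster, batch and thresholds are constructed assumptions a business would tune to its own payroll history.

```python
"""Pre-release review of an ACH payroll batch, aimed at the mule scheme
described above. Added example, not from the article; roster, batch and
thresholds are constructed assumptions a business would tune itself."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

NEW_PAYEE_WINDOW = timedelta(days=30)  # assumption: "recently added" payee
NEW_PAYEE_MAX = 2                      # assumption: more first-time payees than usual
AMOUNT_FACTOR = 2.5                    # assumption: flag pay > 2.5x the established median


@dataclass(frozen=True)
class Employee:
    emp_id: str
    added_on: date        # date the payee was added to the payroll system
    prior_payments: int   # batches this payee has been paid in before


@dataclass(frozen=True)
class Payment:
    emp_id: str
    amount: float


def review_batch(roster, batch, run_date):
    """Return {emp_id: [reasons]} for payments an approver should hold.

    A hijacked browser session can add payees and submit a batch, but it
    cannot rewrite the HR roster this review compares against."""
    by_id = {e.emp_id: e for e in roster}
    holds = {}

    def flag(emp_id, reason):
        holds.setdefault(emp_id, []).append(reason)

    # Baseline pay is taken only from payees with a payment history.
    established = [p.amount for p in batch
                   if p.emp_id in by_id and by_id[p.emp_id].prior_payments > 0]
    baseline = median(established) if established else 0.0

    first_timers = []
    for p in batch:
        emp = by_id.get(p.emp_id)
        if emp is None:
            flag(p.emp_id, "payee-not-on-roster")
            continue
        if emp.prior_payments == 0 and run_date - emp.added_on <= NEW_PAYEE_WINDOW:
            flag(p.emp_id, "new-payee-first-payment")
            first_timers.append(p.emp_id)
        if baseline and p.amount > AMOUNT_FACTOR * baseline:
            flag(p.emp_id, "amount-above-baseline")

    # A burst of first-time payees in one batch is the mule pattern itself.
    if len(first_timers) > NEW_PAYEE_MAX:
        for emp_id in first_timers:
            flag(emp_id, "too-many-new-payees-in-batch")
    return holds


# Constructed roster: three long-standing staff, one genuine new hire (E004),
# and three payees inserted the day before the run (E005-E007).
ROSTER = [
    Employee("E001", date(2009, 3, 2), 60),
    Employee("E002", date(2010, 7, 12), 30),
    Employee("E003", date(2008, 1, 15), 90),
    Employee("E004", date(2011, 9, 8), 0),
    Employee("E005", date(2011, 9, 12), 0),
    Employee("E006", date(2011, 9, 12), 0),
    Employee("E007", date(2011, 9, 12), 0),
]

# Constructed batch; E999 is not on the roster at all.
BATCH = [
    Payment("E001", 2400.00), Payment("E002", 2150.00), Payment("E003", 2600.00),
    Payment("E004", 1900.00), Payment("E005", 9400.00), Payment("E006", 9600.00),
    Payment("E007", 9200.00), Payment("E999", 8800.00),
]


def demo():
    """Run the constructed batch through the review; returns the holds."""
    return review_batch(ROSTER, BATCH, date(2011, 9, 13))
```

The genuine new hire E004 is held too; that is intended, since a reviewer confirming a new payee against HR records out of band is exactly the step the hijacked session cannot perform.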

On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama. John Ziak, director of information technology at the center, said he suspects the organization’s accounting firm was the apparent source of the compromise. That means other clients may also have been victimized. He declined to name the accounting firm.

Ziak said the bank was able to block some of the fraudulent transfers, but that it was too soon to say how much the thieves got away with. But the center may have better leverage than most victims in convincing the bank to accommodate them: Many of its doctors are on the board of directors of the organization’s bank.

“We still don’t know how much is going to be coming back,” Ziak said. “We can chalk it up to lessons learned, but we’re going to be making some changes with the bank…forcing them to implement a higher level of security for our account.”

Last month, computer crooks also robbed the North Putnam Community School Corporation, which serves the children of six northern townships of Putnam County, Indiana.

Mary Sugg Lovejoy, superintendent of the K-12 school system, said thieves stole about $98,000 from school coffers, sending the money to numerous individuals who had no prior business with the school district. Fortunately for North Putnam, all of the fraudulent transfers were returned shortly after the attack, Lovejoy said.

In a separate attack on a public institution, malicious hackers last month struck the City of Oakdale, Calif., according to a story in the Modesto Bee. High-tech criminals stole $118,000 from a city bank account, the publication reported last week. Oakdale city officials are confident that its insurance carrier would reimburse the loss, minus a $2,500 deductible.

But that story ended on a sour note. The reporter quoted officials from the city’s bank, Oak Valley Community Bank, wrongly laying blame for the incident on a lack of technology and security.

“It’s the same story we hear from a lot of institutions,” Oak Valley President Chris Courtney said. “It’s about safekeeping the information on your computers, scanning for viruses and having a state-of-the-art security system.”

Blocking these attacks has little to do with state-of-the-art computer systems or scanning files with anti-virus. It’s not clear what malware family was used in any of these attacks, although the first two mentioned in this story involved a cyber gang that favors the ZeuS Trojan (the fraudulent NACHA messages in the screen shot above contained a malware dropper that installs ZeuS). But organizations should understand that these attacks have far more to do with social engineering and tricking humans than with defeating technology and security solutions.

As I’ve noted in past stories, all of the victims I’ve interviewed were running anti-virus software: Very few of them had protection against the malware used in the attack until after their money was stolen.

Most commercial banks have significant room for improvement in securing the transaction and authentication space for their customers. But businesses that rely on their financial institutions to detect fraudulent activity are setting themselves up for an expensive lesson.

No single approach or technology will stop all of these account takeovers, but preventing the theft of your online banking credentials is a critical first step. That’s why I continue to advise that small- to mid-sized organizations use a dedicated computer for online banking. Using a non-Windows PC — such as a Live CD or a Mac — is the safest approach, but not necessarily the most practical or affordable. An alternate approach is to access bank accounts from an isolated PC that is locked-down, regularly updated, and used for no other purpose than online banking.

Zeustracker.abuse.ch tracks antivirus detection rates for new variants of the ZeuS Trojan. The average detection rate is about 38 percent.

27 thoughts on “Monster Spam Campaigns Lead to Cyberheists”

  1. brucerealtor

    The use of multiple AV programs that do not conflict with each other, i.e., Malwarebytes seems to often conflict where Superantispyware doesn’t, with a major commercial AV program in combination with running in user mode was apparently something the majority of those hacked were not doing. 38% absolutely sucks for new variants of the Zeus Trojan.

    So I need a machine running Linux from a disc, or a completely dedicated machine for banking. I can imagine what you think of folks who use their cellphone software to access their bank accounts — ouch ???

    1. JCitizen

      LiveCD or other high assurance hardware is always best; but I’ve never had conflicts with MBAM testing with the better free and some of the popular paid AV brands.

      However, to get the best real time protection from MBAM and SAS, you also have to be logged in as Administrator, which is not the way to operate at all. At least they protect that account whilst doing maintenance.

      So far Spybot Search & Destroy and Ad-Aware are the only free AM solutions for folks who run as standard users. I don’t count on any of them catching Zeus style Trojans. Running several kernel based utilities that run well in infected environments is a good way to patch the armor. Adding a strictly behavior based utility that detects start-up folder injections is another.

      Using purely cloud based AV is a good way to double up on AV capability without creating conflict. Lavasoft now gives away their AV with the anti-malware as a blend; so beware if using another such anti-virus that may conflict. I turn the AV off in the real time protection Ad-Watch console control.

      Of course these are only solutions that my SMB clients insist on. I usually can’t get them to go to LiveCD or Linux, so I got to convince them to go at least part of the way toward “Security” for Windows.

      1. truth_or_dare

        @JCitizen :

        You wrote

        Running several kernel based utilities that run well in infected environments is a good way to patch the armor. Adding a strictly behavior based utility that detects start-up folder injections is another.

        Can you give us some specific names of software that supplies these features? They sound really helpful.

        1. JCitizen

          Brian has some of them as advertisers here. Like Trusteer’s Rapport. I run it plus KeyScrambler Pro, and Mamutu. These get along with Avast very nicely, but I’m not sure about Comodo’s Defense +; I haven’t tried to run them together for a while. I use LastPass but a lot of other good password managers can help keep un-encrypted information off your hard drive, where spyware will surely detect it.

          Using Emsisoft’s free firewall (Online Armor) may be just as well as using Mamutu, but I am very impressed with its performance, as it found all of my active DRM spies within 5 seconds. I had to exclude them so I could run my cable card and blu-ray.

          I think Prevx runs in the kernel space, and it can conflict with some solutions, but as long as you only use it as an alert source and don’t try to remove anything with it, it can be a good partner in a blended defense. It is cloud based, and a free version is available for Facebook customers. You can also run one other PC based AV with it, with no problems, so it is like doubling up your AV detection, and protecting your PC from the kernel up through the other software layers. Some anti-virus solutions now run in the kernel space, and can resist manipulation from malware as a result. These may conflict with Prevx.

          Some very knowledgeable security types still recommend WinPatrol as the old tried and true startup folder watchdog; but I’ve found it is pretty good at alerts only, and not stopping much of anything. I’ve only tested the free version, however.

  2. Neej

    IMO banks blaming their customers for these losses because they aren’t running “appropriate” security software is a bit of a joke – surely not a funny one either should you be the victim in the situation.

    The fact is (as pointed out in the article) simply relying on software to provide protection is pretty much pointless these days not least because new malware instances are tested against the very same software to ensure it is not detected.

    No doubt banks are aware of this – at least at some level of personnel. If I was told I was to blame for the reason outlined, expect me to change institutions if it’s at all practical to do so. The bank is obviously not interested in providing practical advice should this be the case and is going too far with the whole “guardian of the money” role.

  3. Matthew Walker

    I’d like to mention my own PassWindow authentication plastic cards can do transaction authentication off any OS or mobile device securely, adhering to the assumption there is already malware on the device and still able to provide mutual transaction authentication. The plastic cards only cost a few cents and are less than a blank CD. For businesses that means they can continue to run their essential MS based accounting software, which is probably mandated by their accountant or bank, right off their regular or mobile machines. There is also an online authentication version, shieldpass.com, where individuals or small user groups can plug the code directly into their websites. Felt I had to mention it as it seems more secure and practical for business than the LiveCD approach.

    1. JCitizen

      Have they solved the browser “session riding” problem with PassWindow? I know the developer told me they were working on a solution.

      For hardware(ATM/POS), I think PassWindow is possibly unbeatable.

      1. Matthew Walker

        Hi JCitizen, long time. Yes, solved: authenticating specific user transactions, not just the user’s initial session, leaves malware with no option of authenticating a mule account or transfer. Actually, since we launched the shieldpass plugin people are using the mutual authentication ability to mutually authenticate all sorts of things beyond financial transaction control, like internal encrypted messaging systems, and even to communicate secret numbers to users through the method. There is an example on the video of a destination account number.

        1. JCitizen

          Good news! I think VISA jumped the gun going to Chip & Pin (way too expensive).
          I really appreciate your response. Have a good week!

      2. Nick P

        I just looked at the PassWindow solution. First impression is that it’s a very clever card-present technique. I’ve been quite busy lately, so I don’t know if I have time to do a full security analysis. However, I plan to throw a bit of time at it in the future in the medium robustness sense to see how practical it would be against remote attackers, skimmers and other very common methods.

        One potential advanced attack that came to mind captures the random stream on the compromised pin pad & the resulting readable stream on a camera, then maybe uses an algorithm to figure out the visual transformation part. I’m sure there are more good attack ideas waiting to come out, but many of the authentication ideas we’ve discussed on these blogs increase the barrier to entry greatly. That’s good enough in itself. This 14 year old points, clicks, cons & receives money crap is kind of ridiculous, ya think? Shouldn’t be that easy…

        1. JCitizen

          Yes Nick; hardware assurance definitely needs looking into on any idea in this space. We appreciate any of your input on this.

  4. Nic

    People are upset by the amount of money stolen here, especially considering the victims — schools, cancer clinics, etc. So we rush to determine blame, thereby providing a path to a solution. (Haven’t we done that before already?)

    I’m not so sure it’s that simple, though. I don’t think there’s an easy fix because the problem isn’t a technical one. Allow me to explain.

    We know that most people will click through any warning. Right there, it stopped being a purely technical problem. Employing data from abuse.ch, spamhaus, hostexploit.com, Team Cymru, and other organizations _does_ help. It _should_ be done by administrators. But that’s not the end of it, because this isn’t a purely technical problem; we can’t control everything in a multi-everything environment.

    Personally I don’t like the banks due to their business practices. However, if I was in their shoes, seeing how ordinary users take no interest in computer security, I would find it difficult to impose truly secure expectations upon them. Multi-factor auth, Windows clients blocked (this can be done at the TCP level for example with p0f), etc. Yeah. That would be an instant national scandal followed by immediate apologies, lost customers, and backtracking.

    The root problem is that users have been conditioned to not develop computer skills. Think of all the non-computer people you know: in the last 10 years, what skills have they developed? I don’t mean using Firefox instead of IE — that’s not a skill; think of this as a car. I’m talking about, Have they learned to change their own oil? Can they replace spark plugs? Can they replace a tire now whereas 5 years ago they couldn’t? Those are real skills. They don’t need to design an engine/kernel, but given the importance of computing in our economic and personal lives, one would assume some real skills had been learned along the way. However in the computer world the only advancement we see is analogous to learning how to drive a Chevy “instead” of a Ford. That’s not a new skill learned.

    The amount of hand-holding by the OS is inversely proportional to the abilities developed by the user.

    The percentage of options found in pre-defined buttons is inversely proportional to the abilities of the user.

    The clarity of error messages is proportional to the problem-solving abilities of the user.

    Gaining skills and abilities takes time but it’s a natural process.

    IMHO the real solution is to treat users bit by bit, more and more as adults. That’s how they’ll gain skills and abilities, and that’s how the severity of these problems will shrink to an acceptable level.

    In the meantime I think live CDs are the best way to go.

  5. Lease Duckwall

    One of these letters we received said something like “If you feel you have received this message in error, please pass it along to the appropriate person in your organization…” Having been the victim of an ACH fraud last year, we use a dedicated non-windows device on a separate DSL line, among other measures.

    1. Matthew Walker

      Hi Lease, it would be great if you could give further details about your business size and specific accounting process. Every business I know of needs to run specific accounting software packages compatible with their accountant’s software package and their online business banking account download package list. Many of these have no non-MS based versions, and all would need writeable local media and some network, even if just a printer. I can’t imagine a business process where the accounting package isn’t networked with the rest of the business terminals unless someone is going back and forth with a USB stick all day (which would then become the vector; even printers can become a vector now), and I can’t imagine an accountant going along with that.

      The only option I can see would be to request the accountant to print out and manually re-enter every single account transfer all day into the isolated machine, and even in that case the payment “list” could then be remotely tampered with further back up the chain, especially if the accountant ends up working in a vacuum on an isolated box. I can’t imagine any of the business victims in the article being able to go along with such a process; many look like they would have accounting teams with multiple employees having payment authorization rights, probably at multiple locations too, not just onsite but also at the accountant’s office. Even once the payments have been made, the transaction payment references would need to be recorded, which would have to be manually written out at the isolated terminal and then manually re-entered again back onto the live accounting package terminal. This is entirely impractical.

      Please obfuscate your personal details but explain the process and how it practically works with your accountant. For what it’s worth, my own accountant’s IT security knowledge only went as far as checking AV is running and that “there is a gold padlock somewhere on the page”.

  6. Yuri

    Fighting the lost battle.
    It is not me being sarcastic/pessimistic, it is just the Broken Window theory here 🙂
    – Users are and will be the weakest link; those falling victim do not and will not run LiveCD. And I am talking here about the growing generation as well: teenagers releasing too much information on FB, Myspace etc. will be careless with their Visa/MasterCard later.
    – Technology lags behind; you’d be surprised how many of the evasion techniques from http://vx.netlux.org/ work against AVs of 2011 (heuristic detections are mostly hype)
    – IF you follow the press closely you will have no choice but to notice that only a minority of the masterminds are prosecuted, with the logical conclusion: “If others do, why can’t I?”
    – The threshold for entering the “field” is getting lower – who needs to be a programmer when you have a building kit?
    – As a result of all the above, the once restricted field of highly technical criminals will be inundated with average Joe and Joanna Doe wishing to make some money on the side
    – What should be done about all this? Nothing, I guess; the heroes will fight, criminal anarchy on the Net will grow, and we (knowledgeable observers) can just watch all this from a safe distance. Usually good guys win, or rather bad guys just destroy themselves. It already happened with crime in NY – once the capital of crime, now just another US city after crime ate itself in the 90s. At worst people will stop using the Internet; not the end of the world.

    1. JCitizen

      Good post and just FYI, New York had help taking a bite out of crime using criminology techniques I studied back in the mid ’70s. I give Rudy Giuliani’s crime fighting science quite a bit of credit there.

      1. Nic

        Respectfully, the claims of Giuliani’s efforts causing the decrease in crime were convincingly debunked in Freakonomics.

        1. JCitizen

          Also respectfully Nic:

          I majored in criminology, so I think I’m more qualified to issue an opinion of his anti-crime policies than “Freakonomics”. One must realize that he came from the ground up – first as a local DA and worked his way up to mayor. I have no idea what he did for the economics of the state; only what he did for crime – which is probably saving the state and city a boatload of money.

          When one is in the system that long, it can make a lasting imprint.

          1. Nic

            JCitizen: So based on your background in criminology, how do you discredit the argument made in Freakonomics? Giuliani’s background is not proof for or against the argument that his policies uniquely reduced crime.

            1. JCitizen

              Because of the fact that he did implement them by the standard, with only small changes that fit his community, and the fact that in every community where they implemented these changes, they benefited by a commensurate reduction of crime.

              You could argue that the collection of data is flawed, but my friends in New York believed in this system also. All my buddies in law enforcement believe in this system, and are trying to implement them where politically possible in their communities. When I see success like this, it makes a believer out of me; besides the plan makes common sense; I don’t need much more than that to believe in it anyway.

  7. Al

    One way to secure the online banking environment on a Windows machine is by using BitBox, which is now available in English and is free in the single user version.
    I have been using it for a while for some of my surfing and it works really well.

    See http://www.sirrix.com/content/pages/BitBox_en.htm

    Here is an excerpt from the page:
    The virtual surf environment BitBox has initially been developed by Sirrix on behalf of the German Federal Office for Information Security for use by all federal authorities. Now the solution is open for everyone and enables users to surf the Internet with confidence even when using most modern and comfortable web technologies without limitation despite otherwise usual advice.

    On the basis of a “Browser-in-the-Box” concept a virtual machine is provided with a reduced operating system and a web browser encapsulated therein. Malware can’t thus penetrate the host operating system and a potential damage in the separated virtual machine will vanish with each start of the browser by returning to a certified starting point. All of that is fully transparent to the user.

    1. Nick P

      “Malware can’t thus penetrate the host operating system and a potential damage in the separated virtual machine will vanish with each start of the browser by returning to a certified starting point.”

      Maybe, maybe not. This claim is interesting if you look at what the company has claimed it takes to trust software & then look at the level of complexity & lines of code in this solution. You can’t trust a claim about “can’t penetrate” or truly “separated” unless the system is designed to EAL6-7 levels. This requires a small, reduced TCB. The L4-based Micro-SINA VPN (using Sirrix technology) is an example. Turaya Desktop (also using partly Sirrix technology) takes a microkernel approach with trusted computing technology & paravirtualized Linux for the GUI parts. They say that kind of approach is what it takes. Then, they tell us this complex BitBox hosted on a monolithic, insecure OS is good enough. Which do you believe?

  8. Richard

    You wrote,

    “It’s not clear what malware family was used in any of these attacks, although the first two mentioned in this story involved a cyber gang that favors the ZeuS Trojan…

    “But organizations should understand that these attacks have far more to do with social engineering and tricking humans than with defeating technology and security solutions.”

    Well, both are part of the attack, and if the social engineering part is successful, where the unsuspecting user clicks to download the Transaction ID, protection in place will block the installation of Zeus. But not with the mainstream solution using AV, whose success rate is miserable, as you point out:

    “Zeustracker.abuse.ch tracks antivirus detection rates for new variants of the ZeuS Trojan. The average detection rate is about 38 percent.”

    However, many solutions exist to prevent the installation of any unauthorized executables like the ZeuS trojan.

    I don’t have a fake NACHA email to test, but I found a site that serves up the ZeuS trojan, using a JAVA exploit. Here is a screen shot of the executable being blocked:

    There are many security solutions available which catch any unauthorized executable payload, and so it’s always been a mystery to me why only AV is ever mentioned by those who cover the security scene.

    1. JCitizen

      As I say many times here, signature based detection has become obsolete for these kinds of threats. And there are more and more kernel based and other types of behavioral blockers or startup alert utilities for such malware.

      The best work in an infected environment, and don’t have to remove anything to work well as part of a good blended defense.

  9. Dave

    $7.6 Mill USD, 2 years in prison… worth every minute behind bars.

  10. Charles

    Our company (a Coldwell Banker franchise) switched to Postini email filtering as part of an ongoing switch to Google Apps. I saw the first of these ACH phishing emails last week. Today there were 25 of them in my Postini spam box!

    1. JCitizen

      I swear Postini is a major target for spammers! Partly because it is so popular as a service, and partly because it is so ineffective.
