Bank man: System's down, let's have coffee. Oh SNAP, where's all the CASH?

Hackers use DDoSes to distract staffers... while nicking MILLIONS

Top 5 reasons to deploy VMware with Tegile

Cybercrooks are running distributed denial of service attacks as a smokescreen to distract bank security staff while they plunder online banking systems, according to a researcher.

Avivah Litan, vice president at Gartner Research, reports that cyber criminals looking to attack financial institutions are getting more ambitious by targeting the internal wire applications of entire banks, instead of individual accounts, and covering their tracks using simultaneous denial of service attacks against bank systems as a distraction.

Fraudulent money transfers have traditionally been pulled off by taking over a mark's bank account and moving money into accounts of “money mules”. The stolen cash is then passed around between mules until it ends up in the accounts of the cyber criminals. However, Litan says that the latest evolution of these attacks uses DDoSes as a cover for much more damaging attacks:

A new much more ominous attack type has emerged over the past few months – and uses DDoS as its cover. Once the DDoS is underway, this attack involves takeover of the payment switch (eg, wire application) itself via a privileged user account that has access to it. Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.

Considerable financial damage has resulted from these attacks. One rule that banks should institute is to slow down the money transfer system while under a DDoS attack. More generally, a layered fraud prevention and security approach is warranted.

Litan, an expert in financial fraud and banking security who has been covering the sector for years, said that three unnamed US banks lost millions through just this type of distraction-based cyberheist over against payment switches recent months.

"It was a stealth, low-powered DDoS attack, meaning it wasn't something that knocked their website down for hours," he told SC Magazine.

One popular DDoS toolkit, dubbed Dirt Jumper, which has been linked to extortion-based DDoS attacks against gambling sites, has recently been used in attacks against banks that occurred shortly after fraudulent wire transfers.

A report by Dell SecureWorks published in April 2013 explains that Dirt Jumper creates a botnet of compromised machines that can be used to swamp targeted websites with junk traffic. Dirt Jumper (or later variants dubbed Pandora) is readily accessible online through underground forums for around $200.

Banks are often in the firing line of Dirt Jumper-powered DDoS attacks, Dell SecureWorks explains:

Working with organizations affected by Dirt Jumper DDoS attacks revealed a threat scenario in which the threat actor first performed a short-lived “test” DDoS attack to determine if the actor’s botnet could make the targeted site unusable. If the test was successful, then the threat actor performed another DDoS attack in the near future, but this time the DDoS attack occurred shortly after an unauthorized wire or Automated Clearing House (ACH) transfer out of a compromised account. DDoS attack patterns revealed that short-lived attacks were an indicator of an unauthorized wire transfer, while longer attacks, which could last hours to days, were indicators of a fraudulent ACH transfer. The fraud attempts were non-trivial and were usually in the six-figure range, with some attempts in the millions of dollars. Transfers were being made to banks located in Russia, Cyprus, and China.

Eventually the “test” DDoS attack was phased out. Visibility on these attacks proved to be quite useful — in some cases, the DDoS attack was the initial notice that high-dollar fraud was occurring. Some of the fraud attempts and losses are staggering, with total dollar values of attempted fraud ranging from $180,000 to $2.1m.

Separately the FBI-affiliated Internet Crime Complaint Centre warned(PDF) that cybercrooks were targeting financial institution employee credentials to conduct wire transfer frauds back in September 2012.

Recent FBI reporting indicates a new trend in which cyber criminal actors are using spam and phishing emails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee log in credentials. The stolen credentials were used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the actor(s) raised the wire transfer limit on the customer’s account to allow for a larger transfer.

In most of the identified wire transfer failures, the actor(s) were only unsuccessful because they entered the intended account information incorrectly.

The attacks largely focused on small- to medium-sized banks or credit unions but a few large banks have also been affected.

"In some of the incidents, before and after unauthorised transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public websites and/or Internet Banking URL," IC3 reports.

IC3, like Dell SecureWorks, reckons that the Dirt Jumper Trojan is the main vector of these DDoS smokescreens. The attacks reported by Litan appear to employ much the same tactics and tools, but targeting wire application systems rather than seeking to compromise trusted user accounts. As such, it represents an escalation in how banking attacks are run.

All this is carried out under the cover of denial of service attacks. However there's no suggestion that a recent run of apparently politically motivated DDoS attacks against large US banks, claimed by the Izz ad-Din al-Qassam Cyber Fighters, is linked to this financial fraud. Hackers launched packet-flooding attacks against Wells Fargo, Bank of America, Citibank and many other US banking organisations using compromised Wordpress installations, employing a hacker tool called Itsoknoproblembro.

Spooky US intelligence types suggested that the attacks were so sophisticated that they must be the work of a nation state, before pointing the finger of blame towards Iran. Security experts countered that the attack is well within the scope of ordinary hackers, and that the involvement of Iran is not supported by any hard evidence. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.