Friday, November 23, 2012

For banks, cyberattacks lurk as constant threat


  • Article by: JENNIFER BJORHUS , Star Tribune
  • Updated: November 10, 2012 - 9:24 PM
A threat known as Gozi Prinimalka is the latest -- and it takes aim at customer accounts.

    When denial-of-service cyberattacks were jamming up major bank websites in September, the public disruption made headlines.
    But in the sketchy recesses of the underground Web, something potentially much more damaging was apparently brewing. IT security company RSA noted in an Oct. 4 blog post that a cybergang linked to Eastern Europe was recruiting about 100 botmasters for a planned "blitzkrieg-like series of Trojan attacks" on 30 U.S. financial institutions. The weapon was dubbed Gozi Prinimalka, a mutation of the Gozi financial malware that has bedeviled banks for several years now.
    RSA analyst Mor Ahuvia, in Israel, blogged that if the project materialized it would be "the largest coordinated attack on American financial institutions to date."
    The Gozi rumblings illustrate the significant challenge banks face defending against myriad shifting cyberthreats. The denial-of-service attacks inconvenienced customers and made a statement. But Gozi, like its older cousin Zeus and other financial malware, is about draining money right out of accounts. It's a subject banks have been loath to discuss.
    RSA, the security division of tech giant EMC Corp. in Massachusetts, wouldn't release the list of targets. However, Internet security firm Trend Micro Inc. in Cupertino, Calif., provided a list of 26 companies, including Charles Schwab and Scottrade as well as several of the country's top banks, among them Minnesota's top two lenders: Wells Fargo & Co. and U.S. Bancorp.
    Wells Fargo and U.S. Bank declined to comment for this story.
    The Gozi cyberheist isn't targeting bank networks. It goes after customers banking online, and siphons money from accounts by essentially taking them over without victims knowing it. Gozi allows cyberthieves to steal a company's online banking credentials to gain access to their business accounts, impersonating both the victim and the financial institution. Detection is very difficult.
    "It's the scariest way that they commit fraud," said Ryan Elmer, an account executive at Total Networx Inc., an IT security company in Burnsville focused on banks.
    The malware can lurk in e-mail attachments, for instance, or be embedded in poisonous websites that victims unwittingly browse.
    Cyberthieves looting company bank accounts by taking them over -- dubbed corporate account takeover -- is a top fraud concern of banks. Gozi is the latest tactic in corporate account takeover, according to Total Networx. Increasingly, attacks target small-business bank customers.
    They're an attractive target. Small companies typically lack the IT resources and controls of large ones. And unlike individual bank customers with a checking account, businesses wire large sums of money around and use the electronic Automated Clearing House to handle such transactions as payroll.
    Corporate account takeovers caused losses of at least $45 million last year, according to the FDIC. The FBI says it's investigating about 230 reported cases of such fraud, involving the attempted theft of more than $255 million, with actual losses around $85 million.
    Last month, hackers stole more than $400,000 from a Bank of America account held by the town of Burlington, Wash., near Seattle.
    Ahuvia, at RSA, said the thieves behind the purported Gozi campaign are targeting U.S. financial institutions partly because they don't use a second layer of authentication -- an added security measure beyond a login and password -- for private banking customers to the extent banks in Europe do. Federal bank regulators last year recommended banks use multiple layers of authentication, but it's not a mandate.
    What's notable about the latest Gozi version, she said, is the degree to which it can impersonate an account holder, duplicating the victim's complete PC settings in an attempt to deceive the bank's back-end security systems. The scheme involves phone-flooding software to block victims from getting a call or text message from the financial institution that would verify online account activity.
    Russian hacker
    Cyber security expert Brian Krebs blogged that he thinks RSA's findings are linked to a Russian hacker nicknamed "vorVzakone" who communicated on underground forums in September that he was planning Project Blitzkrieg. Curiously, a man claiming to be vorVzakone posted a gloomy video of himself on YouTube driving a Toyota Land Cruiser and giving a tour of a two-level suburban-style house he said was his home.
    Krebs aptly described him as a "stocky bald guy in sunglasses."
    Tech security circles have buzzed about the timing of the potential Gozi spree, which was expected to hit as early as this month. There are plenty of skeptics. In an interview this week, Daniel Cohen, RSA's head of business development for Online Threats Managed Services, said the Gozi blitzkrieg may be off altogether.
    end quote from: http://www.startribune.com/business/178206151.html
