With online heists once again hitting the headlines, DOROS HADJIZENONOS explains how banks and their customers should protect themselves against similar attacks.
When the prolific criminal Willie Sutton was asked why he specifically targeted banks, he purportedly replied: “Because that’s where the money is.” So it’s no surprise that cybercriminals have made banks a focus for online heists. Following the recently reported series of Carbanak cyber-thefts, which took up to a billion dollars from banks worldwide, a new survey* of 175 heads of financial organisations showed that they rated online attacks as the second-biggest perceived danger to their industry.
Banking executives are so worried about cyberattacks because of their sophistication. Recent online robberies have gone undetected for weeks or even months, because the criminals manipulate the banks’ own business-as-usual processes to stealthily move cash and siphon it away from accounts without attracting attention. In many cases, the transactions made by the hackers appear to be legitimate from the bank’s point of view – making cyber-heists a true ‘inside job’, devised by people with an in-depth understanding of how both business and consumer banking systems work.
An inside job
In the most recent series of thefts, hackers breached the banks’ systems using spear phishing techniques, tricking employees into clicking on malicious downloads by using crafted, targeted emails. This malware gave hackers access to banks’ internal networks, where they could quietly explore and gather information on the organisation’s systems and procedures, and work out the best method for stealing money.
In some cases, this involved quietly transferring funds between various accounts, and even crediting accounts with large sums before withdrawing identical amounts, so that the theft looked like an erroneous transaction.
In other cases, hackers used malware to target the networks controlling ATMs, triggering them to dispense cash at specific times so that associates could collect it from the machine. By the time an individual bank became aware it was being targeted and took steps to stop the fraudulent transactions, the attackers had already stolen substantial sums, and simply moved on to their next victim.
Hijacking customers’ accounts
It isn’t just banks’ networks that are targeted by hackers. 2012’s ‘Eurograbber’ attack targeted mobile banking services to steal nearly R583M from the accounts of over 30,000 customers of over 30 banks in four European countries, using malware that targeted and infected both the PCs and mobile phones of customers.
This sophisticated two-stage attack allowed hackers to intercept the unique SMS-based authentication codes generated by banks to authorise transactions. The criminals could then steal money from individuals’ accounts by making transfers to a series of external ‘mule’ accounts. The fraudulent transactions went unnoticed by customers, and from the banks’ viewpoint appeared legitimate, as they used the appropriate authorisation codes. The attackers even restricted the maximum amount stolen per transaction to a percentage of the account’s balance, helping them to remain undetected.
Securing the human factor
So how should banks secure themselves against such online threats? A common factor across all of these attacks is that no matter how sophisticated the malware or mechanism of action, the starting point is a simple, targeted phishing email, typically containing a file attachment with the malware payload. Once the bank employee (or customer) clicks the attachment, or a link directing them to an infected website, the security of the bank or the customer’s PC is compromised.
In the majority of cases, these targeted emails are able to evade conventional security defences because the attackers use obfuscation tools to conceal the malware’s identity from traditional signature-based antivirus solutions. This means that even older, known malware can be disguised and slip under the security radar. To mitigate this risk, organisations can add an extra layer of defence against malware using a technique known as threat emulation or ‘sandboxing’. This analyses the files carried in emails for virus-like behaviour, and isolates any suspicious files before they arrive in employees’ email inboxes and risk infecting networks through an accidental click.
Employee education about email- and web-based infections is also an important step. Teaching staff to watch for vital email social-engineering clues – such as misspellings, unexpected email attachments or links – can make a big difference in reducing the risk of a hacking attempt being successful.
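The gateway-side counterpart of the advice in the two paragraphs above is to apply the same clues automatically before a message reaches an inbox: hold messages whose attachments are of a type that should go to sandboxing rather than straight to a user, whose link text names one domain while the underlying link points to another, or whose sender display name claims a domain the real sender address does not use. The following is an added example written for this article, not Check Point code or any product's logic; the messages, addresses, domain names and filenames in it are constructed placeholders, and the list of risky attachment types is illustrative. It does not attempt to spot misspellings, which is left to the human reader.

```python
"""Added example (not from the article or Check Point): a minimal mail-gateway
triage that checks a message for the social-engineering clues the article
lists. All sample messages, domains and filenames below are constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types a gateway should route to sandboxing/quarantine rather than
# deliver directly (illustrative list, not a vendor policy).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".xlsm", ".bat", ".cmd"}
DOMAIN_TOKEN = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")  # something that looks like a domain


class LinkCollector(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw: str) -> list[str]:
    """Return the phishing indicators found in one RFC 5322 message."""
    msg: EmailMessage = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims a domain that the actual sender address does not use.
    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0]
        sender_domain = registered_domain(sender.domain)
        for token in DOMAIN_TOKEN.findall(sender.display_name.lower()):
            if registered_domain(token) != sender_domain:
                findings.append(f"display-name domain {token} != sender domain {sender_domain}")

    # 2. Attachments of types that should be sandboxed, never delivered directly.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")

    # 3. Link text shows one domain while the href points to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            href_host = urlparse(href).hostname or ""
            for token in DOMAIN_TOKEN.findall(text.lower()):
                if registered_domain(token) != registered_domain(href_host):
                    findings.append(f"link text {token} points to {href_host}")
    return findings


def should_quarantine(raw: str) -> bool:
    """Gateway decision: hold the message for analysis if any indicator fired."""
    return bool(triage(raw))


# Constructed sample: spoofed display name, mismatched link, screensaver attachment.
SAMPLE_PHISH = """\
From: "Secure Bank Helpdesk (securebank.example)" <alerts@mail-update.example.net>
To: staff@securebank.example
Subject: Urgent: account verification required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Please visit <a href="http://login.mail-update.example.net/x">securebank.example/login</a>
to verify your account.</p>
--B1
Content-Type: application/octet-stream; name="statement.scr"
Content-Disposition: attachment; filename="statement.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--B1--
"""

# Constructed sample: ordinary internal plain-text mail with no indicators.
SAMPLE_LEGIT = """\
From: Payroll <payroll@securebank.example>
To: staff@securebank.example
Subject: March timesheets
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Timesheets are due Friday. Submit them on the intranet portal.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "quarantine" if should_quarantine(raw) else "deliver", triage(raw))
```

Run as-is, the constructed phishing message is held with three findings and the plain internal mail is delivered. A real gateway would pass held messages to the threat-emulation step the article describes rather than simply drop them, and would replace the two-label domain approximation with a public-suffix list.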
As we’ve seen with the Eurograbber theft, online bank fraud can also target the banks’ customers. As such, the best protection against possible future attacks is to ensure that banking customers have up-to-date protection on the PC or devices they use for online banking.
Users should be encouraged to have up-to-date antivirus software and a firewall on their home PCs. Cost is not an issue here: there are free solutions from ZoneAlarm and others that deliver protection matching leading paid-for products. Another key preventative measure is for users to regularly install software updates and patches, to keep security as current as possible. It’s also worth reiterating to online banking users that their banks should never send an unsolicited email, and so the user should not respond to these as they are likely to be phishing mails.
In conclusion, even the most sophisticated attacks against banks start with the same simple steps that try to exploit people’s weaknesses. Stopping these attacks requires a mix of employee (and customer) awareness, and updated, comprehensive security protections on both bank networks and their customers’ computers. With these measures, there’s the best possible chance that future attempts at cybercrime won’t pay.
* Doros Hadjizenonos, Sales Manager Check Point South Africa