What's the best way to steal millions from a number of banks across the nation without being detected? Try causing a diversion by launching a DDoS attack, and then take over the system that manages and executes wire transfers, AKA the payment switch. That's what Gartner VP and distinguished analyst Avivah Litan said has taken place over the last several months, noting that DDoS attacks are becoming increasingly popular.
"Until recently, most illegal money transfers were accomplished via account takeover – of either customer or employee accounts when the fraudsters moved money from customer accounts to their mules and eventually their own accounts," she said.
She reports that once the thieves launch a "low-power" DDoS on a specific bank – meaning the assault isn't meant to knock down the bank's website for hours or days – they then attempt to seize the payment switch using a privileged user account that has access to that switch. Once the switch is held hostage, the hackers have access to all accounts and can fraudulently wire as much money as they can from as many accounts as they can until the bank, distracted by the DDoS, discovers what is really going on.
Litan, who is an expert in financial fraud and banking security, did not explain how the thieves gained access to the accounts that control the payment switches. Gaining access via a phishing email seems unlikely given the layers of security precautions financial institutions supposedly have in place to protect your money. Yet "cyberheists" such as these are a growing problem, and both phishing and brute-force account takeovers have been linked to many attacks in the past.
"Considerable financial damage has resulted from these attacks," Litan said. "One rule that banks should institute is to slow down the money transfer system while under a DDoS attack. More generally, a layered fraud prevention and security approach is warranted."
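One way to put Litan's "slow down the money transfer system while under a DDoS attack" into practice is a gate in front of the payment switch that tightens per-wire limits and per-operator velocity checks while the network side reports an attack. The code below is an added illustration, not any bank's or Gartner's procedure; the thresholds, the `WireGate` API and the sample wires are constructed assumptions.

```python
"""Wire-transfer gate that tightens limits while a DDoS alert is active.

Added example: thresholds, the WireGate API and the sample wires are
constructed assumptions, not any bank's real controls.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Wire:
    operator: str   # internal (privileged) user submitting the transfer
    amount: float   # USD
    ts: float       # seconds since epoch


class WireGate:
    """Per-operator velocity control plus a stricter regime under DDoS.

    Decisions: ALLOW (proceed), REVIEW (second approver required),
    HOLD (queue until the DDoS alert clears and fraud ops confirms).
    """

    def __init__(self, single_limit=50_000, ddos_limit=10_000,
                 window_s=600, max_wires_per_window=5):
        self.single_limit = single_limit      # per-wire cap in normal operation
        self.ddos_limit = ddos_limit          # much lower cap while under attack
        self.window_s = window_s              # velocity window in seconds
        self.max_wires = max_wires_per_window # wires one operator may push per window
        self.ddos_active = False
        self._recent = defaultdict(list)      # operator -> timestamps in window

    def set_ddos(self, active: bool) -> None:
        """Fed by the SOC/network side when a volumetric attack is detected."""
        self.ddos_active = active

    def decide(self, w: Wire) -> str:
        # Keep only this operator's wires inside the sliding window, then add this one.
        recent = [t for t in self._recent[w.operator] if w.ts - t <= self.window_s]
        recent.append(w.ts)
        self._recent[w.operator] = recent
        burst = len(recent) > self.max_wires
        limit = self.ddos_limit if self.ddos_active else self.single_limit
        over = w.amount > limit
        if self.ddos_active and (burst or over):
            return "HOLD"      # slow the switch down while the smokescreen is up
        if burst or over:
            return "REVIEW"    # unusual even on a quiet day: require dual control
        return "ALLOW"
```

The verdict is only as good as the DDoS signal feeding `set_ddos`, so the network alert and the fraud gate need to be wired together rather than living in separate teams' dashboards.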
Litan told SCMagazine that at least three banks suffered from this kind of attack/theft over the last several months, but would not provide their identities. She said that these recent attacks have nothing to do with the wave of DDoS attacks that arrived last winter and spring to knock down Chase, Citigroup, Bank of America, Wells Fargo and many others.
Back in September, the Financial Services Information Sharing and Analysis Center, the Internet Crime Complaint Center and the FBI said in a joint statement (pdf) that the $200 Dirt Jumper DDoS toolkit was being used to divert bank employees' attention away from fraudulent wire transfers conducted with pilfered employee credentials. Then in April the Dell SecureWorks Counter Threat Unit issued a similar report (pdf), warning that hackers attempted fraudulent wire transfers of up to $2.1 million USD using the same DDoS smokescreen cover.
Surprisingly, the FBI's report clearly states that hackers are using spam and phishing emails, keystroke loggers and Remote Access Trojans (RATs) to compromise financial institution networks and obtain employee login credentials, and that spam and phishing emails are the primary entry point. Once a bank employee's computer is compromised, the keyloggers and RATs installed on it give the hacker full access to internal networks and to logins for third-party systems.
And to think these people and institutions are managing your money. Honestly, it seems that the consumer can't win: the government wants to spy on your online and offline identities while hackers want to steal them. Still, we have to ask this: why aren't banks providing better protection against phishing attacks?