Reporting from the ISACA Security and Risk Management Conference in Las Vegas, we have breaking security news this morning.
Organized cyber criminals have added a new damaging element to an already viscous cyber attack. Yuval Ben-Itzhak, CTO of Finjan spoke by phone with the Data Security Podcast about a frightening new twist to the surge of bank account stealing Trojan attacks.
First some background: This news program, and other media outlets, have been reporting in the last few months about a wave of bank account Trojans that have been stealing money from small and medium sized businesses, and local governments. Theses well organized cyber criminals have been combining web drive-by attacks, with unauthorized electronic funds transfers. The cyber criminals then use innocent money mules to launder the money. The mules are typically lured into popular “make cash at home” schemes.
A construction company in Maine lost $588,000 from a recent attack, and they are now suing their bank. It’s important to note that while consumers generally have 60 days to “unwind” an unauthorized electronic funds transfer, businesses accounts are only protected if the bank is alerted within 48 hours of an unauthorized transfer. On The Data Security Podcast earlier this week, we interviewed the lawyer representing the construction company that suffered the $588,000 loss, see link below.
The Data Security Podcast can now report a dangerous new element to these attacks. Ben-Izthak tells the Data Security Podcast that Finjin security researchers have seen the cyber criminals actually alter the “account view” online screens that a victim sees. Of course the altered screen views do not show suspicious transactions. This means that a business will probably lose the chance to catch unauthorized transactions within the 48 hour window.
Here’s the process – The business uses a computer(s) to do online business banking, and uses that same computer to do web activities, email, and other standard business internet tasks. The attackers use those normal internet activities to plant a version of Zeus banking Trojan onto the business computer systems. These attacks are designed to by-pass most firewalls and many popular anti-virus programs.
The Trojan captures log-in info, challenge question/answers, and account numbers, right from the business computer systems…all the info the criminals need to conduct unauthorized electronic funds transfers.
Here’s the new twist: The attackers are now altering the web screens that display business account information. The bank’s computers are not altered, but rather the business customer’s view of their own accounts, as seen from their own computers. This is known in security-speak as an integrity attack: when authorized persons are unable to trust the accuracy of their own information
Ira Victor, Co-Host of The Data Security Podcast, is covering the ISACA Las Vegas Conference and had an exclusive sit-down interview with well-known data security researcher and penetration testing expert ‘Famous Peter Woods’ (as he is known), about this new attack. Peter Woods is the COO of First Base, a security company in the UK. Mr. Woods is also a keynote speaker at the conference.
Peter Woods characterized this new variation of the Zeus bank Trojan “as a disaster.” Mr. Woods recommended that business engage is a serious round of new user awareness training. When we asked Mr. Woods about technical counter-measures the banks could undertake, he questioned the willingness of many banks to invest in counter-measures that would truly be effective against these types of attacks. He thought that many banks would be more likely to add new legal disclosures in an attempt to indemnify themselves from financial loss.
Indeed, some banks are now putting new warnings on their web sites that encourage customers to “update anti-virus” and to “update system-patches.” Other speakers at the ISACA conference in Las Vegas generally agree that while that those measures are good for stopping certain attacks, they are mostly insufficient to thwart these newer types of attacks.
In Data Security Podcast Episode 71, Samantha Stone has an eye-opening interview with the attorney of the Maine construction company that lost $588,000 in a cyber attack, and is suing their bank. The cause of action? The plaintiff claims the bank breached it fiduciary duty when it failed to protect against the loss of the $588,000. We suspect that a variant of the Zeus banking Trojan attack was used to steal the money.
Be sure to listen to subscribe to our RSS feed and listen Data Security Podcast Episode 72. When that show posts, it will include our interview with Yuval Ben-Yitzhak of Finjan. Here is the link to the Finjan Report on the new Zeus bank Trojan.