Instead of targeting the bank accounts of individuals or organizations, criminals recently took over the wire payment switch at several U.S. banks to steal millions from their choice of accounts, according to a security analyst.
Avivah Litan, vice president and distinguished analyst at research firm Gartner, told SCMagazine.com in an interview that at least three banks were struck in the past few months using “low-powered” distributed denial-of-service (DDoS) attacks meant to divert the attention and resources of banks away from fraudulent wire transfers simultaneously occurring.
Last week, Litan wrote a blog post on the attack method, which could have resulted in the banks losing much more money than they did, though the fraudulent transactions were in the “millions,” she said in a follow-up interview with SCMagazine.com.
Litan declined to reveal the names of the victim banks, but said that the attacks didn’t appear to be linked to the flood of hacktivist-launched DDoS attacks that hit these institutions last fall and winter. These new incidents are entirely financially driven, she said.
“It wasn’t the politically motivated groups,” she said. “It was a stealth, low-powered DDoS attack, meaning it wasn’t something that knocked their website down for hours.”
Litan told SCMagazine.com via email that the attacks “added up to millions [lost] across the three banks.”
The concern with the wire payment switch – a system that manages and executes wire transfers at banks – being targeted is that it could result in much more costly loss scenarios for banks. Traditionally, digital crooks stealing from banks have opted to compromise the computers of banking customers in order to obtain their bank login credentials, access the accounts and then funnel out money.
In this case, the vandals went directly after the banks, according to Litan.
While it’s unclear how the attackers gained access to the wire payment switch at banks, saboteurs could have targeted bank staff with phishing emails, an easy way to plant credential-stealing malware on target machines.
Researchers at another security firm have called attention to the trend of DDoS attacks being used as a cover for fraudulent activities at banks.
In April, Dell SecureWorks Counter Threat Unit (CTU) released its “2012 Threatscape Report,” (PDF) which highlighted notable trends that developed last year among cyber attackers.
The SecureWorks research team noted that fraudsters have been utilizing Dirt Jumper, a $200 crimeware kit that launches DDoS attacks, to draw bank employees’ attention away from fraudulent wire and ACH transactions ranging from $180,000 to $2.1 million in attempted transfers.
Last September, the FBI, Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3), issued a joint alert about the Dirt Jumper crimeware kit being used to prevent bank staff from identifying fraudulent transactions.
In the alert (PDF), the organizations said criminals used phishing emails to lure bank employees’ into installing remote access trojans (RATs) and keystroke loggers that stole their credentials.
In some incidents, attackers who gained the credentials of multiple employees were able to obtain privileged access rights and “handle all aspects of a wire transaction, including the approval,” the alert said – a feat that sounds daringly similar to recent attacks on the wire hub at banks.
“In at least one instance, actors browsed through multiple accounts, apparently selecting the accounts with the largest balance,” the alert said.
Litan suggested that financial institutions “slow down” their money transfer system when experiencing DDoS attacks in order to minimize the impact of such threats.
In a Tuesday email to SCMagazine.com, Limor Kessem, a cyber crime and online fraud expert at RSA’s FraudAction Research Lab, said her firm hadn’t seen the wire payment switch attacks in the wild, but that RSA’s customers had shared information about this threat with the research team.
“The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first,” she said in an email. “That’s when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.”