Robbers Loot $78 Million from Banks, via Software Hacks
If you ever decide that you want to rob a bank, better work on your software skills. Security firms McAfee and Guardian Analytics have released a new report that details the skillful software exploits of modern-day bank robbers. According to Reuters, which broke the news, the superhacks, which stemmed from the Zeus and SpyEye malware, resulted in $78 million stolen from customers in Europe, Latin America, and the US in the past year alone.
The report, “Dissecting Operation High Roller,” is available as a PDF from the McAfee website.
I’ve selected a few passages from the report that might be relevant to all of you out there in the software world.
From the report:
On the location of the cyber-criminals:
Once we knew the attack patterns to look for, we found evidence of other attacks at other European and Latin American banks. These attacks, built on the code found in Italy, were adapted for each specific bank. For the first time, we knew this fraud was global in nature, and we suspected that other regions might be affected. Our suspicions were confirmed when we subsequently found evidence of active campaigns in Colombia and the United States.
On the use of server-side automation to perform hacks:
The attack also has adopted sophisticated server-side automation to conceal the actual methodology as to how the system interacts with the victim’s online banking platform to create the fraudulent transaction. Unlike the initial malware discovered in Europe, the updated attacks found in the Netherlands and the United States move fraudulent transaction processing from the client to the server. Fraudulent activities—including the actual account login—are performed from a fraudster’s server that is located at a “bullet proof” ISP (one with crime-friendly usage policies), locked down against changes, and moved frequently to avoid discovery. After each move, the web injects are updated to link to the new location.
Methods used to bypass security software:
Extensive customizations secure the code and the attack infrastructure. Rootkits help the client-side malware burrow deep into the system to avoid detection by antivirus scans. In addition, the actual binaries (the payloads tailored for each bank and injected into the browser) have very limited distribution to a small number of victims. Once our researchers began tracking the binaries using the McAfee® Global Threat Intelligence™ database, the relatively small population of infected systems (such as the 5016 accounts compromised in the Netherlands) confirmed that fraudsters wanted the attack to stay under the radar of detection systems.
The links and code are obfuscated—encoded, packed, and encrypted—within the web injection to prevent detection and hinder inspection. And some of the web servers move dynamically so that blacklisting and reputation-centric technologies are not effective. For example, the server-side components—both the command and control servers and the fraudulent transaction servers—are hidden to avoid classification by reputation-based systems. This allows servers to remain online for longer periods.