iC3 Fraud Alert
Robert (RJ) Jeffries | September 19, 2012
The Internet Crime Complaint Center (iC3) has released a Fraud Alert detailing increased fraudulent wire transfer activity observed across the financial services sector. Although we urge close review of the report and its recommendations, the Solutionary Security Engineering Research Team (SERT) provides a brief summary below.
The alert is based on FBI reports of increased activity of fraudulent wire-transfers occurring just prior to large-scale Distributed Denial of Service (DDoS) attacks against the websites of targeted victim institutions.
According to the report, the fraudulent wire transfers are being conducted using credentials stolen from financial institution employees. The credential theft is reported to occur as a result of malware infection and, in some cases, involved variants of Zeus malware.
The initial attack vectors involved are reported to include targeted spam and phishing emails. These malicious emails led to the infection of affected machines and allowed complete access to internal networks and systems. The actor(s) then used this access to steal the credentials of others on the networks and to gain detailed knowledge of the target network(s). Such knowledge and access allowed the actor(s) to bypass controls designed to prevent and identify fraudulent transfers, essentially giving them near-full control of transaction processing.
While the attacks were reported to target mostly small-to-medium-sized financial institutions, larger banks were also targeted. In multiple instances, commission of the fraudulent transfers was preceded or followed up by DDoS attacks. The report goes further to state that in some cases the DDoS attacks were performed using the DirtJumper botnet.
A comprehensive set of recommendations for financial institutions is provided in the report. Many of these echo recommendations discussed in previous Solutionary blog posts and in our Security Threat Reports.
A summary of these recommendations includes:
- Educate users and personnel about the impact of mishandling spam and otherwise unsolicited email containing links and attachments.
- Segregate critical infrastructure, such as that relating to payment systems, from systems used for email and web browsing.
- Restrict, review and monitor access and activity related to financial payment systems and system accounts.
- Restrict access to administrative accounts and systems, and do not allow such access from remote systems such as home-user systems.
- Review incident response procedures and plans to ensure sufficient support for personnel who might be faced with this issue.
It is worth noting the report included detailed recommendations for wire transfer approval processes and other aspects of protecting the integrity of payment processing systems.
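One way to act on the monitoring recommendation and on the timing pattern the alert describes (wires committed just before or after a DDoS against the institution) is to correlate wire-transfer logs with DDoS alerts by time. The following is an added example, not code from the alert or from Solutionary; the log line format and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only (not from the alert).
WIRE_LOG = [
    "2012-09-10T13:02:11Z wire id=W1001 amount=48000 dest=ACCT-A approver=jsmith",
    "2012-09-10T13:05:40Z wire id=W1002 amount=250000 dest=ACCT-B approver=jsmith",
    "2012-09-12T09:15:00Z wire id=W1003 amount=12000 dest=ACCT-C approver=mlee",
]
DDOS_ALERTS = [
    "2012-09-10T13:20:00Z ddos target=www.bank.example severity=high",
]


def parse_line(line):
    """Split 'TIMESTAMP kind k=v k=v ...' into (datetime, kind, fields dict)."""
    ts, kind, *pairs = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in pairs)
    return when, kind, fields


def correlate(wire_lines, ddos_lines, window=timedelta(hours=2)):
    """Return (wire id, amount, minutes from nearest DDoS alert) for every
    wire sent within `window` before or after any DDoS alert.  The alert
    reports fraudulent wires preceding or following a DDoS, so proximity
    in time is the signal this check keys on; flagged wires go to review."""
    ddos_times = [parse_line(l)[0] for l in ddos_lines]
    flagged = []
    for line in wire_lines:
        when, kind, f = parse_line(line)
        if kind != "wire":
            continue
        for d in ddos_times:
            gap = abs(d - when)
            if gap <= window:
                flagged.append((f["id"], int(f["amount"]),
                                round(gap.total_seconds() / 60)))
                break  # one match is enough to flag this wire
    return flagged


if __name__ == "__main__":
    for wire_id, amount, minutes in correlate(WIRE_LOG, DDOS_ALERTS):
        print(f"review {wire_id}: {amount} sent {minutes} min from a DDoS alert")
```

In practice the DDoS alert feed would come from the institution's network monitoring and the wire log from the payment system, and the window should be tuned to the institution's settlement cut-off times.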