Alert: Banks at High Risk of Attack
Agencies Warn of New Threats to Institutions, Employees
U.S. financial institutions are now at high risk of cyberattack, according to the Financial Services Information Sharing and Analysis Center, which alerted member institutions on Sept. 19.
Citing "credible intelligence" about the potential for distributed denial of service and other attacks against institutions, the FS-ISAC raised its cyberthreat level from "elevated" to "high."
"Members should maintain a heightened level of awareness, apply all appropriate updates and update AV and IDS/IPS signatures, and ensure constant diligence in monitoring and quick response to any malicious events," the alert says.
This news comes one day after Bank of America reportedly experienced periodic website outages, and two days after FS-ISAC, the FBI and other entities issued a fraud alert warning institutions that their own employees are increasingly targeted by fraudsters.
According to published reports, Bank of America's online banking site experienced intermittent slowdowns on Sept. 18, and a hacker group claimed responsibility for the problems. Those claims could not be verified.
"In response to the group's claims, I can assure you that our customer and client information, our online banking platform and the related systems remain safe and secure," Mark Pipitone, a BofA spokesman, says. "Our online banking services have been, and are up and running. The vast majority of our customers did not experience any issues."
What can be verified, though, is the trend of heightened attacks against institutions and their employees.
In the fraud alert issued on Sept. 17, FS-ISAC, the FBI and the Internet Crime Complaint Center described cyberschemes that have a goal of ultimately draining thousands of dollars from online accounts via unauthorized wire transfers.
Within the alert, these agencies also offer 17 tips for mitigating the risks involved.
Security researchers have warned of attacks aimed at institution administrators for several months, says George Tubin, a financial fraud expert and security strategist for online security provider Trusteer. "I think the FBI issued this alert because the volume they're now seeing indicates these attacks are not just a blip; this is a trend," he says.
These attacks aimed at employees are concerning for a number of reasons, he adds. "Once an employee account is compromised, you can see how devastating it can be for the bank, because they have access to so much information and to other accounts. Many employees have the ability and are authorized to schedule transfers and access sensitive information."
FBI investigators say cyberthieves use hacking techniques such as spam, phishing, keyloggers and remote-access Trojans to attack and compromise bank and credit union networks and intercept employee login credentials, the alert explains. Using those log-in credentials, hackers can schedule wire transfers and payments. They also can access an institution's internal networks as well as logins to third-party systems.
In some cases, hackers have stolen multiple employee and administrative credentials to third-party services and were able to circumvent internal authentication controls, according to the new alert. After getting around those controls, cyberthieves control all aspects of the wire transaction, including the approval.
Denial of service attacks also are launched in some cases before and after unauthorized transactions. These DDoS attacks are waged against the banks' and credit unions' public and Internet-banking sites and are believed to be used by the hackers as a way to distract the institution from immediately identifying fraudulent wires.
"One Botnet that has been used for this type of distraction is the Dirtjumper Botnet," the alert states. "Dirtjumper is a commercial crimeware kit that can be bought and sold on criminal forums for approximately $200."
Stolen credentials have been traced back to numerous unauthorized overseas wire transfers, most of them ranging between $400,000 and $900,000, according to the alert. Although most of those attempted transfers were unsuccessful, the FBI says those failures resulted from cyberfraudsters incorrectly entering compromised account information, and because banking institutions were catching and blocking the transactions.
Anomaly Detection is Critical
The alert offers an important reminder to banking institutions that they need to rely on basic security functions, says Wesley Wilhelm, lead fraud subject matter expert at financial-fraud solutions provider NICE Actimize. Those include dual-authorization for payments initiation and confining wire transfer and ACH activity to a dedicated PC.
Banking institutions should "use anomaly detection systems and include employee wire-transfer-system, monetary and administrative activity in their employee fraud-detection systems as well as in their wire transfer fraud-detection systems," Wilhelm says.
One critical recommendation, Wilhelm says: Banking institutions should consider changing rules in anomaly detection systems to detect internal attacks and send administrators alerts when wire-transfer limits are modified.
Mode of Attack
The FBI says hackers primarily use spam and phishing e-mails to target employees at banking institutions. Whether the attacks are directed at specific employees, such as via spear phishing attacks, is not specified in the FBI's alert. But the alert does note that variants of Zeus are used in some cases to steal the affected employees' credentials.
"This all comes back to malware," Tubin says. "Remote-access tools, Zeus variants - it's the same problem we have seen on the customer-device side. The root cause of all of this is malware. If the bank could just focus on addressing the root cause - blocking the malware and making sure the malware does not do what it's designed to do - we could stop this."
Some of the unauthorized wires also are preceded by unauthorized logins that occur outside normal business hours. Using stolen employee login credentials, hackers can access account transaction history, modify or learn about an institution's specific wire-transfer settings, and read manuals that offer information and training about U.S. payments, providing them with tools to exploit the system.
"In at least one instance, actor(s) browsed through multiple accounts, apparently selecting the accounts with the largest balance," the alert states.
Most of the attacks focused on small-to-medium sized banks and credit unions.
Among the 17 recommendations that the FBI, FS-ISAC and IC3 offer for mitigating risks are:
- Educate employees about phishy e-mails and suspicious attachments;
- Restrict web browsing from PCs used by the institution for wire and ACH transactions;
- Monitor employee log-ins for suspicious file access or log-in times;
- Implement dual approval for wire transfers that exceed a specified amount;
- Remove instructional manuals from online access;
- Monitor site traffic spikes, which could indicate a DDoS attack;
- Limit employees' ability to remotely access internal networks and work-related e-mails from personal devices.
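The monitoring recommendations above, together with Wilhelm's advice to alert when wire-transfer limits are modified, can be expressed as a small set of correlated rules. The following Python sketch is an added example, not code from the alert or from any vendor named in this article; the log format, field names, business hours, dual-approval threshold and correlation window are all assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data); the line format is an assumption.
EVENTS = [
    "2012-09-17T02:14:00 login user=jdoe",
    "2012-09-17T02:20:00 limit_change user=jdoe old=100000 new=950000",
    "2012-09-17T02:31:00 wire id=W1 amount=870000 initiator=jdoe approver=jdoe",
    "2012-09-17T10:05:00 login user=asmith",
    "2012-09-17T10:40:00 wire id=W2 amount=450000 initiator=asmith approver=bjones",
    "2012-09-17T11:00:00 wire id=W3 amount=2500 initiator=asmith approver=asmith",
]

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time (assumed policy)
DUAL_APPROVAL_OVER = 10_000     # assumed dual-approval threshold, USD
WINDOW = timedelta(hours=1)     # assumed correlation window

def parse(line):
    """Split 'timestamp kind key=value ...' into a dict."""
    ts, kind, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec.update(ts=datetime.fromisoformat(ts), kind=kind)
    return rec

def detect(lines):
    """Return (timestamp, rule, subject) alerts in chronological order."""
    alerts, recent = [], {}     # recent: user -> times of suspicious activity
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        ts, kind = ev["ts"], ev["kind"]
        if kind == "login" and ts.hour not in BUSINESS_HOURS:
            alerts.append((ts, "OFF_HOURS_LOGIN", ev["user"]))
            recent.setdefault(ev["user"], []).append(ts)
        elif kind == "limit_change":
            # Any change to wire-transfer limits raises an alert.
            alerts.append((ts, "WIRE_LIMIT_MODIFIED", ev["user"]))
            recent.setdefault(ev["user"], []).append(ts)
        elif kind == "wire":
            user, amount = ev["initiator"], int(ev["amount"])
            # Large wire approved by the same account that initiated it.
            if amount > DUAL_APPROVAL_OVER and ev["approver"] == user:
                alerts.append((ts, "DUAL_APPROVAL_BYPASSED", ev["id"]))
            # Wire that closely follows suspicious activity by the initiator.
            if any(ts - t <= WINDOW for t in recent.get(user, [])):
                alerts.append((ts, "WIRE_AFTER_SUSPICIOUS_ACTIVITY", ev["id"]))
    return alerts

if __name__ == "__main__":
    for ts, rule, subject in detect(EVENTS):
        print(ts.isoformat(), rule, subject)
```

The wire from the account that logged in off-hours and raised its own limit triggers every rule, while the daytime wires with a separate approver or a small amount raise nothing.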
Tubin says remote employee access and bring-your-own-device practices should be among institutions' primary focuses in addressing malware attacks.
"Fraudsters are going to target bank employees because they can get access to so much information," he says. "The perfect combination for them is to target an employee, and an employee who works remotely is an easier target than a customer. ... Vendors have been telling banks this for a long time, but it sometimes takes an alert like this to get their attention."