FBI Warns of New Fraud ScamZeus Variant Can Defeat Two-Factor Authentication
The Zeus variant used: a malware called Gameover, which the FBI says is able to defeat several forms of dual-factor authentication.
To protect themselves, the FBI suggests consumers and businesses pay attention to suspicious e-mails. In the case of the Gameover attacks, e-mails purporting to come from NACHA-The Electronic Payments Association contained malicious links. NACHA does not traditionally send e-mails directly to businesses or consumers. Receipt of a direct e-mail from an organization such as NACHA should raise a red flag.
But according to the FBI's Denver Cyber Squad, it's not just phishy e-emails and dual-factor get-arounds that have made the Gameover attacks forces to be reckoned with. As it turns out, the fraudsters behind this scheme combined a number of tactics, including the use of money mules and denial of service attacks, to con businesses and banks out of funds.
"After the accounts are compromised, the perpetrators conduct a distributed denial of service (DDos) attack on the financial institution," the FBI states. "The belief is the DDoS is used to deflect attention from the wire transfers, as well to make them unable to reverse the transactions."
Over the past two weeks, since the Gameover scheme was discovered, the FBI has tracked fraudulent wire transfers routed to high-end jewelry stores. And here is where the scheme takes its twist. Money mules, which've been hired to visit these stores, where funds have been fraudulently transferred, go to pick up jewels worth the amount of the fake wire.
"A money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as pending and releases the merchandise to the mule," the FBI states. "Later on, the transaction is reversed or cancelled ... and the jeweler is out whatever jewels the money mule was able to obtain."
Connecting the Dots
Fraudsters' ingenuity in the Gameover scheme is concerning.
"We've gotten fairly good at the Red Flag rules and detecting money mules, so the attackers are now figuring out they need to stall for time to get the cash," says Mike Smith, an online security expert with Akamai Technologies.
To do that, fraudsters are launching DDoS attacks against the banking institutions, just to distract them long enough to get the money and run.
"These attacks kill the interface that the customers are used to seeing, as well as the interface the banks use, like the APIs they use to do their transfers between each other," Smith says.
Cybercriminals have figured out how to connect the dots. They are committing cross-channel fraud.
The scam relies on traditional phishing and spear-phishing tactics to get in the door. Spear-phishing e-mails are sent to executives, who oftentimes are identified via social networking channels like LinkedIn and corporate databases. Additionally, the fraudsters send massive phishing e-mails to every employee in an organization, just waiting for one with access to the corporate online banking account to click a link.
Once the malware is launched, the fraudsters can monitor keystrokes and the online bank sites those infected PCs visit.
But it's the DDoS and money mule additions that bring the fraud full circle.
"You usually see one of three things in a DDoS attack," Smith says:
- A protection racket scam, which involves an attack against an ecommerce site that blackmails the site into paying a few to stop the attack;
- An activist threat, like the ones the industry has seen waged by groups such as Anonymous against entities for social reasons;
- A political threat, which could be waged against a corporation or country by a nation state.
"This is an entirely different scenario," Smith says. "What you're seeing is that the attack is designed to slow down the businesses being defrauded and slow down the bank's response."
Dave Jevans of the Anti-Phishing Working Group says financial institutions have two theories about the reasoning behind the attacks: to shut down access and distract bank security and IT. For large institutions, the attacks likely only serve as distractions.
"For smaller banks, both are probably true," Jevans says. "But large banks have DDoS mitigation strategies in place and can ensure that customers get to their account information even during a DDoS attack."