The UK government is to test the resilience of major banks in coping with cyber attacks. A joint team at the Treasury and the Bank of England will conduct the tests and benchmark UK banks on cyber readiness. Banks have already identified that cyber attacks are the greatest threat to their business, and are an obvious target for criminals as well as politically motivated groups wanting to wreck havoc in the economy.
Distributed Denial of Service (DDoS) attacks are now being used as a smokescreen to divert the attention of bank security staff from fraudulent activity. Criminals are conducting the DDoS attack, which then serves to hide the real fraud while they syphon funds from victims’ bank accounts. I’ve previously described how DDoS attacks work here. DDoS attacks have previously only been used in politically-motivated attacks, but are now being employed to hide financially-motivated cyber fraud.
Short-lived DDoS attacks are being used to mask a bank wire payment switch takeover. This type of attack was recently highlighted by Gartner’s Avivah Litan. In a wire payment switch takeover, funds can be transferred from many accounts at once. It is conducted at the level where bank wire transfers occur, thus at a higher level than the individual account level. The DDoS attack is used to prevent bank staff immediately identifying the fraudulent transaction, so that by the time it is noticed, the funds have been withdrawn and it is too late to reverse.
Wire payment switch takeovers require administrator access, generally obtained through spear phishing attacks or from a key logging attack on in-house system administrators.
It has been reported that these DDoS smokescreen attacks are becoming increasingly popular, with 3 banks having become victims recently, and losses of several millions of dollars. DirtJumper is the $200 crimeware kit most frequently used in these DDoS attacks.
Longer DDoS attacks are being used to cover up fraudulent Automated Clearing House (ACH) transfers. These are where the criminal has obtained an individual’s bank account information by phishing or key logging the victim.
To safeguard against these attacks, administrator accounts should be protected with specific anti-spear phishing and anti-key logging measures, as well as frequent login changes, and two-factor authentication.
Retail banking customers need to be protected at the end point from account takeover attacks. Bank login details of private customers are particularly vulnerable to key logging and phishing attacks. In addition, credit card details of private customers are also vulnerable to key logging and phishing attacks whenever they are shopping online. Banks should ensure their retail customers have adequate end point protection against these threats wherever they are online, and not only when the customer is logged into the bank. Commercial bank customers require even greater security, and banks should ensure commercial customers conduct their financial affairs in a completely isolated environment, secure from all threats.
UK banks experienced a 12% increase in account fraud during 2012. The days of simply relying on end point signature-based antivirus software for protection are long gone. I encourage the Treasury and Bank of England to also include bank-supplied customer end point protection when they test and benchmark the banks.