Tuesday, March 23, 2010

Hackers Targetting Commercial Online Bank Accounts

Submitted by Ryan Barnett 3/23/2010

There have been a number of stories in the past few months that outline a growing trend with cyber-criminals - targeting the online banking accounts of businesses. As the cartoon on the right shows, stealing money from online banks is an optimal choice for savvy cyber-criminals as the yield is potentially very high and the risk of physical harm associated with attempting to rob a brick-and-mortar bank is removed.

Two such stories come from ComputerWorld and outline how two companies had money transferred out of their accounts to foreign countries. The first one tells how the TD Bank account of the town of Poughkeepsie, NY was breached by hackers and approximately $378,000 was transfer out of the account. The other example describes how Plano, TX Hillary Machinery Inc had approximately $800,000 transferred from its PlainsCapital online account.

So, how were the cyber-criminals able to obtain access to these online bank accounts? Details are scarce however it appears that the criminals used valid credentials. A likely source would be a Man-in-the-browser (MitB) type of attack from something like Zeus which infects client computers and monitors web activity and can steal and even manipulate web data. Brian Krebs from the Washington Post has been following these trending stories for about 9 months now and this blog post seems to corroborate the attack method of MitB types of malware stealing banking credentials.

From a web application defense perspective, since the attackers used legit credentials during the transactions, other types of fraud/anomaly detection mechanisms should be employed. In both example incidents, the fact that these transactions were initiated from computers in other countries (Itally/Romania) and transferring money to over-seas accounts should have raised some sort of red-flags.

Bottom line - user must take extra precautions when accessing online banking accounts such as not using your standard web browser that you use for web surfing and instead using a sand-boxed web browser sessions (in an application such as VMware).

1 comment:

Benjamin Wright said...

Ryan: Plainscapital Bank v. Hillary Machinery is one of the most unusual lawsuits in the history of IT. The bank sued the (apparent) victim. But the victim struck back with powerful Internet PR. The case demonstrates the role of public communications in cyber-heist incidents.