
David Jevans explains the growing challenge of protecting corporate online banking from next generation malware.
“Symantec detected over 70,000 variants of the Zeus Trojan in 2009”
-David Jevans
In 2009, organized cyber crime rings began to shift away from massive phishing attacks against consumer banking users and instead target bigger fish - corporate banking users. The cybercriminals use advanced malicious software (malware) to attack the computers of finance professionals in companies and government agencies. If a computer that is used to access a commercial online banking service becomes infected, the attackers can effectively take over the corporate financial accounts in real time by hijacking active banking sessions and issuing commands for funds transfers.
Documented losses to corporate banking customers from fraudulent wire transfers initiated in the USA by next-generation malware on corporate computers have ranged from $10,000 to over $1,000,000 per incident. Much of this money was successfully transferred to 'money mule' accounts overseas and was never recovered. It is far more lucrative for cyber criminals to make numerous $9000 transfers from a single corporate bank account than to try to hijack thousands of consumer accounts and make small money transfers. It is also reasonable to expect that online corporate banking fraud will track historical online consumer banking fraud patterns and will grow dramatically over the next several years.
Commercial online banking malware comprises a number of new families of malicious Trojans such as URLzone, Zeus, Zbot, SilentBanker, Bugat and Clampi. These Trojans target users who log into commercial online banking systems. Not only do they steal authentication credentials, but they defeat authentication processes by waiting until after a victim has logged into their account successfully and then hijacking the live session. These 'man-in-the-browser' Trojans will also rewrite the web browser pages that a victim sees, and will often request secondary authentication credentials, such as secret questions and answers, that can later be used to change the login credentials.
By performing fraudulent transactions from a victim's own computer, and using live authenticated sessions, this next generation of corporate banking Trojan is able to defeat the security defenses that banks have employed to protect consumers against phishing fraud. Those consumer protection measures include device ID, computer fingerprinting, geo-location, challenge questions and lightweight multi-factor authentication.
In August 2009, members of the Financial Services Information Sharing and Analysis Center (FS-ISAC) received a notification from NACHA (the Electronic Payments Association, representing nearly 11,000 financial institutions) and the Federal Bureau of Investigation (FBI) warning: "In the past six months, financial institutions, security companies, the media, and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small- and medium-sized businesses."
Malicious Trojans make deep use of Windows operating system capabilities to carry out their attacks. They monitor process tables for running Internet Explorer and Firefox processes, and use Windows operating system hooks to detect when the victim is visiting the website of a targeted financial institution. Man-in-the-browser injection is used to rewrite the bank's web pages in order to trick users into divulging challenge questions and answers, and even one-time passwords.
The malware on the user's computer rewrites the web page following a successful login to request further information. That information is sent directly to the fraudster and is never submitted to the bank's web banking system.
Routes of infection
Security firm Symantec detected over 70,000 different variants of the Zeus Trojan in 2009. This makes it extremely difficult for anti-virus products to accurately detect the malware, as there are thousands of new variants released by cyber criminals every month.
There are many vectors for finance professionals to get their computers infected with a corporate banking Trojan. The most common way is to receive email messages that appear to be legitimate, but that actually take a user to a website that installs the malicious software onto their computer. One example of such an email, used to distribute the Zeus banking Trojan, looked like it came from Microsoft and urged recipients to click on a link to install a Microsoft Windows security update. Because the email looked similar to how Microsoft actually reports security updates on its website, many users were tricked into clicking on the link and installing the malware.
Another email scheme to get people to install malicious software is the use of fake news alerts. For example, when famous pop star Michael Jackson passed away in 2009, scammers sent billions of email messages about the event. If a finance professional received one of those emails, and clicked on the links inside the message to read about Mr. Jackson's death, they were taken to websites that downloaded and installed malware onto their computer.
What are the risks?
Because the actual losses for breaches of corporate online banking security are large, it is easy to focus on those as the tangible risk to financial institutions. But the reality is that there are larger risks and costs to financial institutions. If a corporate customer experiences a loss due to malware, they are likely to blame their bank, claiming that the bank does not have adequate security protections. In fact, recent months have seen numerous lawsuits being filed by companies that have suffered losses. Some of these lawsuits have been publicized in the media, and are drawing attention to the problem.
If a bank loses the business of a corporate customer to a competitor, either due to a fraudulent transaction against the customer, or due to fear that they may be defrauded if banking online, the losses to the bank in fee income from that corporate customer can far outweigh any fraud losses. Furthermore, the reputational loss to the bank can have dramatic repercussions in lost customers and a decrease in new business.
The NACHA guidance (see What Can Be Done?) provides sound recommendations for how to protect users of corporate online banking systems. However, it is unrealistic to think that all banking transactions in a company will be performed from a "standalone, hardened, and locked-down computer," even if a company had the security expertise to configure such a computer. Corporate controllers need the ability to read spreadsheets and payment requests on their computer when entering transaction information. Solutions are needed that isolate the corporate banking environment from the host PC but still allow controllers and finance professionals to access their ERP and accounting systems on the host.
One potential solution may be the use of desktop virtualization. Inside a virtualized environment, a second operating system could be run that could be hardened against malware threats. This could allow finance professionals to avoid altering their daily workflow, yet could provide a secure separated environment for accessing commercial banking sites.
Combining virtualization with strong authentication and active anti-malware technologies may be a way to not only defeat current corporate banking malware, but could also provide a new platform for defending against future malware threats. What is certain is that cyber criminals are continuing to advance their technological capabilities and their social engineering techniques to raise Internet fraud to new levels. The computer security and operating system industries need to take a fundamentally new approach to jumping ahead of the criminal underground, instead of continually playing catch-up.
What Can Be Done?
A series of recommendations were issued by NACHA in December 2009 on ways that financial institutions can prevent corporate bank account fraud over the Internet. Those recommendations include:
1. Carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.
2. Deploy multi-factor authentication for business accounts that are permitted to initiate funds transfers.
For example:
- Something the person knows (user ID, PIN, password)
- Something the person has (password-generating token, USB token)
3. Ensure that all anti-virus and security software and mechanisms for all computer workstations and laptops that are used for online banking and payments are robust and up-to-date.
4. Require two users to initiate a transaction.
5. Companies should review transaction reports on a daily basis to detect fraud.
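As an added illustration of recommendations 4 and 5 (not part of the article or of NACHA's guidance), the following script applies two of those controls to a constructed daily transfer report: it flags every transfer released without an independent second approver, and flags days on which one account sends a cluster of payments to previously unseen beneficiaries or a cluster of amounts just under a reporting threshold, the "$9000 transfer" pattern the article describes. The $10,000 threshold, the record layout and the sample data are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed reporting threshold for the example; the article describes repeated
# transfers of roughly $9,000, so amounts just below it are treated as a signal.
THRESHOLD = 10_000.0
NEAR_FRACTION = 0.8  # 80% of THRESHOLD and above counts as "just under"


@dataclass
class Transfer:
    date: str              # YYYY-MM-DD (constructed layout, not a real bank format)
    account: str           # originating corporate account
    beneficiary: str       # destination account identifier
    amount: float
    initiator: str         # user who entered the transfer
    approver: str          # second user who released it ("" if nobody did)
    new_beneficiary: bool  # True if this destination has never been paid before


def review_daily_transactions(transfers):
    """Return (date, account, reason) alerts for a day's transfer report."""
    alerts = []
    per_day = defaultdict(list)
    for t in transfers:
        # Control 4: two distinct users must be involved in every transfer.
        if not t.approver or t.approver == t.initiator:
            alerts.append((t.date, t.account,
                           f"no independent second approver for {t.amount:.2f} to {t.beneficiary}"))
        per_day[(t.date, t.account)].append(t)
    # Control 5: daily review of each account's batch for fraud patterns.
    for (date, account), batch in per_day.items():
        new_dests = {t.beneficiary for t in batch if t.new_beneficiary}
        if len(new_dests) >= 2:
            alerts.append((date, account, f"{len(new_dests)} new beneficiaries in one day"))
        near = [t for t in batch if NEAR_FRACTION * THRESHOLD <= t.amount < THRESHOLD]
        if len(near) >= 2:
            alerts.append((date, account, f"{len(near)} transfers just under {THRESHOLD:.0f}"))
    return alerts


# Constructed sample report: one routine payment, then three mule-style transfers.
SAMPLE = [
    Transfer("2010-03-01", "ACME-OPS", "VENDOR-A", 4200.00, "alice", "bob", False),
    Transfer("2010-03-01", "ACME-OPS", "MULE-1", 9000.00, "alice", "alice", True),
    Transfer("2010-03-01", "ACME-OPS", "MULE-2", 8950.00, "alice", "", True),
    Transfer("2010-03-01", "ACME-OPS", "MULE-3", 9100.00, "alice", "", True),
]

if __name__ == "__main__":
    for alert in review_daily_transactions(SAMPLE):
        print(*alert)
```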
David Jevans is Chairman of the Anti-Phishing Working Group (www.antiphishing.org) and Chief Executive Officer of IronKey (www.ironkey.com).