The latest in cybercrime? Fully automated bank heists
Cybercriminals have been stealing passwords to siphon off bank accounts for years, but cybercops were gaining. Now an automated system could vastly expand online bank heists.
(Page 2 of 2)
That approach has worked well for the cyber bank robbers. The Federal Bureau of Investigation reported in September it was investigating 400 criminal wire transfers that attempted to steal more than $255 million from US business bank accounts, although actual losses were closer to $85 million.
Cybercops seemed recently to be gaining on the cyber bank robbers, limiting their ability to grab the cash electronically. Over the past three years, the percentage of account takeover cases in which fund transfers were halted before they could leave the financial institution grew from 24 percent in 2009 to 41 percent in 2011, the Financial Services Information Sharing and Analysis Center, an industry group, reported recently.
But the newly automated process discovered in January holds potential to vastly expand online bank heists. To start with, there's no longer a need to have a bad guy on the other end of a mouse in Kiev, or wherever, to personally plug the stolen information into a Web browser. Instead, automated versions of Zeus and SpyEye instantly compose a fraudulent transfer request while the victim is still logged onto the computer – making it look to the bank as though the individual is responsible for the transfer, the report says.
But before the heavily automated robotic attacks can begin, criminals do research to find the rich businesses and individual accounts they want to target. Targeted individuals are then sent "spear-phishing" e-mails that appear to come from an associate, but which contain a link that, if clicked on, downloads the malicious computer code.
Once on the victim’s computer, the automated version of Zeus or SpyEye prompts the victim during the login process for any additional information needed to send a wire transfer. It collects not only the login and password being typed in, but also prompts the victim to supply a special number from a digital token – a process called "two factor" authentication that European banks have long used to authenticate transfers.
Soon after, the victim sees a "Please wait..." or "System under maintenance" message appear on the screen. But the malicious software is just stalling the user, and while he or she waits, it automatically executes the wire transfer in the background using the legitimate digital token number, password, and any other data the user just entered.
Unlike in Europe, banks in the US typically don't require a second piece of identifying information for authentication of a wire transfer. In either case, the software allows cyber bank robbers to sit back and watch as private data collected from victims logged into their accounts allows money to sail automatically into accounts they control.
There are exceptions, of course. When an unusually fat account comes into view, a human operator can step in to vastly raise the amount of the fraud from a small percentage, typically programmed into the system for 3 percent or less to avoid tripping the bank's alert system, says Dave Marcus, director of advanced research and threat intelligence at McAfee.
"It's clear that the people who put this together had a good understanding of banking platforms and the transaction process," Mr. Marcus says. "From the bank's perspective, it was you that logged in, you that initiated that wire transfer."
Still, he says, the automated thefts, some of which dated back more than a year in computer logs that McAfee has examined, can be defended against. The mere discovery of the automated system should enable banks to take steps to detect such measures more easily, he says.