Cybercriminals are trying something new at the bank: fully automated online heists.
In a new twist on a familiar online banking cybercrime threat, computer criminals are rolling out a new system targeting businesses’ and high-net-worth individuals' bank accounts in the US and Europe, security analysts say. The new system siphons the accounts using new, highly automated crime-ware that requires no human intervention.
Since January, when the process was discovered, a dozen cybergangs using this new robo-bank-heist rip-off technique have attempted at least $78 million in fraudulent wire transfers from accounts at 60 or more financial institutions worldwide, according to a new report by McAfee Labs, the Santa Clara, Calif., cybersecurity firm, and Guardian Analytics, a Los Altos-Calif.-based firm. Total attempted fraud could be as high as $2.5 billion.
But that's just the start. The wave of automated attacks has been rolled out in the US over the past 60 days, reports McAfee, which dubbed it the “High Roller” scheme. Credit Unions, big banks, and even regional banks were targeted in the European Union, Latin America, and now in the United States, the company found.
“With no human participation required, each attack moves quickly and scales neatly,” the report says. “This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term ‘organized crime.’ ”
After striking in Italy and Germany, cybercriminals focused on the Netherlands, where computer logs showed criminals had attempted to withdraw $44 million from more than 5,000 accounts, primarily of businesses, in two banks. It’s not clear how much was actually stolen.
In March, researchers discovered that a San Jose-based server linked ultimately to a Russian Internet service provider was being used for fraudulent transactions in the Netherlands – and also to target at least 109 financial institutions in the US.
Computerized bank heists aren’t new, of course. Crime-ware programs like Zeus and SpyEye that infiltrate personal computers to steal personal banking credentials, including passwords and login information from unsuspecting users, have been a problem for years. Recording users’ keystrokes when they log remotely onto their accounts, the crimeware transmits the stolen personal banking data back to the cyberthieves.
Under that familiar scenario, a bad guy plops down at his own computer terminal to use the stolen passwords to fraudulently log onto the target account. He then transfers funds to the accounts of “money mules,” who pass the stolen funds along to the criminals, less their fee.
That approach has worked well for the cyber bank robbers. The Federal Bureau of Investigation reported in September it was investigating 400 criminal wire transfers that attempted to steal more than $255 million from US business bank accounts, although actual losses were closer to $85 million.
Cybercops seemed recently to be gaining on the cyber bank robbers, limiting their ability to grab the cash electronically. Over the past three years, the percentage of account takeover cases in which fund transfers were halted before they could leave the financial institution grew from 24 percent in 2009 to 41 percent in 2011, the Financial Services Information Sharing and Analysis Center, an industry group, reported recently.
But the newly automated process discovered in January holds potential to vastly expand online bank heists. To start with, there's no longer a need to have a bad guy on the other end of a mouse in Kiev, or wherever, to personally plug the stolen information into a Web browser. Instead, automated versions of Zeus and SpyEye instantly compose a fraudulent transfer request while the victim is still logged onto the computer – making it look to the bank as though the individual is responsible for the transfer, the report says.
But before the heavily automated robotic attacks can begin, criminals do research to find the rich businesses and individual accounts they want to target. Targeted individuals are then sent "spear-phishing" e-mails that appear to come from an associate, but which contain a link that, if clicked on, downloads the malicious computer code.
Once on the victim’s computer, the automated version of Zeus or SpyEye prompts the victim during the login process for any additional information needed to send a wire transfer. It collects not only the login and password being typed in, but also prompts the victim to supply a special number from a digital token – a process called "two factor" authentication that European banks have long used to authenticate transfers.
Soon after, the victim sees a "Please wait..." or "System under maintenance" message appear on the screen. But the malicious software is just stalling the user – and while he or she waits – it automatically executes the wire transfer in the background using the legitimate digital token number, password, and any other data the user just entered.
Unlike in Europe, banks in the US typically don't require a second piece of identifying information for authentication of a wire transfer. In either case, the software allows cyber bank robbers to sit back and watch as private data collected from victims logged into their accounts allows money to sail automatically into accounts they control.
There are exceptions, of course. When an unusually fat account comes into view, a human operator can step in to vastly raise the amount of the fraud from a small percentage – typically programmed into the system for 3 percent or less to avoid tripping the bank's alert system, says Dave Marcus, director of advanced research and threat intelligence at McAfee.
"It's clear that the people who put this together had a good understanding of banking platforms and the transaction process," Mr. Marcus says. "From the bank's perspective, it was you that logged in, you that initiated that wire transfer."
Still, he says, the automated thefts, some of which dated back more than a year in computer logs that McAfee has examined, can be defended against. The mere discovery of the automated system should enable banks to take steps to detect such measures more easily, he says.