EU cyber security agency ENISA; “High Roller” online bank robberies reveal security gaps.
Many online banking systems dangerously rely on PCs being secure, but banks should instead presume all customer PCs are infected, says the EU’s cyber security agency ENISA in response to the reports about the “High Roller” cyber-attack.
Statistics on Zeus: Only ca 40% of Zeus malware is detected.
The recent, targeted “High Roller” cyber-attacks on wealthy corporate bank accounts yielding tens of millions of dollars was analysed in a report recently published by McAfee and Guardian Analytics. The report describes the technical details and the impact of a series of cyber-attacks. The old adage that “criminals go where the money is” today means that “bank robbers go online”, as the Executive Director of ENISA, Professor Udo Helmbrecht states. It should come as no surprise that large organized crime groups are targeting online banking sites. Still, the attacks drew much attention, for three reasons.
1) Highly automated: The attackers reduced manual intervention to a minimum, relying mostly on automation. The attacks were also fast and easily missed by the user.
3) Targeted: Only PCs from users with corresponding high balances were targeted (e.g. around 5000 PCs in the Netherlands).
The cyber-attacks had three phases. First, targets were identified using online reconnaissance and (spear) phishing. Victims with access to high balance accounts (hence the name “High Rollers”) were singled out. Secondly, malware (SpyEye, Zeus and Ice 9) was loaded onto the victim’s PC - tailor customised for the victim’s online banking websites. The malware was triggered when the victim started an online banking session. SpyEye, Zeus and Ice 9 are common types of malware toolkits, tailored for this attack. Later, automated fraudulent transactions were carried out in the name of the user and hidden from them behind warning and waiting messages. The malware transfers sums from savings accounts to checking accounts, then to mules abroad who take the cash and send it onwards using person-to-person money transfer (such as Western Union). A detailed technical analysis and set of recommendations from McAfee and Guardian Analytics can be found online.
1. Assume all PCs are infected. The attacks used Zeus, which is a Do-It-Yourself virus kit available for around a thousand EUROs. Zeus has been an off the shelf virus around since 2007 and the detection rate is low . For a bank, in the current situation it is safer to assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this.
2; Secure online banking devices: Many online banking systems, some with one-time transaction codes, calculators or smartcard readers, work based on the assumption that the customer’s PC is not infected. Given the current state of PC security, this assumption is dangerous. Banks should instead assume that PCs are infected, and still take steps to protect customers from fraudulent transactions. For example, a basic two factor authentication does not prevent man-in-the-middle or man-in-the-browser attacks on transactions. Therefore, it is important to cross check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device (e.g., an SMS, a telephone call, a standalone smartcard reader with screen). Even smartphones could be used here, provided smartphone security holds up.
3. Strong cooperation needed to take down global command centres: The cyber-attack was carried out using command and control servers dynamically located across the globe, using e.g. fast flux botnets and bullet proof hosting providers. Criminals use these tricks to make law enforcement and notice-and-takedown more complicated. Therefore, strong global collaboration, both in terms of prevention and in terms of response is needed. ENISA works on fostering closer ties and more information exchange between national Computer Emergency Response Teams (CERTs), law enforcements and between EU countries to improve incident response across borders.
Preventing cyber-attacks is important, but it is also necessary to be prepared for when attacks happen. ENISA has been working with the different EU member states to ensure every country has well-functioning CERTs to handle cyber security incidents. ENISA organizes large scale international cyber security exercises (for example Cyber Europe 2010, Cyber Atlantic 2011, and the upcoming Cyber Europe 2012) to increase international collaboration against large-scale security incidents. ENISA is also working with member states to improve incident reporting to get more transparency about the causes, the frequency and the impact of past incidents. Currently consumers, businesses and policy makers are forced to make rough estimates. The EC recently announced a forthcoming strategy for Internet security, addressing the possibility of extending Article 13a (mandatory incident reporting and security measures) beyond just the electronic communications sector.
Looking forward, browser security and smartphone security will play an increasingly important role as more and more transactions are being carried out on smartphones or tablets. The rapid adoption of smartphones offers an important opportunity to improve end-point security (for example by using vetted appstores or by using smartphones as second factors) but we should not take smartphone security for granted.