We have observed that increasingly sophisticated cyberattacks are being directed at the on-line banking systems of our clients. In particular, targeted attack mechanisms which are either new or which have been modified so they are not recognizable to antivirus software.
This new cyberthreat requires changes in cybersecurity practice to ensure that you are not victimized, suddenly discovering that criminals have compromised and emptied your bank account. Historic cybersecurity practices, including antivirus deployment, security patch maintenance, and token-based authentication to banking websites, should be continued. However, they are not sufficient alone to protect against this cyberthreat.
Sophisticated cyberattacks are now targeted at smaller companies
The most determined and sophisticated thieves will selectively target potentially rich clients hoping to completely take over the computer of a person with access to the firm’s bank accounts. They will use an old exploit customized in such a way that it is different enough to be unrecognizable to antivirus products.
Alternatively, they may pay for new vulnerabilities with no defense in place for this never-before-seen attack. Criminals may use publicly available information, for example the on-line bio’s of company executives, to specifically target people who likely control access to the firm’s bank accounts.
Gaining control of any PC within the targeted organization gives the criminal considerable leverage to identify and compromise the computer of a person with access to the firm’s bank accounts. For example, they can look for company phone lists on server drives or read the e-mail of the person who fell victim to them to identify the individuals in finance.
At that point, the criminal could even send an attack by e-mail from the compromised employee’s computer to the folks in finance, which would certainly appear trustworthy. Targeting their cyberattack against a limited set of individuals helps keep the criminal’s particular methodology beneath the radar of companies like Microsoft and Symantec making it more likely they will succeed.
Once the criminal has control of the computer of an executive with banking access they must still have considerable skill to carry out their cybertheft. They must be patient enough to wait for a day where the firm’s accounts have a relatively large sum in them. Further, almost all business banking requires secondary authentication using a one-time code from a fob. In order to complete their cybercrime, the criminal must project to the user a spoofed website which appears to be that of their bank.
As the password and one-time key are entered the cybercriminal intercepts these and injects these into the real bank website, allowing him to transfer funds to his own account. Such transfer may go undetected by the bank if it is sufficiently small and appears not to be irregular. For example, a common exploit is to add non-existent people to a firm’s payroll. Note that compromising the payroll list could be an easy end run around bank security, possibly carried out by attacking an HR management system, which is likely to be less strongly defended.
Historically, attacks requiring such sophistication were only employed against very high value targets, large corporations or those with particularly valuable electronic assets. For example the attack against RSA, which was carried out to gain information which allowed criminals to target Lockheed, presumably to conduct espionage related to Department of Defense secrets. However, we have directly observed that criminal capability has improved to the point where even firms of under $50 mm / yr can be cost effectively targeted.
Security practices required to defend against on-line banking cybercrime
These practices in combination will defend against almost all on-line banking cyberattacks:
| • | Ensure that computer operating systems are patched and have active and up to date antivirus software. |
| • | Use both password and token based authentication for your banking website. Switch banks if token based authentication is not available. |
| • | Require secondary authorization of all on-line banking transactions – one person initiates the transaction and one person completes it. Use separate computers for each part of the process. |
| • | Require that one approval be done using a computer dedicated only to on-line banking. Restrict this computer so that it cannot be used for any other purpose. |
| • | Require your bank to confirm any transactions over a certain limit, determined by your risk tolerance, using off-line methods (fax, phone call). |