In September 2012, the FBI warned financial institutions about malware attacks targeting bank employees to steal their login credentials. Although financial malware such as Zeus and SpyEye has been used to attack online banking customers for years, using these tools to commit fraud directly against financial institutions by compromising bank employee accounts is relatively new. Because banks are generally doing a better job of protecting customers against malware, criminal gangs are looking for another entry point. They are now turning their attention to bank employees, using the same advanced malware, the same extensive money mule networks (people who transfer funds stolen from online banking accounts to the criminals) and the same money laundering techniques they already use to commit fraud against online banking users.
Advanced Malware Battle
The FBI alert specifically mentions two types of malware: keyloggers and remote access tools (RATs). While keylogging (recording the keystrokes typed by the victim) has existed for many years, RATs (which give the attacker remote access to, and control of, an infected computer) are a relatively new addition to financial malware toolkits. They have been added specifically to enable pre-attack reconnaissance and to target non-browser-based applications, such as email clients, on employee computers.
Compromising employee devices (PCs and laptops) is relatively straightforward. Cybercriminals use phishing emails to trick users into opening malware-laden documents or clicking embedded links that lead to websites serving malware. They also compromise legitimate websites so that merely visiting a page infects the visitor's device (a drive-by download). Once a victim lands on such a page, popular exploit kits such as Blackhole probe the browser and its plugins for a range of vulnerabilities and then deliver the matching exploit to install malware silently. Cybercriminals target both undisclosed (zero-day) and disclosed-but-unpatched vulnerabilities to bypass the system restrictions that would otherwise prevent these infections.
Most financial institutions implement controls such as anti-virus protection on endpoint devices and intrusion prevention systems (IPS) on the network, both of which are evaded by readily available malware kits. Trusteer Intelligence has found that up to 4 percent of employee devices at a typical financial institution can become infected with dangerous data-stealing malware over the course of a year. Most financial institution security professionals understand that anti-virus solutions are ineffective against advanced data-stealing malware that is specifically designed to evade them. Evidence of this is readily apparent on bank customers' computers, which are continuously infected with malware despite running up-to-date anti-virus software.
Unfortunately, even anti-malware solutions such as sandboxing (running suspicious files in an isolated container on the computer) and virtual machine analysis (inspecting suspicious files on a separate, isolated system) are not very effective. Worse, these solutions require considerable information technology (IT) management oversight to analyze suspicious files and to respond to employees who are prevented from running legitimate but blocked applications on their computers. Additionally, network-based security approaches such as intrusion prevention systems only function while the endpoint device is connected to the corporate network. Many employees use corporate devices to connect to the Internet when they are outside the office (e.g., at home or while traveling). In fact, a large Trusteer customer recently told us that its corporate-issued employee laptops have ten times the malware infection rate of its employee desktops.
To Protect the Enterprise, Secure the Endpoints
Knowing that cybercriminals are targeting employee devices, financial institutions must detect and remove the malware before it can do harm. Malware can cause damage only while it is executing on the endpoint, whether a laptop or a mobile phone, and once it executes it reveals itself through its behavior. Although we cannot fully prevent malware from infecting a device, we can determine when malware is running, provided we know what to look for. This means real-time, persistent monitoring of the device for active malware, and specifically for malware that seeks to compromise a bank's critical internal IT systems.
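The "what to look for" in the paragraph above can be made concrete. The following is an added example, not Trusteer's product logic and not code from the original article: a heuristic scorer over constructed per-process endpoint telemetry that flags the behaviors the two malware classes in the FBI alert exhibit (a global keyboard hook for keyloggers; code injection and an outbound beacon from a non-browser process for RATs) together with the delivery and persistence traits described earlier on this page. The record schema, weights, thresholds, file paths, IP addresses and sample processes are all assumptions made for illustration.

```python
"""Heuristic triage of running processes for active data-stealing malware.

Added example; the telemetry schema, indicator weights and sample records
below are constructed for illustration and are not from any real product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One record per running process, as an EDR agent or Sysmon-style collector
# might report it. Field names are assumptions.
@dataclass
class ProcessRecord:
    pid: int
    image_path: str
    signed: bool                       # Authenticode signature present and valid
    parent_image: str
    remote_endpoints: List[str] = field(default_factory=list)  # "ip:port"
    hooks: List[str] = field(default_factory=list)             # e.g. "WH_KEYBOARD_LL"
    persistence: List[str] = field(default_factory=list)       # autorun keys naming this image
    injected_into: List[str] = field(default_factory=list)     # processes it wrote code into

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_process(rec: ProcessRecord) -> Tuple[int, List[str]]:
    """Return (score, reasons). Weights are illustrative, not calibrated."""
    path = rec.image_path.lower()
    name = _basename(path)
    parent = _basename(rec.parent_image)
    hits: List[Tuple[str, int]] = []
    if any(d in path for d in USER_WRITABLE):
        hits.append(("image runs from a user-writable directory", 2))
    if not rec.signed:
        hits.append(("image is not code-signed", 1))
    if name in SYSTEM_NAMES and not path.startswith("c:\\windows\\"):
        hits.append(("system binary name outside C:\\Windows (masquerading)", 3))
    if parent in DOCUMENT_APPS | BROWSERS:
        # A document viewer or browser spawning an executable is the classic
        # phishing-attachment or drive-by delivery chain.
        hits.append(("spawned by %s: document or drive-by delivery" % parent, 3))
    if KEYBOARD_HOOKS & set(rec.hooks):
        hits.append(("global keyboard hook installed: keylogger behaviour", 4))
    if rec.injected_into:
        hits.append(("code injected into %s" % ", ".join(rec.injected_into), 4))
    if rec.persistence:
        hits.append(("autorun persistence entry", 2))
    if rec.remote_endpoints and name not in BROWSERS:
        # Weak on its own (VPN and update clients beacon too), so low weight;
        # it becomes meaningful combined with the indicators above.
        hits.append(("outbound connection from a non-browser process", 2))
    return sum(w for _, w in hits), [r for r, _ in hits]


def verdict(score: int) -> str:
    if score >= 10:
        return "infected"
    if score >= 5:
        return "suspicious"
    return "clean"


def triage(records: List[ProcessRecord]) -> Dict[int, Tuple[str, int, List[str]]]:
    out = {}
    for rec in records:
        s, reasons = score_process(rec)
        out[rec.pid] = (verdict(s), s, reasons)
    return out


# Constructed sample telemetry: a clean browser, a keylogging RAT masquerading
# as svchost.exe, a legitimate signed VPN client, and a just-opened dropper.
SAMPLE_RECORDS = [
    ProcessRecord(1204, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", True,
                  "C:\\Windows\\explorer.exe", remote_endpoints=["198.51.100.10:443"]),
    ProcessRecord(3320, "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\svchost.exe", False,
                  "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE",
                  remote_endpoints=["203.0.113.5:8080"], hooks=["WH_KEYBOARD_LL"],
                  persistence=["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
                  injected_into=["iexplore.exe"]),
    ProcessRecord(2208, "C:\\Program Files\\ExampleVPN\\vpnclient.exe", True,
                  "C:\\Windows\\explorer.exe", remote_endpoints=["192.0.2.1:443"]),
    ProcessRecord(4120, "C:\\Users\\jdoe\\Downloads\\invoice_2012_09.pdf.exe", False,
                  "C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE",
                  remote_endpoints=["203.0.113.7:80"]),
]

if __name__ == "__main__":
    for pid, (v, s, reasons) in triage(SAMPLE_RECORDS).items():
        print("pid %d: %s (score %d)" % (pid, v, s))
        for r in reasons:
            print("    - " + r)
```

The point of the scoring is that no single indicator is decisive: a signed VPN client beacons outbound and stays "clean", while the fake svchost.exe accumulates the delivery, persistence, hooking and injection traits and is flagged regardless of whether any anti-virus signature matches it. A real deployment would feed such hits to the fraud team rather than auto-remediate, and would tune the weights against the institution's own baseline of legitimate software.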
Bank boards should ensure that their IT security and fraud prevention teams are aware that criminals are attacking bank employee computers to commit fraud. These teams should be able to articulate the defense mechanisms in place to prevent malware from infecting employee computers (both desktops and laptops). They should also have protection measures deployed that prevent an infected computer from being used to compromise other systems on the corporate network. Boards should expect the bank to be protected by several layers of security that use multiple technologies, periodic threat assessments, and a detailed mitigation plan in case fraud does occur.