Attacks/Breaches

9/30/2008 09:45 AM
Attackers Mix Online, Offline Exploits to Mask Financial Fraud

Cybercriminals split the attack cycle into pieces that may appear unrelated in order to evade detection

The most sophisticated targeted attacks aren’t all about the hack -- they start with clever reconnaissance, both online and offline, to learn as much about the victim as possible. And financial institutions are increasingly getting burned by seemingly unrelated online and offline activities that blend together to execute major fraud.

It isn’t just about someone siphoning your password with a keylogger or phishing attack. Professional cybercriminals are deploying multichannel attacks that split the attack cycle into pieces that may not look like they're related -- snooping on an account online to study a banking customer’s signature and then forging that signature in a fax request to wire funds from the customer’s account to the attacker’s, for instance, says Diana Kelley, partner with Security Curve, a security consulting firm.

This combination of offline and online activity lets the attacker stay under the radar of forensics and other incident tracking: the money leaves through wire transfers and ATM transactions, for instance, rather than through a purely online transaction with the bank, so no single channel shows the whole picture.

“It’s hard for financial institutions to trace [this]... [when] somebody gets into an account online and looks around for information on an account” but doesn’t actually make any transactions, Kelley says. “They can then use a lot of that information to start doing more effective offline attacks. If you know how much money a victim has in [an] account” you could withdraw that offline, says Kelley, who this week published a white paper on the subject on behalf of Guardian Analytics, which provides online fraud and risk management products.
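The detection gap Kelley describes is that each channel's own controls see only a benign-looking fragment: a read-only online session on one side, a routine-looking faxed wire on the other. The following is an added example, not code from the article, from Guardian Analytics or from Security Curve, of how a bank's fraud analytics might correlate the two. The event schema, the channel and action names, the 14-day window and the $5,000 threshold are all assumptions, and the events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One customer interaction on any channel (assumed schema)."""
    customer: str
    channel: str      # "online", "fax", "atm", "branch"
    action: str       # e.g. "login", "view_balance", "transfer", "wire_request"
    ts: datetime
    amount: float = 0.0


# Online actions that move no money: what a reconnaissance-only session looks like.
READ_ONLY = {"login", "view_balance", "view_statement", "view_signature_card"}
# Offline actions that take money out of the account.
OFFLINE_MONEY_OUT = {"wire_request", "withdrawal"}


def online_days(events):
    """Bucket a customer's online events by calendar day and mark each day
    True if it was reconnaissance-only (every action read-only)."""
    days = {}
    for e in events:
        if e.channel == "online":
            days.setdefault(e.ts.date(), set()).add(e.action)
    return {day: actions <= READ_ONLY for day, actions in days.items()}


def online_only_alerts(events, min_amount=5000.0):
    """A single-channel rule: large outflows initiated online. It never fires
    on the multichannel pattern, because the online sessions move no money."""
    return [e for e in events
            if e.channel == "online" and e.action not in READ_ONLY
            and e.amount >= min_amount]


def find_cross_channel_alerts(events, window_days=14, min_amount=5000.0):
    """Cross-channel rule: a read-only online session followed, within
    window_days, by a large offline outflow. Returns (customer, recon_day,
    offline_event) triples; recon_day is the most recent qualifying day."""
    by_customer = {}
    for e in events:
        by_customer.setdefault(e.customer, []).append(e)

    alerts = []
    for customer, evs in by_customer.items():
        recon_days = [d for d, read_only in online_days(evs).items() if read_only]
        for e in sorted(evs, key=lambda x: x.ts):
            if e.channel == "online" or e.action not in OFFLINE_MONEY_OUT:
                continue
            if e.amount < min_amount:
                continue
            window_start = e.ts.date() - timedelta(days=window_days)
            hits = [d for d in recon_days if window_start <= d <= e.ts.date()]
            if hits:
                alerts.append((customer, max(hits), e))
    return alerts


# Constructed sample events (not from the article).
T0 = datetime(2008, 9, 1, 10, 0)
SAMPLE_EVENTS = [
    # C-1001: looks around online, never transacts, then a faxed wire six days later.
    Event("C-1001", "online", "login", T0),
    Event("C-1001", "online", "view_balance", T0 + timedelta(minutes=2)),
    Event("C-1001", "online", "view_statement", T0 + timedelta(minutes=5)),
    Event("C-1001", "fax", "wire_request", T0 + timedelta(days=6), 48_000.0),
    # C-2002: transacts online, then a small ATM withdrawal; not the pattern.
    Event("C-2002", "online", "login", T0),
    Event("C-2002", "online", "transfer", T0 + timedelta(minutes=3), 900.0),
    Event("C-2002", "atm", "withdrawal", T0 + timedelta(days=2), 200.0),
    # C-3003: read-only session, but the offline outflow is 40 days later.
    Event("C-3003", "online", "login", T0),
    Event("C-3003", "online", "view_balance", T0 + timedelta(minutes=1)),
    Event("C-3003", "branch", "withdrawal", T0 + timedelta(days=40), 20_000.0),
]

if __name__ == "__main__":
    print("online-only rule:", online_only_alerts(SAMPLE_EVENTS))
    for customer, recon_day, e in find_cross_channel_alerts(SAMPLE_EVENTS):
        print(f"{customer}: read-only online session on {recon_day}, "
              f"then {e.channel} {e.action} of {e.amount:,.0f} on {e.ts.date()}")
```

On the sample data the online-only rule returns nothing, while the cross-channel rule flags only C-1001. The window and threshold are the tuning knobs: widening the window to 60 days also catches C-3003, at the cost of more false positives, which is the trade-off a fraud team would calibrate against its own baseline of legitimate offline activity.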

Multichannel-type attacks are nothing new. They can also include physical security and social engineering breaches, like the brand of security assessments “red team” experts like Chris Nickerson employ for their clients. Nickerson, CEO of Lares Consulting, says you need red-team testing to get the complete security picture. (See Tiger Team Member Attacks Developers, Not Apps.)

Nickerson infiltrates the application development team in a company before ever looking at their applications for vulnerabilities. “I can get into the application from the back side while on the outside, without touching” the app, says Nickerson.

Security Curve’s Kelley, meanwhile, focused specifically on financial institutions in her research. She says a rise in offline financial fraud seemed intriguing given the rise in keyloggers and other crimeware. “Is there a tie here?” she asks. “We’ve got this increase in multichannel fraud… why are they getting on people’s systems?... It may not necessarily be to get into your account directly.”

One example of this type of attack is the Coreflood botnet Trojan, which is notorious for performing reconnaissance on its victims, she says. Coreflood has stolen user account information, Webpage content, digital credentials, and browser cookies, for instance. And it made sure the server it used appeared to be from the same geographic location as the victim.

“Coreflood is trying to steal financial information, and has stayed under the radar pretty well. It’s not in-your-face sending out emails,” said Joe Stewart, director of malware research for SecureWorks, in a recent interview. Stewart, who has tracked Coreflood closely for some time, says Coreflood’s attackers know a lot about their victim, including his or her company’s name, and their Windows machine’s registration information, for instance. “They are very aware of who[m] they are infecting,” Stewart said. (See Malicious Botnet Stole Bank, Credit Union Credentials.)

Kelley says banking customers can protect themselves from these multipronged -- and often silent -- attacks with the usual best practices: updated antivirus and anti-spyware, patching your machine, and never clicking on an email purportedly from a financial institution. “And talk to your financial institution about what they are doing” for anti-fraud, she says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
