
Attacks/Breaches

9/30/2008 09:45 AM

Attackers Mix Online, Offline Exploits to Mask Financial Fraud

Cybercriminals split the attack cycle into pieces that may appear unrelated in order to evade detection

The most sophisticated targeted attacks aren’t all about the hack -- they start with clever reconnaissance, both online and offline, to learn as much about the victim as possible. And financial institutions are increasingly getting burnt by seemingly unrelated online and offline activities that are blended together to execute major fraud.

It isn’t just about someone siphoning your password with a keylogger or phishing attack. Professional cybercriminals are deploying multichannel attacks that split the attack cycle into pieces that may not look like they're related -- snooping on an account online to study a banking customer’s signature and then forging that signature in a fax request to wire funds from the customer’s account to the attacker’s, for instance, says Diana Kelley, partner with Security Curve, a security consulting firm.

This combination of offline and online activity lets the attacker stay under the radar of forensics and other incident tracking: for instance, by moving the money through wire transfers and ATM transactions instead of a pure online transaction with the bank, so no single channel shows the whole attack.

“It’s hard for financial institutions to trace [this]... [when] somebody gets into an account online and looks around for information on an account” but doesn’t actually make any transactions, Kelley says. “They can then use a lot of that information to start doing more effective offline attacks. If you know how much money a victim has in [an] account” you could withdraw that offline, says Kelley, who this week published a white paper on the subject on behalf of Guardian Analytics, which provides online fraud and risk management products.
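One way a bank could surface the pattern Kelley describes is to correlate channels that are normally logged separately: a read-only online session (login, balance or statement views, no money moved) followed shortly by a wire request or withdrawal through an offline channel. The detection logic below is an added example, not code from Guardian Analytics or from the article; the event format, channel names and seven-day window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (timestamp, account, channel, action); not real bank data.
EVENTS = [
    ("2008-09-20 10:02", "acct-1001", "online", "login"),
    ("2008-09-20 10:03", "acct-1001", "online", "view_balance"),
    ("2008-09-20 10:06", "acct-1001", "online", "logout"),
    ("2008-09-24 14:30", "acct-1001", "fax", "wire_request"),
    ("2008-09-21 09:00", "acct-2002", "online", "login"),
    ("2008-09-21 09:01", "acct-2002", "online", "transfer"),
    ("2008-09-21 09:02", "acct-2002", "online", "logout"),
    ("2008-09-22 11:00", "acct-2002", "branch", "wire_request"),
    ("2008-09-01 08:00", "acct-3003", "online", "login"),
    ("2008-09-01 08:01", "acct-3003", "online", "view_balance"),
    ("2008-09-01 08:02", "acct-3003", "online", "logout"),
    ("2008-09-25 16:00", "acct-3003", "atm", "withdrawal"),
]

# Assumed action and channel vocabularies; a real system would use its own.
READ_ONLY = {"login", "view_balance", "view_statement", "view_profile", "logout"}
OFFLINE_CHANNELS = {"fax", "branch", "atm", "phone"}
def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def online_sessions(events):
    """Group each account's online events into login..logout sessions, noting whether nothing but read-only actions occurred."""
    sessions, open_session = defaultdict(list), {}
    for ts, acct, channel, action in sorted(events):
        if channel != "online":
            continue
        if action == "login":
            open_session[acct] = (parse(ts), set())
        elif acct in open_session:
            start, actions = open_session[acct]
            actions.add(action)
            if action == "logout":
                sessions[acct].append((start, parse(ts), actions <= READ_ONLY))
                del open_session[acct]
    return sessions

def flag_multichannel(events, window_days=7):
    """Return offline transactions preceded, within window_days, by a read-only online session on the same account."""
    sessions, window, flagged = online_sessions(events), timedelta(days=window_days), []
    for ts, acct, channel, action in events:
        if channel not in OFFLINE_CHANNELS:
            continue
        when = parse(ts)
        if any(ro and end <= when <= end + window for _, end, ro in sessions.get(acct, [])):
            flagged.append((acct, channel, action, ts))
    return flagged
```

In the sample data only acct-1001 is flagged with the default window: acct-2002 moved money online in its session, and acct-3003's reconnaissance session is too old unless the window is widened.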

Multichannel-type attacks are nothing new. They can also include physical security and social engineering breaches, like the brand of security assessments “red team” experts like Chris Nickerson employ for their clients. Nickerson, CEO of Lares Consulting, says you need red-team testing to get the complete security picture. (See Tiger Team Member Attacks Developers, Not Apps.)

Nickerson infiltrates the application development team in a company before ever looking at their applications for vulnerabilities. “I can get into the application from the back side while on the outside, without touching” the app, says Nickerson.

Security Curve’s Kelley, meanwhile, focused specifically on financial institutions in her research. She says a rise in offline financial fraud seemed intriguing given the rise in keyloggers and other crimeware. “Is there a tie here?” she asks. “We’ve got this increase in multichannel fraud… why are they getting on people’s systems?... It may not necessarily be to get into your account directly.”

One example of this type of attack is the Coreflood botnet Trojan, which is notorious for performing reconnaissance on its victims, she says. Coreflood has stolen user account information, Web page content, digital credentials, and browser cookies, for instance. And it made sure the server it used appeared to be in the same geographic location as the victim.

“Coreflood is trying to steal financial information, and has stayed under the radar pretty well. It’s not in-your-face sending out emails,” said Joe Stewart, director of malware research for SecureWorks, in a recent interview. Stewart, who has tracked Coreflood closely for some time, says Coreflood’s attackers know a lot about their victim, including his or her company’s name, and their Windows machine’s registration information, for instance. “They are very aware of who[m] they are infecting,” Stewart said. (See Malicious Botnet Stole Bank, Credit Union Credentials.)

Kelley says banking customers can protect themselves from these multipronged -- and often silent -- attacks with the usual best practices: updated antivirus and anti-spyware, patching your machine, and never clicking on an email purportedly from a financial institution. “And talk to your financial institution about what they are doing” for anti-fraud, she says.


  • Guardian Analytics
  • SecureWorks Inc.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...