Cybercriminals split the attack cycle into pieces that may appear unrelated in order to evade detection

The most sophisticated targeted attacks aren’t all about the hack -- they start with clever reconnaissance, both online and offline, to learn as much about the victim as possible. And financial institutions are increasingly getting burnt by seemingly unrelated activities on- and offline that blended together to execute major fraud.

It isn’t just about someone siphoning your password with a keylogger or phishing attack. Professional cybercriminals are deploying multichannel attacks that split the attack cycle into pieces that may not look like they're related -- snooping on an account online to study a banking customer’s signature and then forging that signature in a fax request to wire funds from the customer’s account to the attacker’s, for instance, says Diana Kelley, partner with Security Curve, a security consulting firm.

This combination of offline and online activity lets the attacker stay under the radar of forensics or other incident tracking, for instance, using wire transfers and ATM transactions as well rather than a pure online transaction with a bank.

“It’s hard for financial institutions to trace [this]... [when] somebody gets into an account online and looks around for information on an account” but doesn’t actually make any transactions, Kelley says. “They can then use a lot of that information to start doing more effective offline attacks. If you know how much money a victim has in [an] account” you could withdraw that offline, says Kelley, who this week published a white paper on the subject on behalf of Guardian Analytics, which provides online fraud and risk management products.

Multichannel-type attacks are nothing new. They can also include physical security and social engineering breaches, like the brand of security assessments “red team” experts like Chris Nickerson employ for their clients. Nickerson, CEO of Lares Consulting, says you need red-team testing to get the complete security picture. (See Tiger Team Member Attacks Developers, Not Apps.)

Nickerson infiltrates the application development team in a company before ever looking at their applications for vulnerabilities. “I can get into the application from the back side while on the outside, without touching” the app, says Nickerson.

Security Curve’s Kelley, meanwhile, focused specifically on financial institutions in her research. She says a rise in offline financial fraud seemed intriguing given the rise in keyloggers and other crimeware. “Is there a tie here?” she asks. “We’ve got this increase in multichannel fraud… why are they getting on people’s systems?... It may not necessarily be to get into your account directly.”

One example of this type of attack is the Coreflood botnet Trojan, which is notorious for performing reconnaissance on its victims, she says. Coreflood has stolen user account information, Webpage content, digital credentials, and browser cookies, for instance. And it made sure the server it used appeared to be from the same geographic location as the victim.

“Coreflood is trying to steal financial information, and has stayed under the radar pretty well. It’s not in-your-face sending out emails,” said Joe Stewart, director of malware research for SecureWorks, in a recent interview. Stewart, who has tracked Coreflood closely for some time, says Coreflood’s attackers know a lot about their victim, including his or her company’s name, and their Windows machine’s registration information, for instance. “They are very aware of who[m] they are infecting,” Stewart said. (See Malicious Botnet Stole Bank, Credit Union Credentials.)

Kelley says banking customers can protect themselves from these multipronged -- and often silent -- attacks with the usual best practices: updated antivirus and anti-spyware, patching your machine, and never clicking on an email purportedly from a financial institution. “And talk to your financial institution about what they are doing” for anti-fraud, she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights