Driven to Distraction

Diversionary infections reflect a new devious style of cyberattack tactics

By Tam Harbert

Financial cyberattacks have been getting a lot of press lately. Starting last fall, a wave of distributed denial of service (DDoS) attacks hit several large American banks, overwhelming their web servers and leaving online customers stranded. Many of these attacks were carried out by so-called political hacktivists. One group in particular, called Izz ad-Din al-Qassam Cyber Fighters, claimed it targeted the sites in retaliation for a YouTube trailer of an American-made anti-Muslim film.

While such attacks on big banks get the headlines, more bottom-line mischief is going on behind the scenes. Hacktivists are usually just trying to make a point, says Josh Pauli, associate professor of cybersecurity at Dakota State University. More devious, he notes, are cybercriminals who use a DDoS attack as a diversion: while IT staff scramble to keep the public website up, the thieves quietly download sensitive information or push through fraudulent fund transfers in the background.

In fact, small- to mid-size community banks have been the targets of such attacks, according to a fraud alert from the federal government in September 2012. But DDoS attacks weren't the only tactic described in the alert: Criminals were also using spam and phishing emails, keystroke loggers and remote access Trojans to get a foothold on employees' machines first. The thieves then initiated wire transfers ranging from $400,000 to $900,000.
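The pattern the alert describes, noise on the network edge while money moves in the back office, is one a bank's monitoring can look for directly instead of leaving two teams to handle two "separate" incidents. The script below is an added example, not code from the article or from the federal alert: it reads constructed edge-device alerts and payments-system events (the log formats, field names, dollar threshold and 30-minute grace period are all assumptions), builds attack windows from the DDoS start/end alerts, and escalates any wire transfer initiated inside a window that is either high-value or to a beneficiary the originating user has never paid before.

```python
"""Correlate DDoS alert windows with wire-transfer initiations.

Added example for this article; not a real product's rule set. Log formats,
field names, the $100,000 threshold and the 30-minute grace period are
assumptions chosen for illustration. Sample logs below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed edge-device alerts: "<ISO timestamp> key=value ..." (assumed format).
EDGE_ALERTS = """\
2012-09-18T09:02:11Z alert=ddos_start vector=syn_flood pps=1200000 target=www.examplebank.test
2012-09-18T09:41:57Z alert=ddos_end vector=syn_flood target=www.examplebank.test
2012-09-19T14:10:00Z alert=ddos_start vector=http_flood pps=450000 target=www.examplebank.test
"""

# Constructed payments-system events, same line format (assumed).
WIRE_EVENTS = """\
2012-09-17T15:30:00Z event=wire_init user=jdoe amount=12000.00 beneficiary=ACME_SUPPLY
2012-09-17T16:00:00Z event=wire_init user=msmith amount=3200.00 beneficiary=ACME_SUPPLY
2012-09-18T09:15:42Z event=wire_init user=jdoe amount=485000.00 beneficiary=OVERSEAS_LTD
2012-09-18T09:20:03Z event=wire_init user=msmith amount=3200.00 beneficiary=ACME_SUPPLY
2012-09-18T13:05:00Z event=wire_init user=jdoe amount=610000.00 beneficiary=OVERSEAS_LTD
2012-09-19T14:12:30Z event=wire_init user=msmith amount=15000.00 beneficiary=PAYROLL_CO
"""

HIGH_VALUE = 100_000.00               # assumed escalation threshold, in dollars
ATTACK_GRACE = timedelta(minutes=30)  # assumed: staff are still distracted after ddos_end


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split '<ISO timestamp> k=v k=v ...' into a timestamp and a field dict."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    return ts, fields


def attack_windows(alert_log: str, grace: timedelta = ATTACK_GRACE) -> List[Tuple[datetime, datetime]]:
    """Pair ddos_start/ddos_end alerts into (start, end + grace) windows.

    A start with no matching end is still in progress and stays open-ended.
    """
    windows: List[Tuple[datetime, datetime]] = []
    open_start = None
    for line in alert_log.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("alert") == "ddos_start" and open_start is None:
            open_start = ts
        elif f.get("alert") == "ddos_end" and open_start is not None:
            windows.append((open_start, ts + grace))
            open_start = None
    if open_start is not None:
        windows.append((open_start, datetime.max))
    return windows


def in_window(ts: datetime, windows: List[Tuple[datetime, datetime]]) -> bool:
    return any(start <= ts <= end for start, end in windows)


@dataclass
class Flag:
    ts: datetime
    user: str
    amount: float
    beneficiary: str
    reasons: List[str]


def flag_diversionary_wires(alert_log: str, wire_log: str, high_value: float = HIGH_VALUE) -> List[Flag]:
    """Escalate wires initiated during an attack window that are high-value
    or go to a beneficiary this user has not paid before (in log order)."""
    windows = attack_windows(alert_log)
    seen: Dict[str, Set[str]] = {}          # user -> beneficiaries paid so far
    flagged: List[Flag] = []
    events = sorted((parse_line(l) for l in wire_log.splitlines() if l.strip()), key=lambda e: e[0])
    for ts, f in events:
        if f.get("event") != "wire_init":
            continue
        user, beneficiary, amount = f["user"], f["beneficiary"], float(f["amount"])
        known = seen.setdefault(user, set())
        reasons: List[str] = []
        if in_window(ts, windows):
            if amount >= high_value:
                reasons.append("high_value_during_attack")
            if beneficiary not in known:
                reasons.append("new_beneficiary_during_attack")
        if reasons:
            flagged.append(Flag(ts, user, amount, beneficiary, reasons))
        known.add(beneficiary)              # the transfer itself establishes the payee
    return flagged


if __name__ == "__main__":
    for flag in flag_diversionary_wires(EDGE_ALERTS, WIRE_EVENTS):
        print(f"{flag.ts:%Y-%m-%d %H:%M:%S} {flag.user} ${flag.amount:,.2f} -> {flag.beneficiary}: {', '.join(flag.reasons)}")
```

On the constructed data this escalates two transfers: the $485,000 wire to a first-time payee during the first flood, and the smaller wire to a new payee while the second flood is still in progress. The $610,000 wire at 13:05 falls outside the attack window and is deliberately not caught here; this correlation rule is meant to sit beside, not replace, the bank's ordinary high-value and first-time-beneficiary review.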

Yet, community bankers don’t seem concerned about cyberattacks. In a 2012 survey by KPMG, 51 percent of community banking leaders said they were only slightly concerned or not concerned at all that their bank may be vulnerable to attack.

Bankers beware

The key weakness of community banks is that staff often wear so many different hats, says Pauli, who also consults on IT security for community banks. An employee may use her PC for browsing the Web and sending emails in the morning, and then use that same PC to make ACH transfers in the afternoon. That means if she happens to fall for a phishing attack, the bad guys inherit access to sensitive banking functions from the very same machine.

Despite repeated warnings, bank IT staffers can still be fooled by social engineering, Pauli says. It's no longer just a matter of ignoring crude advance-fee scam emails. Today, the bad guys are doing their homework and targeting specific people within organizations. A particular employee might get an email from someone purportedly moving to town and shopping mortgage rates, for example. The email might reference your bank's competitor down the street, perhaps even a specific loan officer's name. The sender might ask if your community bank can match your competitor's rates, attaching a Web link or PDF file with the other bank's quotes. Once opened, the link or attachment still looks safe and legitimate, but in the background it installs malware that lets the cyberthief come back later and reach critical operations.

Clue in staff and customers

Another new diversionary threat is the lack of security awareness among a community bank's customers, says Sencer Tasan, chief security officer of core-processing vendor DCI in Hutchinson, Kan. Cyberthieves often target customers rather than the bank itself, he says. And mobile security is a growing threat. There are more than 35,000 different kinds of malware applications that have been developed to target and trick Android phones, Tasan says.

So what to do? Educate customers as much as possible, Tasan says. “Commercial banks have to really talk to their customers about this, especially regarding online banking,” he says.

For banks looking to protect their own IT turf, Pauli has several recommendations, including education and training for employees. But such training needs to cover more than just warning staff to not open links or email attachments, he says. Rather, banks should make sure that employees are kept up to date on the latest scams.

“The attacks you see today are a lot different from two years ago,” he says. “You have to constantly educate your people.”

Desktop solutions

One method of protection against tricky cyberattacks is to restrict employees to visiting only websites that are on an approved list (an allow list, with everything else blocked by default). However, few banks like this approach because it's high maintenance for IT staff and frustrating for employees.

Another countermove is to use virtualization to separate functions on one PC. Even if an employee uses the same machine for email and fund transfers, virtualization can enable the creation of two separate desktops on that machine. The employee uses one desktop for potentially unsafe activities, like Web browsing and email, but reserves the other desktop for sensitive bank functions. The separation is only as strong as the boundary between the two desktops: shared clipboards, mapped drives or reused credentials reopen a path from the browsing desktop to the banking one, so they should be disabled between the two.

This approach, called dual virtualized desktops, accepts the inevitable: determined criminals can most likely break in. At a recent seminar, Pauli showed that even a recently patched and updated Windows 7 PC was still vulnerable. "No matter how good your security person is, [the cybercriminals] can basically bypass all the security measures," he says.

With dual virtualized desktops, however, “even if malware infects the first desktop, there is no way it can reach the bank’s core functions,” Pauli says. “And with virtualization, it’s easy for the IT staff to erase the infected desktop and create a new one. It’s expendable.”

Tam Harbert is a writer in Rockville, Md.