Treachery, deceit and pilfering have always been associated with mankind ever since the Neanderthal age. History has been a sore witness to the many acts of treason perpetrated by man to entice, dupe and usurp the innocent. Currently, as the world is shifting to a new paradigm propelled by technological advancement, the temperament of man remains much the same. The medieval swindling tactics have been augmented with sophisticated cons. Today, the highly precarious Internet is relentlessly misused for committing atrocities over the cyber space. Among the numerous cyber-crimes committed, “hacking the banks” provides the best bang for buck for the cyber criminals.

Take a look at the recent online bank heists that have occurred over the last couple of years:

• In mid-July 2010, computer crooks stole $447,000 from Ferma Corp. a Santa Maria, California based Demolition Company by initiating a large batch of transfers from Ferma’s online bank account.

• Also in July 2010, attackers stole $415,000 from Bullitt County Bank, Kentucky in US.
• In December 2009, cyber criminals successfully stole 300,000 Euro from a German bank’s online accounts.

• And the list goes on….. The modus operandi adopted by cyber criminals for hacking banks is evolving continuously keeping in pace with today’s modern banking technology.

The Basic Attack Plan In order for the attack to work, the attacker has to first remotely take control of an online-bank user’s desktop/laptop through which the user will be doing his/her online banking transactions. There are many ways of taking control of the victim machine remotely, but the easiest approach for the attackers would be to attack the desktop applications like web browser, PDF reader and MS-Office applications etc. which are by default installed on the victim’s machine. These desktop applications contain a plethora of vulnerabilities that can be remotely exploited by the attackers to give them unauthorized access to the victim’s machine.

Attacking these desktop applications could be done in many different ways. The easiest way would be to send a fraudulent e-mail to the online bank user containing a PDF or MS-office attachment with malicious software embedde inside the attachment. When the user unwittingly opens the attachment, the malicious software will get downloaded on his/her desktop. This malicious software is some type of data-stealing Trojan horse program which seemingly looks very innocuous but its main purpose is to silently connect the victim’s machine to a remote command server controlled by the attacker.

Alternatively, instead of sending a direct e-mail, the attacker will try to entice the online bank user to visit some fraudulent websites controlled by the attacker which will contain attack code planted invisibly within the website. Once an unsuspecting user visits such websites, his/ her web browser will be automatically attacked by the attacker’s attack code forcing the user’s machine to download some malicious Trojan software unbeknownst to him/her.

Malicious Banking Trojans
Cyber criminals use specialized banking trojans like “Zeus”, “LuckySpoilt”, “MPack”, “Clampi”, “URLZone” etc. for this purpose. Some of these trojans are commercially available for as little as $500 with options for software updates, remote support, annual maintenance etc. These trojans are tailor-made for hacking online bank accounts and come with all the bells and whistles required for making online bank hacking a relatively easy chore for the attackers. Following  are some of the features found in banking trojans like URLZone or Zeus:
• Ability to log credentials and activities of bank accounts
• Can take screenshots of web pages served by the websites
• Can steal money from the compromised accounts
• Ability to hide its fraudulent transaction(s) in the report screen of the compromised account
• The Command control server can send instructions remotely to the banking  trojans about the amount to be stolen and where the stolen money should be deposited

• Logs and reports on other web accounts (e.g.: Facebook, PayPal, Gmail)  and banks from other countries Current versions of ZeuS sell for up to $10,000 and are used by elite cyber  gangs to wire funds from the online banking   accounts of small-sized and medium-sized   businesses.

A relatively new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens called “OddJob” has been released. This new banking Trojan, keeps sessions open after customers think they have “logged off”’, enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how attacker ingenuity can side-step many commercial IT security applications traditionally used to defend users’ digital – assets and online monetary – assets.

At the time of this writing, a far nastier banking Trojan by the name “tatanga” has been just released. Tatanga hooks into explorer.exe and can inject HTML in Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Minefield (Firefox dev builds), Maxthoon, Netscape, Safar and Konqueror, basically every popular browser.

How Do These Banking Trojans Work?
• Banking Trojan sits inside a user’s browser and waits for the user to log into a bank. During login, the banking Trojan copies the user’s ID, password and OTP (One Time Password), sends them to the attacker and stops the browser from sending the login request to the bank’s website, telling the user that the service is “temporarily unavailable.” The fraudster immediately uses the user ID, password and OTP to log in and drain the user’s accounts.

• Some banking Trojans overwrites transactions sent by a user to the online banking website with the criminal’s own transactions. This overwrite happens behind the scenes so that the user does not see the revised transaction values. Similarly, any online banks will then communicate back to the user’s browser the transaction details that need to be confirmed by the user with an OTP entry, but the malware will change the values seen by the user back to what the user originally entered. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.

• Authentication that depends on out-of-band authentication using voice telephony is circumvented by a simple technique whereby the fraudster asks the phone carrier to forward the legitimate user’s phone calls to the fraudster’s phone. The fraudster simply tells the carrier the original phone number is having difficulty and needs the calls forwarded, and the carrier does not sufficiently verify the requestor’s identity before executing the fraudster’s request.

Command & Control Server

After having infected the victim’s machine, the banking Trojan then connects to the Command & Control Servers to receive instructions. The Command & Control Servers for these trojans are usually hosted in Russia and other far eastern European countries. The Command & Control Server will then issue instructions which will include the amount to be stolen from the bank account, the money mule’s account details to transfer the money, instructions to capture the screenshot of the online banking interface, etc.

Money Mules

Money mules are “willing or unsuspecting” individuals typically hired via Internet job search Web sites to act as “local agents” or “financial agents” responsible for moving money on behalf of a generic- sounding international corporation, legal  experts say. Once a “mule” is hired by the cyber-gang, the stolen money is transferred to the “mule’s” bank account. Later on, the “mule” is asked to transfer the stolen amount – after deduction of his or her commission – to a bank account provided by the cyber gang via Western Union or Moneygram typically in far Eastern Europe countries.

Evading Anti-fraud systems
To avoid warning signs by anti-fraud systems at the bank, the money mule accounts are only used for a limited number of times within a certain timeframe. Since  banks monitor large bank transfers, the amount of money deposited in a money mule account is predefined in order to stay under the radar.

To minimize detection by anti-fraud systems, the cyber criminals use various parameters to define the amount of money they will steal on each transaction. Criteria used by the criminals include: making sure that the victim’s balance is positive, ensuring that the amount to be stolen is not too high, setting a random amount on each transaction, making sure that the remaining balance remains positive. The aim is to minimize detection by the anti-fraud systems.

Avoiding Detection by the Victim

In order to continue with their nefarious business activities in a clandestine way, the cyber criminals also need to hide the illegal money transfer transaction from the victim, otherwise the game will be over for them if the victim were to detect the unauthorized transfer and complain  about it to his/her bank. To minimize the chances of their detection, the Trojan creates a forged bank report page that will be presented to the victim, effectively hiding the fraudulent transaction. The Trojan hides the transaction it conducted from the victim’s machine by forging a bank report screen on the infected computer.

In the case of German Bank as discovered by M86 security group, the transferred amount below is shown as Euro 53.94, instead of the real amount of Euro 8,576.31. The Trojan generated a forged screen showing the transferred amount as Euro 53.94, and sent it back to its Command & Control server as an image. If the victim would log into his/her online banking account from a different, uninfected computer the real transaction will show up.

Conclusion

Cyber attacks and attackers are getting increasingly sophisticated and there is an urgent need to protect our resources from these threats. Online bank users should be alert and keep abreast of the various tricks used by the cyber criminals while surfing the web. Users should also ensure adequate security of their systems by installing personal firewalls and other security tools that will alert on any suspicious activity.

Banks and financial institutions should employ unified web security solutions like web application firewalls with real-time content inspection, multi-factor authentication etc. Banks should consider deploying the following measures:
• Server-based fraud detection to monitor transactions for suspicious behavior.
• Out-of-band transaction verification to verify user transaction requests, and execute only the specific transaction verified or signed by the requesting user.
• Out-of-band communication protocols that can prevent calls from being forwarded to numbers that are not registered to a specific user account.

 

About The Author

 

Hidayath Ullah Khan, I am the CEO of Sentelist MiddleEast – an IT consultancy firm specializing in Application Security,
Penetration Testing and Forensics