At first, it was hard to tell what was causing the "phantom" money transfers from the online bank account of a small North Carolina company. Investigators didn't know if the fraudulent wire and Automated Clearing House transfers were caused by an insider or malware, recalls Don Jackson, director of threat intelligence with the Counter Threat Unit at SecureWorks, an Atlanta-based security services provider.
But the cause became quite clear when Jackson and his team examined the bookkeeper's computer: an infection by the Zeus Trojan. "In the past, Zeus was just spyware and wanted user names and passwords," he says. "This was the first banking version of Zeus. It got into the browser and changed things on the fly."
The malware caused the business to lose nearly $98,000, Jackson says. That was in late 2007. Today, criminals are using the Zeus crimeware kit with astonishing success, pulling off six-figure heists from the online bank accounts of scores of small businesses, municipalities and nonprofits. The Federal Deposit Insurance Corporation estimates losses from fraudulent electronic funds transfers in the third quarter of 2009 at about $120 million. The attacks have been mounting over the past 18 months or so and haven't slowed, experts say.
Zeus is among an emerging brand of stealthy malware that steals online banking and other sensitive credentials with ever-changing capabilities to evade detection and defeat security controls. Bought and sold on the Internet and continually upgraded with new features, Zeus and its ilk represent the evolution of malware into a vast commercial enterprise. Banker Trojans accounted for 61 percent of all new malware in the first quarter of this year, according to a recent study by Panda Security. It's become an arms race with the criminals behind these malware-fueled business operations, says Joe Bernik, CISO at Fifth Third Bank.
"They're constantly looking for ways to improve the functionality to overcome whatever technical controls the financial services industry or whatever industry they're targeting puts into place," he says.
Malware has replaced phishing as the top threat, says David Shroyer, vice president of online security and enrollment at Bank of America. "The speed of evolution and the shifting of threat vectors are astounding. It's light speed, so we have to be on our toes to protect our customers and our industry," he says. "What I'm seeing in the industry is this is now the big thing we're all worried about and we're cooperating like we never have before."
Let's take a closer look at Zeus, its emerging competition in the banking malware market, their impact, and how the financial services industry is responding.
Malicious code designed for banking fraud has been around as far back as 2003, says Jamz Yaneza, threat researcher manager at Trend Micro. Most early banking malware came in the form of keyloggers, which captured all kinds of sensitive information, not just online banking credentials.
In the U.S., banks stepped up their defenses against spyware and keyloggers with added security, particularly two-factor authentication. In 2005, federal banking regulators issued authentication guidance for online banking, and regulators say attacks dipped for a couple years. Criminals had to figure out a new method of attack.
"Banks and online providers have done a good job putting in place authentication methods that made it hard for the criminals to make money," says Laura Mather, co-founder and CEO of Silver Tail Systems, a Palo Alto, Calif.-based provider of fraud prevention systems. "The bad news is the criminals didn't give up. They had to employ even more sophisticated technology in order to subvert the protections that have been put in place."
Fraudsters shifted their focus to malware because their returns from phishing were diminishing, says Sean Brady, identity protection and verification product marketing manager at RSA, the security division of EMC. "The more sophisticated groups were willing to put the extra investment into Trojans because they demonstrated return," he says.
To circumvent strong authentication methods, criminals have to impersonate the victim, Mather says. "Instead of just having a password, they have to look just like the victim, so they're accessing the victim's account from the victim's own computer, which means they have the correct IP address. It's very difficult for the bank to tell the difference between the malware and the legitimate user," she explains.
The Silentbanker Trojan, which surfaced a couple years ago, had this interception functionality but Zeus and other newer banking Trojans have honed it, experts say. Today's banking malware attacks a victim's Web browser instead of the online session, Bernik explains: "It modifies and intercepts the data that is being passed to the browser and it can actively modify Web pages."
Criminals have used Zeus to add fields to obtain additional data for authenticating to a bank website and to alter balances to hide fraudulent withdrawals. Researchers have detected variants of Zeus that have used the Jabber instant messaging protocol in order to use stolen credentials in real time and circumvent the security provided by one-time password tokens. Victims often receive an error message as the fraudster uses their credentials behind the scenes.
These kinds of man-in-the-browser attacks are much harder to detect than the older man-in-the-middle attacks, where the hostile party inserts itself between the authenticating server and the valid user, Bernik says.
"It becomes increasingly difficult for financial institutions to detect because some of the defense mechanisms we were using such as device ID and geo ID have limited value when dealing with a man-in-the-browser attack," he says.
A FORMIDABLE FOE
Zeus, also called Zbot, has been the most pervasive and damaging banking malware to date, researchers say. According to Microsoft, infections by Zeus have skyrocketed in recent months.
The malware spreads via phony emails that pretend to be notices from legitimate organizations like NACHA, the association that oversees the Automated Clearing House (ACH) network; spear phishing emails targeting specific individuals and containing links to malware-rigged websites; and drive-by downloads. Researchers believe criminals in Eastern Europe, particularly Russia and Ukraine, are behind the Zeus-fueled attacks.
The Zeus crimeware kit has three components, according to an analysis by Trend Micro: the Trojan, a configuration file, and a drop zone where stolen credentials are sent. After the Zeus Trojan is executed, it downloads its configuration file from a predetermined location then waits for the victim to log in to a particular target included in the configuration file, Trend Micro researchers say. Criminals conduct extensive research on banking websites to hone their attacks.
"They will do extensive research on the sites -- logging in, understanding the page flows and thresholds to perform transactions with, down to the HTML code of the actual pages because they will frequently use that knowledge to manipulate the page in the user's browser," Brady says.
The highly configurable nature of Zeus is one of its most powerful aspects, experts say. "Zeus is a lot of different botnets," Mather says. "Criminal A can buy Zeus and have his own command-and-control and his own botnet, and criminal B buys Zeus and has his own botnet that will be different from criminal A's because it's targeting victims in South America while the other is targeting victims in Europe."
Earlier this year, security firm NetWitness reported finding a 75GB cache of stolen data, including credentials for online banking sites and social networks, from more than 74,000 Zeus infected systems; the company named the infected PCs tied to the Zeus attacks the Kneber botnet. In March, security researchers reported ongoing efforts to shut down Kazakhstan-based Troyak.org, an ISP serving a large chunk of a Zeus botnet. Spanish authorities in December shut down the Mariposa botnet, which stole banking and other sensitive data by infecting 12.7 million computers with Zeus and other malware.
East European cybercriminal operations using the Zeus malware kit have capitalized on the recession to successfully recruit "money mules" in the U.S. to move money siphoned from business online banking accounts, experts say. Fraudsters lure money mules over the Internet with bogus work offers and use them to receive the stolen funds, instructing them to wire money overseas after deducting a commission. Oftentimes, the money is stolen in amounts less than $10,000, apparently in an attempt not to trigger Suspicious Activity Report (SAR) requirements.
Jackson and other researchers at SecureWorks have been tracking each new version of the Zeus Trojan, which is constantly updated with new functionality. In March, they wrote that the latest version featured a level of control they hadn't yet seen in malware: a hardware-based licensing system so the malware can only be run on one computer. "Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer," wrote Jackson and Kevin Stevens, security researcher at SecureWorks' CTU.
A beta version of a new Zeus variant they examined this spring featured polymorphic encryption, which allows it to re-encrypt itself each time it infects a computer, making each infection unique and harder for antivirus systems to catch, Stevens says.
Various modules for Zeus, including a Firefox form grabber, a Jabber chat notifier and Windows 7/Vista support, are available on the Internet for prices ranging from $500 to $6,000, according to SecureWorks.
The developers behind Zeus also are very sensitive to detection rates of their malware by antivirus systems, says Mickey Boodaei, CEO of online security provider Trusteer. "Each variant they release goes through a kind of quality assurance process to make sure it's not detected by many antivirus solutions," he says.
New York-based Trusteer released a study last fall that showed the Zeus Trojan infecting PCs with updated antivirus software 77 percent of the time.
While Zeus has proven the most popular toolkit for criminals targeting online banking, the Clampi Trojan has also done its share of damage. Jackson says it's the number two threat to online banking after Zeus, but isn't available for sale like Zeus; rather, it's used by one criminal group in Eastern Europe.
Like Zeus, Clampi has advanced man-in-the-browser capabilities and uses state-of-the-art polymorphic cryptors to conduct fraudulent ACH and wire transfers, according to Jackson. SecureWorks last summer documented the Clampi Trojan and how it targeted thousands of websites, including large banks, small banks and mortgage companies. Those behind Clampi use encryption adeptly, making it difficult for researchers to track it, Jackson says: "It flies under the radar a lot."
Last fall, Finjan researchers reported a new bank Trojan that criminals used to intercept online banking sessions and steal thousands of euros from German accounts last summer. URLzone minimizes the risk of being detected by banks' antifraud systems by systematically transferring random, moderate amounts of money from compromised accounts. According to RSA researchers, the Trojan uses money mules in a highly sophisticated way in order to foil researchers trying to identify the mule accounts it's using: If it detects that a computer isn't part of its botnet, it delivers a fake mule account to the researcher's computer.
The Silon Trojan, meanwhile, targets only customers of major U.K. banks and has managed to infect thousands of computers, according to Trusteer. Silon steals banking credentials, bypasses specific security controls and can update itself to counter banks' defensive measures.
Earlier this year, SecureWorks researchers discovered a new banking Trojan designed to facilitate fraudulent ACH and wire transfers. Bugat's capabilities include many of those common in banking malware, including Internet Explorer and Firefox form grabbing and stealing and deleting IE, Firefox and Flash cookies. Bugat mainly targets regional banks and smaller national banks, Jackson says. "It's fairly sophisticated, but not up there with Zeus and Clampi," he adds.
However, the emergence of Bugat indicates the strong demand for malware to commit financial fraud, according to SecureWorks. Indeed, the competition for Zeus appears to be heating up, especially with the emergence of SpyEye. According to Symantec, the first version of the malware kit appeared for sale on Russian underground forums in December. Retailing for $500, "it is looking to take a chunk of the Zeus crimeware toolkit market," Symantec researchers wrote.
The SpyEye toolkit is similar to Zeus in many ways and is updated regularly with new features, including one called "Kill Zeus" designed to delete Zeus from an infected system and leave just SpyEye running, Symantec researchers noted.
Government agencies and financial services associations began sounding the alarm about a sharp increase of fraudulent ACH and wire transfers hitting small and midsize businesses last August. In November, the FBI estimated that the fraudulent activity had resulted in approximately $100 million in attempted losses.
"We're not hearing about it as much on the consumer side. It does happen, but these bad guys are going after the big fish," says Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC). "They're sending spear phishing emails to individuals at businesses they've checked out."
Investigative reporter Brian Krebs has documented many cases in which small businesses and municipal agencies have lost thousands of dollars through fraudulent money transfers. Oftentimes, Zeus is cited as a culprit, such as in the case of a small New York marketing firm that lost $164,000 after a Zeus infection. Business banking customers hit by online banking fraud typically lose out because they don't have the same regulatory protections to limit losses from fraudulent electronic funds transfers as consumers.
The fraud surge has led to a spate of lawsuits. For example, Bullitt County in Kentucky sued its bank, First Federal Savings Bank of Elizabethtown, last summer after cybercriminals stole $415,989 through fraudulent ACH transactions, according to court documents obtained by The Courier-Journal. The bank, which claims the county's security failures led to a Zeus infection, refused to reimburse the county for $310,176 that wasn't recovered.
In another case, which has been widely reported, Hillary Machinery of Plano, Texas was sued by its former bank, Dallas-based PlainsCapital, after being victimized by online banking fraud late last year. Hillary countersued the bank over the cyberheist, in which criminals stole about $800,000; PlainsCapital recovered almost $600,000.
For the financial sector and other industries, customer education has been a major weapon in successfully beating back phishing to the point where it's not the threat it was five years ago, Bank of America's Shroyer says. But customer education is a less powerful weapon against stealthy malware that is constantly finding ways to avoid detection, he says.
Malware also is trickier from a customer resolution standpoint, Shroyer says: "I can fix a customer who's been exposed to phishing in a matter of minutes. A customer exposed to malware is a very difficult conversation. I can't just tell them to change their ID and passcode. I have to tell them that their endpoint, their PC, has been compromised by something that isn't just impacting their Bank of America relationships, but their Yahoo email account and other financial accounts like PayPal."
Banking malware is a newer problem in the U.S., Shroyer adds, noting that banks in Australia, Brazil and the U.K. have been combating sophisticated banking Trojans for longer.
Mather, a former director of fraud prevention at eBay, says phishing was the top concern when she worked at the company; malware wasn't much on the radar. "Now when I talk to banks and other large organizations, they're having to assume the customer's computer is compromised. That's a very different way to look at your customers than worrying about whether they're going to give away their passwords."
Financial industry groups, keenly aware of the critical need to preserve confidence in the online banking channel, have provided a slew of recommendations for fending off malware attacks.
FS-ISAC, NACHA and the FBI, in their joint advisory last August, recommended that financial institutions implement strong authentication and fraud detection and mitigation best practices, including transaction risk profiling and out-of-band transaction authentication combined with fraud detection, and apply defense in depth to their network and system infrastructure.
They also advised banks to educate their corporate and small business customers about security, including: reconciling accounts on a daily basis; initiating ACH and wire transfers under dual control (with one person initiating the transfer and another authorizing it); and possibly carrying out all online banking from a locked down, standalone computer with email and Web surfing disabled.
NACHA says financial institutions can take several steps to help protect their business customers from ACH fraud
NACHA, the nonprofit association that oversees the Automated Clearing House (ACH) network, released a bulletin late last year with tips for financial institutions and their customers to combat the problem.
According to NACHA, one of the reasons criminals are targeting small and midsize organizations is because -- generally unlike individual banking consumers -- many of them have the ability to initiate ACH credits and wire transfers via online banking. This funds transfer capability is usually related to the company's origination of payroll payments; criminals who hijack the corporate account may add fake names to a payroll file.
NACHA offered five steps financial institutions can take to protect corporate accounts from being taken over and used for ACH fraud:
* Deploy multifactor and multichannel authentication.
* Require business customers to initiate payments under dual control, with distinct responsibility for transaction origination and authorization.
* Enable out-of-band confirmation of payment initiation for certain types of payments.
* Provide out-of-band alerts for unusual transaction activity.
* Establish and monitor exposure limits related to customers' banking activities.
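To make three of these controls concrete (dual control, out-of-band confirmation for certain payment types, and exposure limits), here is an added example in Python; it is not NACHA's or any bank's code, and the policy values (which payment types need out-of-band confirmation, the $15,000 daily limit, the user and customer names) are constructed for illustration:

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional

# Payment types that, in this constructed policy, need confirmation over a channel
# the customer's browser does not control (e.g. a callback to a registered phone).
OOB_REQUIRED_TYPES = {"wire", "ach_credit"}

@dataclass
class CustomerLimits:
    daily_exposure: Decimal             # maximum outbound value per business day
    used_today: Decimal = Decimal("0")  # running total of released payments

@dataclass
class Payment:
    payment_id: str
    customer: str
    ptype: str                          # "wire", "ach_credit", ...
    amount: Decimal
    originated_by: str                  # user who keyed the payment in online banking
    authorized_by: Optional[str] = None # second user who approved it
    oob_confirmed: bool = False         # customer confirmed via out-of-band channel

class PaymentControls:
    def __init__(self, limits: Dict[str, CustomerLimits]) -> None:
        self.limits = limits

    def authorize(self, p: Payment, user: str) -> Optional[str]:
        """Dual control: return an error message, or None once the approval is recorded."""
        if user == p.originated_by:
            return "dual control: originator may not authorize their own payment"
        p.authorized_by = user
        return None

    def confirm_out_of_band(self, p: Payment) -> None:
        """Record that the customer confirmed the payment outside the browser session."""
        p.oob_confirmed = True

    def release(self, p: Payment) -> List[str]:
        """Apply every control; an empty list means the payment may be sent."""
        problems: List[str] = []
        if p.authorized_by is None or p.authorized_by == p.originated_by:
            problems.append("dual control not satisfied")
        if p.ptype in OOB_REQUIRED_TYPES and not p.oob_confirmed:
            problems.append(f"{p.ptype} requires out-of-band confirmation")
        lim = self.limits[p.customer]
        if lim.used_today + p.amount > lim.daily_exposure:
            problems.append("exceeds daily exposure limit")
        if not problems:
            lim.used_today += p.amount  # count released value against today's limit
        return problems

def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: a $9,500 wire keyed from the bookkeeper's (possibly
    compromised) login, then a $6,000 ACH credit that would breach the daily limit."""
    ctl = PaymentControls({"acme": CustomerLimits(Decimal("15000"))})
    p1 = Payment("p1", "acme", "wire", Decimal("9500"), originated_by="bookkeeper")
    out: Dict[str, object] = {}
    out["self_approve"] = ctl.authorize(p1, "bookkeeper")    # refused: same person
    out["second_approve"] = ctl.authorize(p1, "controller")  # None: approved
    out["before_oob"] = ctl.release(p1)                      # blocked: no OOB confirmation
    ctl.confirm_out_of_band(p1)
    out["after_oob"] = ctl.release(p1)                       # []: released
    p2 = Payment("p2", "acme", "ach_credit", Decimal("6000"), originated_by="bookkeeper")
    ctl.authorize(p2, "controller")
    ctl.confirm_out_of_band(p2)
    out["over_limit"] = ctl.release(p2)                      # 9,500 + 6,000 > 15,000
    return out

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point of the walk-through is that a payment keyed from a single compromised login cannot be approved from that same login, and even a properly approved wire waits for a confirmation the browser session cannot supply.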
The association also offered tips for spotting the "money mules" used by fraudsters in their account takeover schemes. Banks need to watch out for these activity patterns, according to NACHA:
-- A new account opened by an individual with a small deposit, quickly followed by one or more large deposits by ACH credit or wire transfer.
-- An existing account with a sudden increase in the number and dollar amount of deposits by ACH credit or wire transfer.
-- A new or existing account that withdraws a large amount of cash shortly after a large deposit by ACH credit or wire transfer.
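The three NACHA patterns above can be turned into a simple screening rule set. The following is an added example in Python, not NACHA's or any bank's detection logic; the thresholds (what counts as "large", "small", "quickly") and the sample ledger are constructed for illustration, and the second pattern is judged against each account's own baseline rather than a fixed number:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

INCOMING = {"ach_credit", "wire_in"}   # deposit kinds NACHA's patterns refer to
LARGE = 5000.0          # assumed "large" deposit / withdrawal threshold
SMALL_OPENING = 500.0   # assumed "small" opening deposit threshold
QUICK_DAYS = 7          # assumed window for "quickly" / "shortly after"
RECENT_DAYS = 30        # window compared against the baseline for pattern 2
BASELINE_DAYS = 90      # history used to establish the account's normal rate

@dataclass
class Txn:
    account: str
    day: int        # days since the account was opened
    kind: str       # opening_deposit | ach_credit | wire_in | cash_withdrawal
    amount: float

def screen_account(txns: List[Txn]) -> List[str]:
    """Return the NACHA mule patterns matched by one account's transactions."""
    txns = sorted(txns, key=lambda t: t.day)
    flags: List[str] = []
    incoming = [t for t in txns if t.kind in INCOMING]
    opening = txns[0] if txns and txns[0].kind == "opening_deposit" else None
    # Pattern 1: small opening deposit quickly followed by large ACH/wire credit(s).
    if opening and opening.amount <= SMALL_OPENING and any(
            t.amount >= LARGE and t.day - opening.day <= QUICK_DAYS for t in incoming):
        flags.append("new account: small opening deposit followed by large ACH/wire deposit")
    # Pattern 2: sudden jump in the count and value of incoming ACH/wire credits,
    # judged against the account's own baseline (needs enough history).
    last = txns[-1].day if txns else 0
    if last >= BASELINE_DAYS + RECENT_DAYS:
        recent = [t for t in incoming if t.day > last - RECENT_DAYS]
        base = [t for t in incoming
                if last - RECENT_DAYS - BASELINE_DAYS < t.day <= last - RECENT_DAYS]
        scale = RECENT_DAYS / BASELINE_DAYS          # baseline scaled to a 30-day window
        exp_n = len(base) * scale
        exp_amt = sum(t.amount for t in base) * scale
        if (len(recent) >= 3 and len(recent) > 2 * exp_n
                and sum(t.amount for t in recent) > 2 * exp_amt):
            flags.append("existing account: sudden increase in ACH/wire deposits")
    # Pattern 3: large cash withdrawal shortly after a large ACH/wire deposit.
    if any(w.kind == "cash_withdrawal" and w.amount >= LARGE
           and any(d.amount >= LARGE and 0 <= w.day - d.day <= QUICK_DAYS for d in incoming)
           for w in txns):
        flags.append("large cash withdrawal shortly after large ACH/wire deposit")
    return flags

def screen_ledger(ledger: List[Txn]) -> Dict[str, List[str]]:
    """Group a ledger by account and report only the accounts that match a pattern."""
    by_account: Dict[str, List[Txn]] = defaultdict(list)
    for t in ledger:
        by_account[t.account].append(t)
    hits = {acct: screen_account(ts) for acct, ts in by_account.items()}
    return {acct: f for acct, f in hits.items() if f}

SAMPLE_LEDGER: List[Txn] = [   # constructed sample, not real account data
    # Freshly opened with $100, receives a $9,400 wire on day 3, cashes out next day.
    Txn("mule-new", 0, "opening_deposit", 100.0),
    Txn("mule-new", 3, "wire_in", 9400.0),
    Txn("mule-new", 4, "cash_withdrawal", 9000.0),
    # Long-standing account with modest ACH credits, then a burst of large ones.
    Txn("mule-existing", 0, "opening_deposit", 2000.0),
    *[Txn("mule-existing", d, "ach_credit", 300.0) for d in (20, 50, 80)],
    *[Txn("mule-existing", d, "ach_credit", 9500.0) for d in (125, 127, 129)],
    Txn("mule-existing", 130, "cash_withdrawal", 8000.0),
    # Ordinary payroll account: $1,200 every two weeks, no cash-outs.
    Txn("payroll-normal", 0, "opening_deposit", 50.0),
    *[Txn("payroll-normal", d, "ach_credit", 1200.0) for d in range(14, 141, 14)],
]

if __name__ == "__main__":
    for acct, flags in screen_ledger(SAMPLE_LEDGER).items():
        print(acct, "->", "; ".join(flags))
```

Running it flags the two constructed mule accounts and leaves the regular payroll account alone; in practice the thresholds would be tuned to the institution's own customer base and fed into the layered fraud-detection strategy the article goes on to describe.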
"We're emphasizing an integrated, layered security strategy," FS-ISAC's Nelson says. "Any single defense you come up with they can circumvent … If you implement a layered defense strategy, you have a better chance of defeating these bad guys."
American Bankers Association backs the layered approach, says Doug Johnson, vice president of risk management policy for ABA. "One of the most important lessons we've learned from Zeus is that sometimes we hang our hat too much on security technological fixes," he says, adding that internal controls like dual authorization also are critical.
The association is working with other industry groups to address the problem on an ongoing basis. "It is something we take very seriously because it gets to the heart of the relationship between the bank and its commercial and municipal customers," he says. "Obviously, we need to counteract anything that could disrupt the trust that's built up between those two parties."
Fifth Third Bank's Bernik notes that new technologies are emerging to deal with the challenge of the compromised host (see "New Approaches" below) but adds, "There's no silver bullet to solve all the challenges when it comes to the online channel."
Fifth Third, aiming to be a "trusted advisor" to its customers, provides them with education and certain technologies to combat the malware problem, he says. Making sure customers are aware of security best practices is critical, he adds.
Citing security concerns, Shroyer declines to detail strategies and techniques the financial services industry is using to fight the malware problem. But he says that Bank of America is in the process of requiring customers to upgrade their online IDs and passcodes to meet its security requirements, and recently rolled out a browser upgrade for its customers to upgrade from older, vulnerable browsers. Customers can be resistant to change, but the uptake was surprising and heartening, he says. "We've got to drive the message that we're here to help you protect your assets."
In the wake of the malware attacks, though, the industry is coming together like never before, Shroyer says. He's having weekly calls with other banks in which they discuss what they're seeing and possible solutions. "You would not have seen that before," he says. "But now we have that collaboration."
Malware, he says, is "going to drive us towards an opportunity to react faster than we have in the past out of necessity."
Marcia Savage is Editor of Information Security.
Vendors offer alternative technologies to secure online banking from fraud
As criminals use increasingly sophisticated malware to commit online banking fraud, new technologies have appeared to combat the problem.
Trusteer's Rapport product is a browser security plug-in that works to prevent malware from tampering with online banking sessions. While traditional desktop security products try to prevent malware, "we're locking down the session," says Trusteer CEO Mickey Boodaei.
Desktop protection products like Rapport and a similar technology from Prevx provide another strong layer of security but many banks are reluctant to go that route, says Avivah Litan, vice president and distinguished analyst at Gartner.
IBM offers an alternative technology to foil online banking fraud: a USB-attached hardware device called Zone Trusted Information Channel (ZTIC) that runs the TLS/SSL protocol to create a proxy for connecting with banking websites; the SSL session bypasses any malware on a PC. IronKey recently launched Trusted Access for Banking, a USB device with a virtualized operating system and secure Web browser.
"We're creating a separate secured operating environment on your computer without you needing a separate computer," says David Jevans, CEO of IronKey.
Both IronKey and IBM are offering locked down computing environments but the technologies still use the keyboard, Litan says: "You could still record the keystrokes, so there's still an issue."
Silver Tail Systems offers a different approach with technology that watches for changes in how a website is used and alerts website owners to possible fraudulent activity. "We watch the behavior of the Web session to identify whether we think the behavior is a normal way to interact with a website," says Laura Mather, co-founder and CEO.
Litan says many of the alternative technologies, like ZTIC, aren't new but are getting more attention now. "There's nothing new under the sun but the situation is getting so bad that people are looking at these solutions," she says.
Litan recommends that financial institutions take a layered approach to fighting online fraud, including fraud detection that monitors transaction behavior and desktop protection.