Banking on Internet Security: Taking Down Fraud Sites Targeting Financial Institutions

Part of IID’s Takedown Taekwondo Series

In our previous Takedown Taekwondo post, we explored how hackers exploit social networking sites to glean sensitive information from users. Today, we’ll look at how the financial industry is susceptible to online attacks and what can be done to thwart modern-day bank robbers.

This is an Online Stickup!

The Internet is like the old Wild West - it’s an expansive and promising new frontier, and yet at times a dangerous and lawless one. But instead of gun-toting scofflaws like Billy the Kid holding up banks with a six-shooter, financial institutions must worry about more clandestine villains: hackers and online fraudsters, armed with social engineering skills and malicious code that can empty a bank’s coffers remotely from the other side of the world.

It’s no secret that the financial sector is an alluring target for money-hungry hackers. Consequently, banking institutions must be especially prepared and proactive in their efforts to quickly and decisively take down criminal infrastructure targeting their brand.

In September of 2012, the Financial Services Information Sharing and Analysis Center (FS-ISAC) raised its cyber threat level to “high” for the first time ever. It warned banks of a growing trend among online criminals using spam, phishing sites, keyloggers and Trojan horses to obtain employee login credentials, access sensitive data, and execute unauthorized overseas wire transfers of funds.

One of the most infamous incursions against the financial industry occurred in 2008 when criminals targeted electronic bill payment service CheckFree Corporation, seizing control of some of the company’s Internet domains via domain name system (DNS) hijacking and redirecting unsuspecting banking customers to a fraudulent website hosted in the Ukraine. About 5 million customers were notified that their financial data may have been breached. Compared to these cyber thieves, Billy the Kid looks about as scary as a kid with a water pistol.

Criminal Strategies to Assault the Vault

While the infrastructure that criminals employ to attack financial institutions grows increasingly sophisticated, their tactics still boil down to some basic strategies.

Phishing remains a weapon of choice among cyber-thieves, due to the ease of setting up an attack. Even the most inexperienced hacker can easily set up a fake bank login on a free webhost in mere minutes. A slight variation on phishing, 419 scams often aim to confuse banking customers by purporting to come from a bank executive who needs to transfer an unclaimed fortune to the email recipient. The victim simply needs to reply to the email and provide their personal banking data to facilitate a money transfer. Only later do victims realize that by offering their information, they left their funds susceptible.

[Image: 419 scam example]

Bank employees are particularly attractive phishing targets because they have access to customer and corporate accounts. Spear phishing attacks, those that target a specific person for a specific reason, use social engineering to lend credibility to the scam. For example, bank employees may receive a spoofed email from their company’s system administrator requesting they install an update, only to be lured to malicious websites where malware is automatically downloaded. The consequences of these spear phishing attacks can be devastating - especially when the criminals are able to raid the accounts of corporate businesses. Generally, it is the bank’s responsibility to replenish these marauded accounts.

According to a study released in August 2012 by the Ponemon Institute, 74 percent of 998 small-to-medium-sized businesses participating in the study have been at one time or another victims of electronic banking fraud. Moreover, 73 percent of those fraud attacks resulted in funds being transferred, with 61 percent of attacks resulting in at least some unrecovered funds. Of the 998 respondents, 40 percent said their encounters with banking fraud resulted in either the partial or complete termination of their erstwhile banking relationship.

How Banks Can Save Clients’ Savings

So who’s the sheriff in town that’s going to clean up cyberspace? Well, for starters, the best defense for banks is to self-police by taking proactive steps to avoid corruption of their web operations by brand impostors.

The FS-ISAC advises financial institutions to educate employees about ongoing web-based threats. Specific prescribed advice includes disallowing employees from conducting business on home computers and from surfing the Internet on network computers, and restricting employees’ access to payment and wire transfer systems while limiting how much an employee can transfer from an account at any one time.

It’s also imperative that banks subscribe to security services like those provided by IID (Internet Identity). Such services include anti-phishing and anti-malware detection/mitigation solutions; DNS and border gateway protocol (BGP) protections that identify and help shut down hijacked domains and IPs; databases containing up-to-date lists of fraudulent websites and email addresses; and secure network gateways that restrict employee access to malicious sites.

In the case of phishing sites, IID uses automated fraud pattern-detection solutions, malicious domain databases and a team of online security experts to sniff out fraudulent banking sites and eradicate them.

In cases where a phishing domain secretly resides on an innocent website, IID contacts the site’s owner and ISP to shut down the fraudulent web pages. When the domain of the phishing site is entirely criminal in nature, IID turns to the domain registrar and ISP to eliminate the domain and fraudulent content top to bottom. IID also works with email providers to root out fraudulent email addresses used to impersonate banking institutions.

Malware sites are trickier, especially with the sudden emergence of the Black Hole Exploit Kit (BHEK), which allows hackers to redirect victims who click on links embedded in spam messages across a series of hacked websites, before winding up on a landing page with a constantly changing URL. It is here that malicious software is automatically downloaded onto the victim’s computer. Despite their insidious nature, these attacks can be vanquished too, with the cooperation of registrars, ISPs and website owners.

In our next Takedown Taekwondo post, we’ll look at the higher education sector, including how they are victimized and the challenges in protecting them.
