Criminals intent on stealing millions of dollars from consumer bank accounts plan to unleash a massive cyberattack on major U.S. banks, security firm McAfee warns in a new report, confirming a warning from RSA, the security division of EMC Corp., which said in October that a criminal ring had created an advanced cyberattack to steal money from bank accounts at major banks.
The attack, known as Project Blitzkrieg, is expected in spring 2013, using a sophisticated Trojan that has already been successfully tested on at least 300 bank accounts.
Since bank security is alerted if a customer uses a different computer to access their account, the attackers plan to clone computers to make it look like they are using customers’ home computers. And, to get around the bank’s policy of limiting the size of transfers, the criminal ring is recruiting hundreds of “criminals” to transfer smaller amounts each time they log into the account.
The Russian-based scheme entails a recruiting campaign that promises hackers a cut of stolen funds and the backing of two Russian cybercriminals, including a cybermafia chief known as NSD. Hackers are prepared to infect computers with malware and use stolen user names and passwords to move money out of users’ accounts.
Publicity may well force the Russian criminals to postpone or even cancel the attack. But those who bank online need to be aware of the possibility that this may go forward.
One of the primary weaknesses of online banking is its susceptibility to credential-stealing and session-hijacking malware. While security software and regular patching help to somewhat mitigate the risks on this front, hackers have a huge financial impetus to discover novel security loopholes and ruthlessly exploit them for personal gain.
Using a separate computer for online banking sidesteps this arms race by working on a system that is not at risk from two of the most common vectors of infection: Web browsing and phishing emails. So while the idea of using a separate computer for online banking sounds somewhat archaic, doing so does offer a much greater level of protection against Trojans and malware. A netbook will more than suffice for this task, as will an unused computer or even a tablet. For the first two options, it makes sense to equip them with the latest security software, too, and it is best to avoid using the obsolete Windows XP operating system on these machines.
With a new generation of banking malware already making the rounds stealing one-time keys from infected mobile phones, it is surprising that some financial institutions still rely on a static username and password combination for authentication. As a bare minimum, you should insist on a physical key fob for generating a one-time security key for logging on, or on a text message containing the same information. The first option is more desirable at this point, though the second still offers reasonable protection.
Of course, the key fob might not work, because malicious software is also helping thieves defeat so-called two-factor authentication, which generally involves requiring online banking customers to enter something they have in addition to their user name and password, such as the code generated by a key fob that creates a new, six-digit number that changes every 30 seconds.
DSL and cable modem connections are more vulnerable to attack because they offer an “always on” capability. You can help protect your computer from attack by using a personal firewall. Personal firewalls can be software, hardware, or both, and create a barrier to attacks.
Don’t use Microsoft Windows when accessing your bank account online. Virtually all of the data-stealing malware in circulation today is built to attack Windows systems, and will simply fail to run on non-Windows computers.
Switching to a Linux build on a Live CD when banking online will protect a banking session even if the underlying hard drive has been infected.
Where protecting mobile devices is concerned, not jailbreaking (iOS) or rooting (Android) a smartphone offers slightly more protection by allowing a standard vetting process from smartphone makers to help weed out Trojan apps. Turn off features of the device that are not needed, to minimize its attack surface. Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft. And, most importantly, use the same precautions on your mobile phone as you would on your computer when using the Internet.