Educause Security Discussion mailing list archives

ALERT: Targeted attacks on institutional online banking


From: Doug Pearson <dodpears () REN-ISAC NET>
Date: Mon, 11 Jan 2010 17:29:22 -0500

January 11, 2010

Subject: Targeted attacks on institutional online banking

To: Participants in the EDUCAUSE Security Discussion Group,

We're aiming to raise awareness regarding targeted attacks that use
compromised commercial banking credentials to steal funds. Two of the
more successful are known as Clampi and Zeus. We'll be sending the
following letter to CIOs and business officers in 36+ hours.

At the bottom we've included additional discussion specific for this
community of security practitioners.


==================================================================
===================== START OF CIO/BO LETTER =====================
==================================================================

Alert: Targeted attacks on institutional online banking

We want to raise awareness, but not alarm, to an electronic crime threat
targeting institutional/commercial online banking activities. Two of the
most successful criminal operations (and the respective malware) are
known as Clampi and Zeus. The operations have been in place for over a
year, and have proven to be successful, difficult to stop, and damaging.
A public school district in Pennsylvania lost $700,000 in a two-day
attack. A county government in Kentucky lost $415,000. A New York school
district, $3MM of which .5MM remained unrecovered as of 6-Jan. [1][2]

Persons who conduct institutional/commercial online banking operations
are being specifically targeted by the criminals.

Standard desktop computer antivirus is not an effective defense because
the attackers constantly morph the attacks to evade antivirus
signatures. Network defenses such as firewalls and intrusion detection
systems are similarly ineffective. Some attacks have successfully
defeated two-factor authentication[3], although two-factor remains an
effective defense against many other attacks.

We recommend the following actions:

=== Business Officers and CIOs ===

1. Make sure that your peer (BO or CIO) has a copy of this message.

2. Read the Internet Crime Complaint Center (IC3) message [4].

3. Make certain that systems used in performing financial transactions
are protected by strict technical controls and receive periodic validation.

4. Make certain that personnel involved in performing online financial
transactions have the necessary security awareness and training. Those
persons should receive targeted training on phishing and this threat.

5. Have written policies defining the controlled environment in which
online banking transactions can be conducted, e.g. what systems can be
used, how they must be maintained, required personnel training, etc.

6. Routinely audit compliance with established technical controls and
policies.

7. WE STRONGLY RECOMMEND THAT all online banking operations be
conducted on special-use computers that are used SOLELY for banking
transactions. No other use of the machine should be permitted - no
e-mail, no web browsing, no general-purpose business use - nothing but
institutional online banking transactions.

How the attacks work: As described in an FBI release[5] "In a typical
scenario, the targeted entity receives a 'spear phishing' e-mail which
either contains an infected attachment, or directs the recipient to an
infected website. Once the recipient opens the attachment or visits the
website, malware is installed on their computer. The malware contains a
key logger which will harvest each recipient's business or corporate
bank account login information. Shortly thereafter, the perpetrator
either creates another user account with the stolen login information or
directly initiates funds transfers by masquerading as the legitimate
user. These transfers have occurred as both traditional wire transfers
and as ACH transfers."

We're sharing additional technical and policy information - aimed at
security officers and teams - to the public EDUCAUSE Security mailing
list, and within the private REN-ISAC [6] community.

The text of this message (along with clobber-free long reference URLs)
is at:
http://www.ren-isac.net/alerts/banking-attacks_20100111.html

A technical-audience version of this Alert is also located at that link.

Additional reading links are included below my signature.

If you have any questions, don't hesitate to e-mail me directly.


On behalf of the REN-ISAC team,

Doug Pearson
Technical Director, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630

---

References

[1] The Growing Threat to Business Banking Online
http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html

[2] FBI investigating online New York school district theft
http://www.computerworld.com/s/article/9143144/FBI_investigating_online_New_York_school_district_theft

[3] Real-Time Hackers Foil Two-Factor Security
http://www.technologyreview.com/computing/23488/

[4] Compromise Of User's Online Banking Credentials Targets Commercial
Bank Accounts
http://www.ic3.gov/media/2009/091103-1.aspx

[5] Fraudulent Automated Clearing House (ACH) Transfers Connected to
Malware and Work-at-Home Scams
http://www.fbi.gov/pressrel/pressrel09/ach_110309.htm

[6] REN-ISAC briefings
http://www.ren-isac.net/references.html

Additional references:

The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud
http://www.neustar.biz/pressroom/whitepapers/ACH_White_Paper.pdf

Online banking warning surprises some experts
http://content.usatoday.com/communities/technologylive/post/2010/01/online-banking-precaution-for-small-and-mid-sized-businesses-draws-attention-/1

Banking Securely Online, by US-CERT
http://www.us-cert.gov/reading_room/Banking_Securely_Online07102006.pdf

-o0o-

==================================================================
==================== END OF THE CIO/BO LETTER ====================
==================================================================

EDUCAUSE Security Discussion Group folks (continued):

Elaborating on the technical and policy controls mentioned in the CIO/BO
letter:

-- As mentioned, AV, firewall, and IDS don't prevent the problem. They
might help detect a breach after it's already happened, but that's often
too late. Two-factor authentication can be beaten, although it remains
an effective defense against many other attacks.

-- Application white-listing, e.g. on Windows, AppLocker[1][2], can
offer significant protection.

-- Systems used for online banking:

   + Should have the least amount of software installed as
     necessary to facilitate their business functions.

   + Should have Javascript and ActiveX disabled or specifically
     limited to trusted sites.

   + Should be subject to a change management process for
     any work that's to be done on the machine. Multiple-party
     approvals should be required.

   + Should be examined monthly and routinely patched by
     professional institutional IT security staff. If the system
     is not examined or patched by a specific date of a month,
     business office folks should not use it until the IT
     security staff bring it up to date.

-- Two-factor authentication should be used for banking access where
available. While two-factor authentication will not protect against all
attacks, it does provide protection against many. Sites should press
their banks to offer two-factor if they don't already.

-- As mentioned in the CIO/BO letter, separate machine(s) used SOLELY
for institutional online banking operations (and used for all such
operations) is STRONGLY RECOMMENDED. Useful technical and policy
controls include:

   Referencing the Neustar document[3]:

   + Don't make the machine part of a Windows domain. Administer
     the machine using a local administrator account.

   + Shut the machine down when not in use.

   + Implement very aggressive firewall and possibly proxy
     protections for the system. All non-banking traffic should
     be denied.

   + Aggressively monitor traffic to and from the system

   + Place the machine on a separate VLAN, on a secure dedicated
     hard-wired network connection.

   And additionally:

   + No other use of the machine should be permitted - no e-mail,
     no web browsing, no general-purpose business use - nothing but
     online institutional banking transactions.

   + Physical access to the machine should be tightly controlled.

   + The system should have a permanent and obvious distinguishing
     mark, e.g. spray paint it orange, to ensure there can be no
     mistaking that this is a special purpose machine.

   + Any other intentional use of the machine should be a cause
     for disciplinary action.

-- While virtual machine solutions are technically an option to
dedicated machines, in the interest of keeping the solution simple,
clean, usable, and understandable by non-technical business office
staff, we do not recommend virtual solutions.

-- And as always, "user privilege reduction" - the user should never
conduct normal use of the system under an admin-privileged account.

-- Other standard desktop hardening recommendations and practices apply,
e.g. [4][5].

We'd appreciate hearing your discussion on additional means to protect
against this threat.

The text of this message (along with clobber-free long reference URLs)
is at:
http://www.ren-isac.net/alerts/banking-attacks_20100111.html

[1] AppLocker
http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx

[2] Software Restriction Policies
http://technet.microsoft.com/en-us/library/cc766330%28WS.10%29.aspx

[3] The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud
http://www.neustar.biz/pressroom/whitepapers/ACH_White_Paper.pdf

[4] NIST Computer Security Resource Center - Systems Administration
http://csrc.nist.gov/itsec/

[5] Microsoft Security Guidance
http://technet.microsoft.com/en-us/security/bb977553.aspx

Additional references:

Clampi/Ligats/Ilomo Trojan
http://www.secureworks.com/research/threats/clampi-trojan/

Measuring the in-the-wild effectiveness of Antivirus against Zeus
http://www.trusteer.com/files/Zeus_and_Antivirus.pdf

ZeuS Tracker :: ZeuS blocklist
https://zeustracker.abuse.ch/blocklist.php


On behalf of the REN-ISAC team,

Doug Pearson
Technical Director, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
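The following script is an added example, not part of Doug Pearson's message or of REN-ISAC's published alert. It shows one way to implement several of the controls listed above (default-deny firewall with only the bank's endpoints allowed, allowed/blocked traffic logging, an AppLocker whitelist built from the installed software, and a non-admin account for day-to-day use) on a stand-alone, non-domain Windows banking workstation. It uses the NetSecurity, AppLocker and LocalAccounts PowerShell modules that ship with Windows 8.1/10 and PowerShell 5.1, so it is later tooling than the 2010-era AppLocker/SRP guidance referenced in the message. The bank IP addresses, the log and policy paths, and the "banking" account name are placeholders to replace with your own values.

```powershell
# Added example (not from the REN-ISAC alert): baseline hardening for a
# dedicated, non-domain-joined Windows banking workstation.
# Run from an elevated PowerShell session on the banking machine.
#Requires -RunAsAdministrator

# --- Assumed values (placeholders): replace with the bank's published
#     endpoints and your own paths/account name. 198.51.100.0/24 is the
#     RFC 5737 documentation range, used here only as a stand-in.
$BankHosts   = @('198.51.100.10', '198.51.100.11')
$FirewallLog = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
$PolicyDir   = 'C:\BankingWorkstation'
$PolicyPath  = Join-Path $PolicyDir 'AppLocker-audit.xml'
$BankingUser = 'banking'

New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Firewall: block everything in and out by default on all profiles and
#    log both allowed and blocked connections, which gives the "aggressive
#    monitoring" of traffic to and from the system a data source.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogAllowed True -LogBlocked True `
    -LogFileName $FirewallLog -LogMaxSizeKilobytes 32767

# Disable the built-in outbound allow rules except the Core Networking
# group (DHCP, DNS, ICMP), so the only application egress left is the
# explicit bank rule added below.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayGroup -notlike 'Core Networking*' } |
    Disable-NetFirewallRule

# The one permitted egress path: HTTPS to the bank's endpoints only.
New-NetFirewallRule -DisplayName 'Banking - HTTPS to bank endpoints only' `
    -Direction Outbound -Action Allow -Profile Any `
    -Protocol TCP -RemotePort 443 -RemoteAddress $BankHosts | Out-Null

# 2. AppLocker whitelist: build publisher/hash rules from what is already
#    installed, apply it in AuditOnly first, then switch to Enabled once
#    the audit log shows no legitimate blocks.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

$fileInfo = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse `
            -FileType Exe, Script, WindowsInstaller
    }
}
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
# New-AppLockerPolicy emits EnforcementMode="NotConfigured"; start in audit mode.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 3. Privilege reduction: a standard (non-admin) local account for the
#    business office user; administration stays on a separate local admin.
if (-not (Get-LocalUser -Name $BankingUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for standard user '$BankingUser'"
    New-LocalUser -Name $BankingUser -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $BankingUser
}

# 4. Verification checks to record in the monthly review.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, DisplayGroup
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path 'C:\Windows\System32\notepad.exe' -User Everyone
Get-LocalGroupMember -Group 'Administrators'   # should list only the local admin account
```

Because all application egress other than the bank rule is blocked, Windows Update and AV signature updates will not reach the Internet from this machine; that is intended here, and fits the message's model of periodic patching by IT security staff under change management (open a temporary rule for the patch window and close it afterwards, with the approvals the policy requires). If the bank publishes hostnames rather than fixed addresses, resolve and review them as part of that same monthly check, since `-RemoteAddress` takes addresses and ranges, not names. AppLocker enforcement requires a Windows edition that supports it; on editions that do not, the older Software Restriction Policies referenced in the message are the fallback.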
