19 Year-Old 'Superhacker' Arrested in Argentina

Police interest started last year when, according to the Independent, "a businessman providing website hosting services said he had discovered a hacker was remotely accessing his servers to intercept money transfers."

The investigation soon revealed that the culprit was engaged in wider criminality, and eventually led to the arrest of the unnamed 'superhacker,' believed to be the son of a computer engineer. "Experts believe the 'super-hacker' diverted about $50,000 a month to his bank account, using the 'technological cave' he assembled at his home," reports the Telegraph. "Police raiding his Buenos Aires residence seized sophisticated computers and other technological equipment."

This equipment is thought to include the C&C server used to deliver malware to the victims' computers. Precise details of the operation have not been released, but the pattern described, remote access to a hosting provider's servers and intercepted money transfers, is consistent with a man-in-the-browser trojan, which alters a victim's online-banking session to divert funds to an account the attacker controls.

Two things particularly stand out from the police operation. The first is that, in order to preserve forensic evidence, "The arrest operation shut down the power to the entire neighbourhood to prevent the deletion of sensitive data," reports the BBC. That is a blunt instrument: it stops a remote or timed wipe of the disks from running, at the cost of whatever was held only in memory, such as running processes and the keys to any encrypted volumes.

The second explains the name of the police operation: 'Zombie.' "Operation Zombie is so called because, in an attempt to complete the job unnoticed, the suspected hacker would use a network of thousands of 'zombie' computers to bombard the target servers with a 'denial of service' attack, ensuring users could not access their accounts around the time of the cyber raid."

We don't yet know whether the 'superhacker' ran his own botnet for the DDoS attacks or hired one as needed. Using a DDoS as cover is, however, a growing practice in financial fraud. The flood disrupts the bank's standard procedure of sending a transaction confirmation email, and even if the email is sent, the victim is less likely to be able to reach the account to accept or reject the transaction; by the time access is restored, the automated transaction will have completed.

Not all security experts believe that this is a useful criminal approach, however. "Hiding a fraudulent transfer behind a DDoS is an interesting approach," David Harley, senior research fellow at ESET told Infosecurity. "But I’d say it’s overkill. After all, a DDoS attack is going to attract attention from the provider, even if it succeeds in its initial task – doesn’t the DoS hamper the intercept of the transfer?"

This echoes advice issued by Gartner just last month: "One rule that banks should institute is to slow down the money transfer system while under a DDoS attack." A bank that did this would turn the attacker's own cover against him: transfers queued during the attack would wait for confirmation instead of completing automatically, so the fraud could be caught rather than merely hidden.
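As an added illustration of the Gartner rule, and of the fraud pattern it is meant to defeat, the following Python is example code written for this page, not Infosecurity's, Gartner's or any bank's. It assumes a constructed access log in the form "<ISO time> <method> <path> <status>", a login endpoint called /login whose availability stands in for the whole site, a hypothetical 'phone' out-of-band confirmation channel, and arbitrary thresholds (a 60-second window, 20 requests, a 50% error ratio, a 1,000 auto-clear limit). It detects the degraded state from the log and, while in that state, refuses to let any transfer auto-complete.

```python
"""Hold money transfers for out-of-band confirmation while the customer-facing
site is under DDoS.  Added example, not the page's or any vendor's code; the log
format, endpoint, thresholds and the 'phone' channel are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

UTC = timezone.utc
LOGIN_PATH = "/login"  # assumed endpoint whose availability we watch
T0 = datetime(2013, 3, 15, 9, 59, 0, tzinfo=UTC)  # start of the constructed log


def at(offset_s: int) -> datetime:
    """Instant `offset_s` seconds after the start of the sample log."""
    return T0 + timedelta(seconds=offset_s)


def stamp(offset_s: int) -> str:
    return at(offset_s).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample access log: 25 healthy logins from 09:59:00, then 40
# consecutive 503s from 10:00:00 as the login page collapses under the flood.
SAMPLE_LOG: List[str] = (
    [f"{stamp(i)} POST {LOGIN_PATH} 200" for i in range(25)]
    + [f"{stamp(60 + i)} POST {LOGIN_PATH} 503" for i in range(40)]
)


def parse_line(line: str) -> Tuple[datetime, str, int]:
    ts, _method, path, status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return when, path, int(status)


def availability_state(lines: Iterable[str], now: datetime,
                       window: timedelta = timedelta(seconds=60),
                       min_requests: int = 20,
                       max_error_ratio: float = 0.5) -> str:
    """Return 'degraded' when, in the window ending at `now`, at least
    min_requests hit the login endpoint and more than max_error_ratio of them
    failed with a 5xx; otherwise 'normal'.  The request floor stops one failed
    request in the middle of the night from tripping the control."""
    cutoff = now - window
    seen = failed = 0
    for line in lines:
        ts, path, status = parse_line(line)
        if path != LOGIN_PATH or not (cutoff <= ts <= now):
            continue
        seen += 1
        if status >= 500:
            failed += 1
    if seen >= min_requests and failed / seen > max_error_ratio:
        return "degraded"
    return "normal"


@dataclass
class Transfer:
    ref: str
    amount: float
    new_beneficiary: bool
    confirmed_via: Optional[str] = None  # 'web', 'phone' (out-of-band) or None


def transfer_decision(t: Transfer, state: str, auto_clear_limit: float = 1000.0) -> str:
    """'clear' releases the payment; 'hold' parks it until a human or an
    out-of-band channel confirms it."""
    if state == "normal":
        # Ordinary flow: small payments to known beneficiaries go straight
        # through; anything else needs a confirmation by any channel.
        if t.amount <= auto_clear_limit and not t.new_beneficiary:
            return "clear"
        return "clear" if t.confirmed_via else "hold"
    # Site under DDoS: the customer cannot reach the site to reject a
    # fraudulent transfer, so nothing auto-completes.  A 'web' confirmation
    # arriving while the web tier is unreachable is itself suspicious and does
    # not count; only the out-of-band channel releases the payment.
    return "clear" if t.confirmed_via == "phone" else "hold"


def process(transfers: Iterable[Transfer], log_lines: Iterable[str],
            now: datetime) -> Dict[str, str]:
    state = availability_state(list(log_lines), now)
    return {t.ref: transfer_decision(t, state) for t in transfers}


if __name__ == "__main__":
    batch = [Transfer("T1", 200.0, False), Transfer("T2", 5000.0, True, "web"),
             Transfer("T3", 5000.0, True, "phone"), Transfer("T4", 5000.0, True)]
    for when in (at(30), at(105)):  # before and during the flood
        print(when.isoformat(), availability_state(SAMPLE_LOG, when),
              process(batch, SAMPLE_LOG, when))
```

The design choice worth noting is that the degraded state does not reject transfers, it only removes the automatic path: a legitimate customer is inconvenienced by a phone call, while the fraudster loses the one thing the DDoS was buying him, a transaction that completes before anyone can look at it.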

A more effective approach, already seen with some eastern European malware, says Harley, would be the use of camouflage techniques such as "spurious error messages indicating that the server is unavailable or that there’s an authentication problem. Genuine-sounding ‘errors’ on the client side rather than server-side are far less likely to attract attention."
