The way businesses and consumers do their banking online has changed rapidly in a very short period of time, as the cat-and-mouse game between financial institutions and cyber-attackers reaches a new, and somewhat unpredictable, phase.
Back in 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance meant to serve as a risk management framework for financial institutions offering internet-based products and services to their customers. It set out expectations for effective authentication controls applicable to “high-risk online transactions involving access to customer information or the movement of funds to other parties”.
Six years later, in a follow-up supplement released in June, the message hasn’t really changed, but the context has widened. In it, the council focuses a great deal on how financial institutions need to consider new and evolving threats, particularly as they relate to assessing risks to online accounts, adjusting customer authentication, layering security, and establishing minimum control expectations for the online banking activities that warrant stronger controls.
“The next generation of threats have changed radically from just a few years ago”, says Ashar Aziz, founder, CEO and CTO at FireEye. “Most of today’s attacks are targeted with the goal of obtaining something valuable – sensitive personal information, intellectual property, authentication credentials, insider information – and each attack is often a multi-staged endeavor to penetrate the network, spread slowly to key systems, and exfiltrate the sensitive data found on those systems.”
Aziz says these types of attacks occur every day, and the ones that grab headlines are just “the tip of a vast iceberg”. These stealthy attacks tend to combine web- and email-based infection tactics with technology that keeps them under the radar once they are planted in the network.
The problem compounds quickly because traditional security technologies, such as next-generation firewalls, intrusion prevention systems, anti-virus and web gateways, are not effective enough against these threats, which can be modified repeatedly to lure unsuspecting end-users into the same trap.
“From a technology standpoint, traditional protections still rely too heavily on signatures and known patterns of misbehavior to identify and block threats”, Aziz says. “These defenses are good at detecting the known, but are blind to the polymorphic, dynamic, ‘unknown’ malware attacks that essentially look ‘new’, or zero-day, every time they’re used to penetrate networks. In addition, these disparate technologies do not coordinate defenses across attack vectors, with email and web as the predominant mechanisms.”
Ori Eisen, CTO of 41st Parameter, sees it the same way. The number of infected websites, and the number of users who came into contact with each infection point, can only be estimated, he says, and infections are usually discovered only after information has been compromised or a mistake in the malware’s code has exposed it.
The King of Drive-bys
A lot of these new attacks are considered ‘drive-bys’, meaning that a piece of malware installs itself on an end-user’s machine simply because the user loaded a web page that carries the infection. Unlike phishing attacks, which dupe users into handing over usernames and passwords so attackers can gain access, a drive-by only needs to lure the user into clicking a link.
A tactic like this first became widely visible after the death of pop music icon Michael Jackson, when cyberattackers sent out random email blasts with links to bogus web pages carrying malicious code, thereby infecting users who clicked to open the links.
“Drive-bys are subtle because they carry malware that takes very little to attach itself, and since the user doesn’t even realize it’s happening, it’s only a matter of time before it starts phishing for banking information”, Eisen says. “What they do is home in on very specific use cases, so even if a lot of people may have been infected, it won’t be used on those who don’t have treasury, corporate or commercial accounts.”
A drive-by can be even more insidious because it can also impersonate a user’s login session. What that means is cyberattackers can not only log in to a user’s account, but also precisely emulate that user’s behavioral pattern. A user’s settings, click frequency, browsing history and time spent logged in would be in full view for attackers.
Identifying an Impostor
Banks with detection capabilities may be able to tell when users have been infected in this way, provided their tools are looking for those types of compromise. Eisen says major banks are ready, but smaller financial institutions are likely not there yet. This is a problem because the malware can move from the user’s machine into the bank’s own systems relatively easily, riding on a simple login.
“When setting out to detect the copy, it’s not just listening to the message in the data that’s important, what’s more important is to listen to the authenticity of that message”, says Eisen. “Did the message actually come from the user’s computer? Are there other signals that give us reason to believe we’re talking to an impostor?”
The two most common malware programs that use this method are Zeus and SpyEye, but Papras is another that is gaining notoriety in IT circles. It’s also known by a few other aliases, such as Snifula, Ursnif, or Mdrop-CAD. FireEye’s Aziz says it’s particularly dangerous because it steals entire web forms and exfiltrates them to a command-and-control server through HTTP POST. It also features keylogging capabilities to steal information from Outlook and passwords from the browser cache.
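A form-grabber like the one described above pushes the captured form out of the network as an ordinary HTTP POST, so egress logs are one place a defender can look for it. The following is an added illustration, not code from any product named in this article: it scans constructed proxy log lines for POSTs that carry the bank login form’s field names to a host other than the bank itself. The log format, host names and field names are all assumptions.

```python
"""Flag HTTP POSTs that look like a stolen bank login form leaving the
network for an unexpected host. Added illustration; the log format,
field names and hosts are constructed, not from any real product."""
import re
from urllib.parse import urlsplit, parse_qs

# Hosts the bank's login form is legitimately posted to (assumed).
TRUSTED_HOSTS = {"online.examplebank.test"}
# Field names present on the bank's login form (assumed).
FORM_FIELDS = {"userid", "passcode", "otp"}

# Constructed proxy log lines: "<ts> <client> <method> <url> <body>"
SAMPLE_LOG = """\
2011-06-30T09:12:01Z 10.0.0.5 POST https://online.examplebank.test/login userid=alice&passcode=hunter2&otp=123456
2011-06-30T09:12:03Z 10.0.0.5 GET  https://online.examplebank.test/accounts -
2011-06-30T09:12:04Z 10.0.0.5 POST http://203.0.113.9/gate.php userid=alice&passcode=hunter2&otp=123456&form=login
2011-06-30T09:13:10Z 10.0.0.7 POST https://cdn.example.test/metrics ev=click&page=home
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\s+(\S+) (\S+)$")

def parse_line(line):
    """Split one constructed log line into its fields, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, body = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "body": body}

def suspicious_posts(log_text, min_overlap=2):
    """Return (client, host, fields) for POSTs to untrusted hosts whose body
    carries at least min_overlap of the bank form's field names."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        host = urlsplit(rec["url"]).hostname
        if host in TRUSTED_HOSTS:
            continue          # the bank's own login traffic is expected
        fields = set(parse_qs(rec["body"], keep_blank_values=True))
        overlap = fields & FORM_FIELDS
        if len(overlap) >= min_overlap:
            hits.append((rec["client"], host, sorted(overlap)))
    return hits

if __name__ == "__main__":
    for client, host, fields in suspicious_posts(SAMPLE_LOG):
        print(f"ALERT {client} posted bank form fields {fields} to {host}")
```

The check only sees plaintext bodies, so in practice it runs at a TLS-inspecting proxy or on the endpoint; a grabber that encrypts or renames fields before posting needs a different signal.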
MRG Effitas, an independent research firm that studies malware and analyzes prevention methods through testing real-world conditions, conducted a simulation meant to gauge the detection and response capabilities against what it calls “Man in the Browser” attacks, or MitB, for short. This sort of attack falls along the same lines as a drive-by in that it is designed to capture login information directly from a user’s browser session, even when the site is SSL-encrypted.
Of the 28 security applications tested, five were suites that banks consider ideal for end-users to install on their Windows PCs for online banking security. MRG Effitas’ results showed that none of the five was able to identify the malicious code. Indeed, out of all 28 applications tested, BullGuard Internet Security was the only one that detected it. The results were also fairly consistent regardless of whether the PCs were running 32-bit or 64-bit Windows.
Jim Bruene is the founder and editor of The Finovate Group, a series of conferences highlighting the best innovations in financial and bank technology. He also runs Online Financial Innovations, a research firm that issues regular reports on online banking. Though he admits his expertise isn’t on the security side of online banking, he says it’s clear that commercial accounts are the number one target.
“Most of the problems are on the business side because, for most of the 20-year history of personal online banking in the US, you haven’t been able to move money out of your account easily, except for bill payments”, Bruene says. “Pulling out thousands of dollars from someone’s personal account when he’s never wired money from there before is an easy red flag for banks, whereas business accounts have larger amounts going back and forth more frequently, making them prime targets.”
Financial institutions will also have to contend with the rise of smartphones as online banking tools, he adds. Finding the happy medium between convenience and security is likely to be an issue for banks and security vendors, and there is no doubt that cyberattackers will exploit any vulnerabilities they can find, given that mobile phone security is still a mixed bag.
“Bank of America’s SafePass feature sends you a one-time, six-digit code via text message that you use to log in”, Bruene shares. “The code is gone after you’ve successfully logged in, so there’s no set password that can be captured by a keylogger. It’s probably not bulletproof, and it’s not terribly convenient, but at least they’ve added that extra layer.”
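The property Bruene describes, a code that is consumed by the login that uses it, is what defeats a keylogger: the captured digits are worthless after the first use. The store below is an added illustration of that behaviour, not Bank of America’s implementation; the five-minute lifetime, the three-guess limit and the in-memory store are assumptions.

```python
"""Single-use login code of the kind described above. Added illustration,
not any bank's implementation; the lifetime, attempt limit and in-memory
store are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed)
MAX_ATTEMPTS = 3    # wrong guesses allowed before the code is burned (assumed)

class OneTimeCodeStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> (code_hash, expires_at, attempts)

    def issue(self, user):
        """Generate a six-digit code and keep only its hash server side.
        A six-digit space is tiny, so the hash does not resist offline
        guessing; expiry and the attempt limit carry the real protection."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (self._hash(code), self._now() + CODE_TTL, 0)
        return code              # delivered to the user's phone out of band

    def verify(self, user, code):
        """True exactly once per issued code. Expired, exhausted, wrong or
        replayed codes are rejected; a consumed code is deleted on success."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # burned: user must request a new one
            return False
        if hmac.compare_digest(code_hash, self._hash(code)):
            del self._pending[user]          # consumed: a replayed copy now fails
            return True
        self._pending[user] = (code_hash, expires_at, attempts + 1)
        return False

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).digest()
```

A keylogged code can still be used before its owner, which is why the code is tied to one login attempt and a short window rather than treated as a reusable password.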
Because the majority of B2B commerce takes place on end-user workstations, cyberattackers keep adapting to find discreet and methodical intrusion points that are very hard to detect. And because software like Zeus is open-source, an underground community all over the globe refines and alters the code.
This is why IT security professionals and financial institutions need real-time technology that analyzes URLs for malicious content, says Aziz. Static lists of bad domains are not enough on their own, and URL filtering is generally better at enforcing an organization’s acceptable web usage policies than it is at catching malware on the fly, he adds.