“After a possible, brief delay due to a law enforcement investigation, the institution whose data has suffered a breach should need to inform the public that it happened,” said Lanny Breuer, assistant attorney general for the department’s criminal division, speaking during a session at Fordham Law School.
He added that the DoJ frequently sees “large-scale hackers, often based overseas, attempting to gain access to the private financial and personal information of individuals, as well as to sensitive government information. And because of how sophisticated these criminals have become, and because they are often located abroad, they can be very hard to catch.”
The remarks come during a banner week for financial cybercrime. For one, authorities arrested 14 individuals in an identity-theft ring that targeted tax refunds, causing damages of $11.3 million according to a US attorney's office in New Jersey. Then, both Bank of America and JPMorgan Chase’s public websites experienced outages. The Cyber fighters of Izz ad-din Al qassam took credit for the outages, saying they were protesting the anti-Islam “Innocence of Muslims” video.
Meanwhile, the FBI has published a fraud alert advising financial services firms that cyber criminals may be disrupting service to their websites in a bid to keep banks from noticing a recent surge in fraudulent large-sized wire transfers.
Bauer called cybercrime a top threat to national security and underscored the size of the problem. “While anti-virus software is critically important, it can only protect us from known vulnerabilities. And criminals around the world are working every day to come up with new ways to attack our computers and networks,” he noted.
One illustration of the nature of the threat can be seen in botnets, he said, networks of compromised computers under the remote command and control of cybercriminals. “Once the software is installed, the botnet’s owner can capture every password, credit card number and email typed on the infected computer,” he said. “The users of these infected computers are suffering from an extensive invasion of their privacy almost every time they turn on their devices – and they don’t even know it.”
In tandem with the address, the Financial Services Information Sharing and Analysis Center has raised its threat level for financial cyberattacks to “high,” up from the medium-level “elevated.” FSISAC said that issues of concern include the “recent credible intelligence regarding the potential for DDoS and other cyber attacks against financial institutions” (the suspected issue with Bank of America and Chase), and the Internet Explorer zero-day, which Microsoft patched today.
“Microsoft is aware of targeted attacks via active exploitation of a zero-day remote code execution vulnerability in Internet Explorer,” the Center said. “Members should maintain a heightened level of awareness, apply all appropriate updates and update AV and IDS/IPS signatures, and ensure constant diligence in monitoring and quick response to any malicious events.”