Zeus gets a little help from DDoS to defraud consumers, banks

Zeus gets a little help from its friend, DDoS. That's right, its Friday...
Zeus gets a little help from its friend, DDoS. That's right, its Friday...

The Federal Bureau of Investigation (FBI) recently warned consumers about a multiprong scam that involves the use of spearphishing, the Zeus trojan, DDoS attacks, and a jewelry heist.

The spam campaign pretends to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there is a problem with the ACH transaction at their bank. Once they click on the link they are infected with a variant of the Zeus trojan known as Gameover, which is able to keylog their information and steal their online banking credentials, the FBI Denver Cyber Squad explained.

“After the accounts are compromised, the perpetrators conduct a DDoS attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found). A portion of the wire transfers (not all) are being transmitted directly to high-end jewelry stores, wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired)”, the FBI explained.

Paquette was a bit perplexed by this explanation by the FBI. He noted that if the DDoS attack was launched before the attempted wire transfer, the bank would not be able to transfer the money. “According to the report, the criminals are able to complete the fraudulent transfers, yet they are allegedly launching DDoS attacks that stop either consumers from reporting it or banks from reversing the transactions”, he said.

The Corero CSO surmised that once the cybercriminals obtain the required information through the keylogging trojan, they complete the fraudulent transaction using the stolen credentials in a compressed time frame. Immediately after doing so, they launch the DDoS attack using a botnet against the bank’s IT infrastructure to stop consumers from filing a complaint and preventing banks from communicating with their financial services partners, Paquette judged.

“My conjecture is that is probably how it works, and the DDoS attack works by overloading portions of the infrastructure, such as switches, routers, and internet links, or it overloads the servers themselves”, he said.

Paquette offered a number of tips to banks to guard against DDoS attacks being used as a smokescreen for illegal money transfers. “Banks need to look at their infrastructure and determine which parts could be negatively impacted” by a DDoS attack, he said.

Banks should make sure that the application delivery servers are up-to-date on patches, that they are running latest versions of operating systems and applications, that they have been provisioned properly with enough capacity to handle a significant load, and that they are adequately protected against DDoS attacks, Paquette advised.

What’s Hot on Infosecurity Magazine?