Comment: Bank Heists Haven’t Disappeared, They’ve Evolved

Has the botnet taken over from the balaclava?
Has the botnet taken over from the balaclava?

At the end of last year, the British Banker’s Association claimed the number of bank robberies had dropped 90% over the past 20 years, effectively making such raids a thing of the past. But has the threat really disappeared, or have heists simply become more high tech? Has the botnet taken over from the balaclava? In a world where virtual currencies rival established coinage, is the pen and propaganda as mighty as the shotgun?

Whether through the sending or planting of sophisticated trojans that enable data ciphering, credential capturing, eavesdropping and so on, or whether it is tweeting good or bad news to manipulate share pricing, there is clear evidence of sustained attacks by cybercriminals for financial gain or influence. Organizations are being attacked using multiple techniques so, for example, a company’s social media accounts may be compromised, leading to reputational risk and an impact on share price. Malware may be simultaneously deployed – perhaps through an identified backdoor – to obtain sensitive data, the idea being that the organization may be caught off-guard while dealing with the social media attack.

On a wider scale, the top trading markets are also at risk, although not by known exploits. These systems tend to be robust and the processes around them are often well governed. To extract money from a trading system requires a trading account, and it is here where governance is needed, such as KYC (Know Your Customer), due diligence controls, and monitoring for suspicious activity. With recent waves of hedge funders, stock shorting and the like, many organizations have already taken notice of these risks and are acting accordingly.

Yet this does not make established trading markets foolproof: such systems can still be highly volatile and easily swayed by propaganda. One need only look at the false tweet sent out over the hacked Twitter account of the Associated Press in April 2013. The errant tweet claimed there had been an explosion at the White House, causing the DOW to briefly lose 0.9% of its value, equivalent to more than $130 billion. Thankfully, the AP quickly helped resolve the situation, suspending its account and sending out alerts that its Twitter account had been hacked, so the market quickly rallied.

This highlights the effectiveness of a well-thought and executed incident response plan. Not all organizations are as well prepared, Target being a case in point; the company now admits to having missed early warning signs, the CIO and CEO have resigned, sales are down and the share price has only partially recovered. Not only could Target have acted more swiftly, it also could have more effectively managed the subsequent negative PR.

Unethical hackers and cybercriminals are now routinely using propaganda and digital attack skills to affect share prices. Bad news or misrepresentation of events can affect share prices, just like insider trading; however, it is now easier to do so on a larger scale with electronic trade manipulation.

Communicating with the masses and targeting a release while simultaneously attacking a commodity will lead to a financial impact far greater than the traditional fraud schemes we were used to. Time is also in the attacker’s favor, ensuring that it will be focused, and in some fast-moving exchange commodities the attack can happen over a short period of time, making it harder to detect and prevent.

In contrast to established markets, virtual currencies are more vulnerable. An April 2013 attack against a Bitcoin exchange resulted in a significant, albeit temporary drop in the value of the virtual currency. Mt Gox had to fight off multiple distributed denial-of-service (DDoS) attacks, as the site was bombarded with huge amounts of data. Subsequently, a substantial volume of the currency was stolen due to a vulnerability in the trading platform, and this resulted in Mt Gox filing for bankruptcy.

The lack of traceability for some virtual currencies makes them highly attractive for criminals to launder their proceeds. In addition, sites offering cybercrime and malware toolkits, identity data and the like are increasingly using Bitcoin as the currency of choice for any transaction. We have also seen a new trend of ‘ransomware’ whereby a payment must be tendered (often via Bitcoin or other virtual currencies) for affected individuals to regain stolen or locked data.

Although regulators are aware of these issues, the regulation of virtual currencies is lagging behind their adoption (both legitimate and illegitimate offerings). Broadly speaking, there are two approaches being taken at this time. The first approach is to simply ban banks from handling trade in virtual currencies, and this is something that China is attempting along with Thailand and numerous other countries. This is rather futile and will simply force trading underground.

The other approach is to recognize Bitcoin and other virtual currencies as being fully legitimate alongside traditional currencies. As with transactions made in traditional currencies, there needs to be traceability for transactions and the same regulations around, for example, anti-money laundering and counter-terrorist financing.

Regulation is behind the curve, and law enforcement has limited resources to deal with financial cybercrime. There are also the challenges of sharing intelligence and coordinating activities across multiple forces in multiple countries. Although things are moving in the right direction with the launch of the European Cybercrime Centre (EC3), and in the UK the new National Crime Agency, there is still a general skills and knowledge gap that needs to be filled before law enforcement can effectively combat cyber financial crimes. The bank job has not disappeared but evolved, and from micro payment theft to the Zeus banking trojan, high-tech heists will continue until we devote the resources necessary to counter them.

Darren Hodder is an associate consultant and fraud expert with Auriga. He a frequent speaker and contributor to forums such as the Fraud Advisory Panel, IAFCI and the Fraud & Cybercrime Forum, and is a domain expert and specialist on technical, data, and software solutions for fraud risk issues. Having worked extensively with international credit bureau and payment service providers, Darren is also VP, Cyber Fraud Intelligence, for the CSCSS (the Centre for Strategic Cyberspace + Security Science) and in April 2012 he founded and launched #TheFraudTube as a news and information resource for the counter-fraud community, where he is Chief Editor and a regular blogger.

What’s hot on Infosecurity Magazine?