Cyber Crime: Phony Tools, Web Injections, And Bank Fraud

Photo courtesy of Lee Davy via Flickr

Traditional bank capers and heists are becoming less and less frequent. While this is in part due to advances in bank security, robbers are also finding slippery new ways to steal — now more commonly from behind laptops than masks.

Crime moves to the net

The Wall Street Journal estimates that bank holdups have been cut in half in the last decade, with the decline in bank robberies exceeding declines in other criminal activity.

And while electronic crimes have risen simultaneously, resulting in larger sums stolen, a lack of physical heists has also resulted in less casualties. In 2011, bank robberies left 13 dead — 40% less than 2003.

Though cyber crime may be less violent, it’s still a serious issue, especially as hackers are getting exceedingly clever.

Notably impressive and extensive cyber-heists include a 2013 network of thieves stealing $45 million in 26 countries, including $2.5 million from ATMs in New York City.

The thieves pulled it off by stealing information from databases of prepaid debit cards, copying information onto doctored physical cards, eliminating withdrawal limits and creating access codes, then sending a network of operatives out to numerous cities and countries in what some describe as a “cyber flash-mob.”

Though the “big fish” are still at large, seven indicted suspects face up to 10 years in prison each.

Methods to the malware

The Internet is a dangerous no-man’s land where anyone who’s vulnerable – and at times those that aren’t – can be targeted and hacked.

How is it done? Thieves use botnets, also known as malware, to compromise financial networks. In the case of the ATM heist, these networks were credit card processors, but increasingly, hackers are targeting the client-end instead of the banks’ own servers.

Yes, this means you. According to a Michigan State University paper (pdf), this is because banks are implementing stronger server security, and client computers are outside of their protection.

It’s estimated that botnets successfully cause $300 million yearly in fraud losses, and that companies spend $1 billion to prevent further attacks – though their measures aren’t always successful.

The MSU paper describes the steps cyber-criminals take to commit online bank fraud:

1. Creating and spreading malware

Cyber criminals design malicious code; this malware infects computers and mobile devices by compromising browsers or using phishing attacks to attract users with spam websites and emails. Once infected, bots can exfiltrate sensitive information.

Other ways that malware is distributed in mass settings is through social networks exploiting trust: for example, “likejacking” attacks that trick users into liking and downloading malware.

Fake antiviruses and other phony tools are also used to fool users into inviting malware onto their machines. Some bots infect USBs to spread to different devices, and mobile bots are hidden in legitimate phone applications so as not to rouse suspicion.

2. Extracting data from infected devices

Infected machines are managed from a centralized server controlled by a “botmaster.” Bots use form grabbing and key logging to snoop information between client and bank servers.

Web injections are also used to trick users into providing more sensitive information using trick form fields. Plugins that take screenshots or use other methods to lift credit information are also common extraction tools.

3. Converting data into cash

Once data is stolen, cyber criminals have to sell it, often using Virtual Private Networks (VPN) to connect with Internet Relay Chat (IRC), used by underground economies where criminals can remain anonymous and communicate through untraceable encrypted channels.

Data can be sold in the form of dumps and purchased using e-currencies like Perfect Money, Western Union, or Money Gram, which can be converted into cash. IRCs also have “credit card shops” that sell credit card information for as cheap as $2- $20 (in 2013).

“Money mules” are also hired in some cases to use credentials to extract money from the bank and transfer it to offshore accounts, sometimes as e-currency.

Protective measures

According to the MSU paper, banks are deploying a number of countermeasures in attempt to prevent cyber-theft. They include:

  • Encrypted channels between endpoints (ineffective against browser-based attacks)

  • Multi-factor authentication systems providing unique “tokens” or one-time passwords, such as Bank of America’s SafePass.

  • Site-key authentication using verification images, selected text, and challenge questions

  • Virtual keyboards that protect against key logging (but unfortunately not against form grabbing)

While these complex multiple authentication measures can be effective, there is little to protect against web injections and man-in-the-browser attacks. Banks have to reach the levels of extremity these criminals have in order to stop them, and so far, they appear to be lagging behind.

Though better user education and cyber laws will help, ultimately, until better defense technology is implemented the moral is this: be wary of what you allow on your devices, because it could crawl into your wallet.

We measure success by the understanding we deliver. If you could express it as a percentage, how much fresh understanding did we provide?
Jennifer Markert