BayPay Forum
7 'Star Wars Day' Cybersecurity Lessons

Category: Security News

Cybersecurity, Risk Management

May the Information Security Force Be With You
Mathew J. Schwartz (euroinfosec) • May 4, 2016
(Source: StarWars.com)

"May the Fourth be with you."


Star Wars Day happens every year, celebrating the iconic science-fiction film franchise. It's the perfect time to celebrate these cybersecurity essentials, as received from "Star Wars" canon wisdom.

1. Too Good To Be True?

"Received an email or communication that sounds too good to be true? When in doubt, throw it out! #StarWarsDay pic.twitter.com/qS4nj6N6BE" (tweet, May 4, 2016)

Have you ever come out of hyperspace in an attack against a Death Star, only to be caught out by a hidden Imperial fleet? Or have you ever been emailed by a Nigerian prince, asking if he can keep his $20 million tucked in your bank account indefinitely?

In the words of Admiral Ackbar: "It's a trap!"

2. Recruit Who You Must

In "Star Wars," the future of the universe relies on a whiny kid who takes a lucky shot, blows up a doomsday machine, but then can't stick the long-term training, gets his hand cut off by his father, watches his friends get captured by the opposition, and only then manages to come back dressed in all black - sporting a new, robotic hand - and save the day.

Takeaway: Don't be afraid to look for help in the most unlikely of places.

On the security front, one ongoing challenge is keeping users keyed in to emerging attacks, including phishing and malware. And where security awareness training is concerned, always remember the fun factor. In short: Never underestimate the power of kittens.

3. Test Things Before They Break

(Photograph: Sam Howzit, Flickr/CC.)

Ever needed to escape a blockade, only to find that your "bucket of bolts" can't make the jump to light speed, because you failed to keep your ship tuned up?

The same goes for information security defenses, and ensuring that, unlike Target, you're paying attention to alarms before the situation becomes critical.

4. Don't Fear the Dark Side


One recurring problem in information security circles is the proclivity by practitioners - and especially vendors - to trade on fear, uncertainty and doubt. But FUD doesn't help anyone get their cybersecurity shop in order. As Yoda tells Luke Skywalker: "Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering." And who wants to suffer?

5. Scum Will Congregate


The scum of the universe will always find ways to congregate. As Obi-Wan Kenobi noted of a certain less-than-desirable piece of intergalactic real estate: "Mos Eisley spaceport: You will never find a more wretched hive of scum and villainy."

Security experts say the same paradigm is at work in cybercrime circles, as revealed by the prevalence of underground forums - many apparently hosted in Russia - that sell products and services to other cybercriminals.

6. Learn From Repeat Attacks

"That's no moon." (Photograph: Windell Oskay, Flickr/CC.)

Why do villains create the plans for a major new weapons system once, then keep redeploying it? In that respect, the developers behind malware, ransomware and remote-access Trojans are a lot like the folks who keep building Death Stars, or their planet-based "Force Awakens" alternative. Except cybercriminals, of course, have enjoyed much greater success.

7. Don't Try, Do


Never wait to be attacked, especially if there are defenses that you can put in place - in advance - that will help blunt or block the impact of those attacks, be they phishing, ransomware or attacks launched via supply-chain partners.

The important thing is to get started, follow through and keep following through. In the words of Yoda: "Do. Or do not. There is no try."


Seeking a SWIFT Malware Attack Antidote

Category: Security News

Anti-Malware, Fraud, Risk Management

Here's Why Manual Oversight Is No Wire Transfer Security Panacea
Mathew J. Schwartz (euroinfosec) • May 3, 2016
Telex: How SWIFT messages used to move. (Source: Arnold Reinhold/CC.)

The theft of $81 million from the central bank of Bangladesh's account at the U.S. Federal Reserve in New York is notable because attackers - not for the first time - appear to have employed malware to issue bogus money-moving messages via the SWIFT messaging platform (see SWIFT Confirms Repeat Hack Attacks).


The Society for Worldwide Interbank Financial Telecommunication - a Belgium-based cooperative of 3,000 organizations, founded in 1973 - maintains the SWIFT messaging platform, which it says handles the majority of international interbank messages. It's also confirmed this isn't the first attempted malware attack it's seen, although it has declined to comment on the identities of previous targets.


The attacks prompt the obvious question of whether better internal controls, applied to SWIFT messages, might have disrupted the scheme much quicker. Security experts and regulators have long recommended that organizations and banks employ manual intervention to verify all large wire transfers (see Why Are We So Stupid About Security?).

Accordingly, should SWIFT-using banks be using a greater number of manual reviews by bank employees - at both the sending and receiving end of every message - to better vet all large money-transfer requests? Should banks be picking up the phone more frequently and using pre-agreed codes to verify large transactions with their counterparts in initiating institutions?

SWIFT didn't immediately respond to my request for comment about whether it planned to advise banks to institute more checks to verify the authenticity of money-moving messages.

Cautionary Lesson

But for a potential answer to the question I'm posing, it's helpful to look at how a different criminal scheme attempted to illegally transfer a total of $69.7 million out of accounts held by United Airlines, brokerage Merrill Lynch and Kentucky distiller Brown-Forman at First National Bank of Chicago into accounts at Citibank and Chase Manhattan. After that, a gang - comprising seven U.S. residents, including two First National employees - allegedly planned to move the money into two Vienna-based bank accounts, according to prosecutors.

"Whoever concocted the scheme was familiar with the workings of wire transfers," an anonymous source told the Chicago Tribune.

Indeed, the insiders allegedly shared First National Bank's confidential wire-transfer codes and money-transfer codes, after which other individuals posing as United, Merrill Lynch and Brown-Forman employees called the bank's "wire room," tricking bank employees into initiating the transfers, the Los Angeles Times reported.

If anything about this story strikes you as dated, that's because it is: The alleged embezzlement occurred in 1988, points out information assurance consultant William Murray, who's an associate professor at the U.S. Naval Postgraduate School. "Twenty-eight years ago, but seems like only yesterday," he says.

Old School: Telex Machines Plus Code Books

Murray has been tracking information security concerns "since 'wire transfers' were done over telex machines using code books," he tells me. (For the uninitiated, telex machines involved switched networks of teleprinters, which worked like telephones except they were used to send and receive text-based messages.)

Such transactions "were hardly routine," Murray tells me. "As recently as 20 years ago, lots of transactions originated with a telephone call from the bank's customer to the bank. The 'interface' to SWIFT was called the 'wire room.' One clerk would take the order from the customer; a second one would call the customer back to authenticate the transaction."

With such a system - bank clerks in a wire room, armed with a SWIFT code book - what could go wrong? In fact, the alleged $70 million embezzlement from First National Bank of Chicago - which is now part of PNC - demonstrates some of the risks the system posed, because it relied on humans being in the loop, and people can be tricked. At the other extreme, meanwhile, the Bangladesh Bank hack demonstrates the danger posed by highly automated systems, for example, when hackers manage to exploit a system that a bank uses for its SWIFT messaging.

Of course, SWIFT transfers aren't fully automated. The Bangladesh Bank hackers attempted to transfer $951 million, some of which was blocked after attackers misspelled the name of the Sri Lankan not-for-profit organization to which they were attempting to transfer the money, prompting one of the routing banks, Deutsche Bank, to helpfully flag the transaction for further review by Bangladesh Bank, Reuters reported.

More Security Costs

Obviously, no system is foolproof, and the First National Bank of Chicago case demonstrates how insiders can help abuse any system. But adding more checks and balances to money-moving transactions can increase the chance of spotting related scams. "The most effective, general and flexible control is management direction and supervision," Murray says. But that comes at a cost, and "because it is expensive, we resort to alternatives, for efficiency."

Of course the trend globally is to allow money to be moved more quickly, ideally backed by better authentication, tokenization, dynamic credentialing and encryption (see Fed Reveals Plan for Faster Payments). But in light of SWIFT customers having been targeted now via multiple malware schemes, is it time to at least make massive international wire transfers a little less "efficient" in exchange for better security?


Anonymous Threatens Bank DDoS Disruptions

Category: Security News

DDoS, DDoS Attacks, Risk Assessments

Follows Collective's 'Total War' Against Donald Trump
Mathew J. Schwartz (euroinfosec) • May 6, 2016
Still from an Anonymous video announcing Operation Icarus. (Source: YouTube.)

After earlier this year declaring "total war" against U.S. Republican presidential candidate Donald Trump, the hacktivist group Anonymous is now threatening global banks with 30 days of distributed denial-of-service attack disruptions.


As a preview, on May 2, the group claimed to have disrupted the website of Greece's central bank. "Olympus will fall. A few days ago we declared the revival of Operation Icarus. Today we have continuously taken down the website of the Bank of Greece," the group said in the video posted on YouTube and delivered in the classic Anonymous style via a disembodied, computerized voice.

"This marks the start of a 30-day campaign against central bank sites across the world," it adds. "Global banking cartel, you've probably expected us."

Of course, banks have previously been targeted en masse by DDoS attackers. Beginning in 2012, for example, attacks waged by a group calling itself the "Izz ad-Din al-Qassam Cyber Fighters" continued to disrupt U.S. banks' websites as part of what it called "Operation Ababil." In March, the Justice Department unsealed indictments against seven Iranians - allegedly working on behalf of the Iranian government - accusing them of having waged those attacks. Regardless of who was involved, it's unclear if Anonymous could bring similar DDoS capabilities to bear for its Operation Icarus.

A Central Bank of Greece official, who declined to be named, confirmed the May 2 DDoS disruption to Reuters, though said the effect was minimal. "The attack lasted for a few minutes and was successfully tackled by the bank's security systems. The only thing that was affected by the denial-of-service attack was our website," the official said. Greek banks have been previously targeted by DDoS extortionists, demanding bitcoins (see Greek Banks Face DDoS Shakedown).

"It would have been better if no disruption occurred, but it is good that the attack - if that is what caused the disruption - was handled so quickly," says information security expert Brian Honan, who's a cybersecurity expert to the EU's law enforcement intelligence agency, Europol.

A "World Banking Cartel Master Target List" published by Anonymous to text-sharing site Pastebin early this month lists the U.S. Federal Reserve, as well as Fed banks in Atlanta, Boston, Chicago, Dallas, Minneapolis, New York, Philadelphia, Richmond and St. Louis. Also on the target list are websites for the International Monetary Fund, the World Bank as well as 158 central banks' websites. In a related video missive issued March 31, Anonymous urged its members to "take your weapons and aim them at the New York Stock Exchange and Bank of England," promising that "this is the operation to end all others."

The planned Anonymous operation follows elements of the collective earlier this year declaring "total war" against Trump, and on April 1 temporarily disrupting several of Trump's websites, The Hill reports (see DDoS: 4 Attack Trends to Watch in 2016). Since then, of course, Trump has become the only Republican presidential candidate left standing after his massive win in this week's Indiana primary.

Banks: Beware DDoS Threats

While the Anonymous bark doesn't always equal its bite, in the wake of this alert, "banks in the United Kingdom, United States and Latin America should be very prepared" against potential attacks, says Carl Herberger, vice president of security for DDoS-mitigation and security firm Radware.

"In the same vein as someone yelling 'bomb' at an airport or fire at a movie theater, cyber-attack threats - whether idle or not - are not to be taken lightly," he says, although he adds that the number of threatened DDoS attacks outweighs the quantity of actual attacks.

Herberger says in light of the new threat, all banks should review their DDoS defense plans, keeping in mind that DDoS attackers do continue to refine their tactics, as seen in the disruption of Geneva-based encrypted email service ProtonMail (see Refined Ransomware Streamlines Extortion).

"As the attacks on ProtonMail in November 2015 have demonstrated ... attackers change the profile of their attacks frequently and leverage a persistent and advanced tactic of revolving attacks geared to dumbfound detection algorithms," he says, dubbing such tactics "advanced persistent DoS."

Maintain a DDoS Defense Plan

Security experts have long recommended that all organizations have a DDoS defense plan in place. The U.K.'s national fraud and cybercrime reporting center, ActionFraud, for example, recently issued the following advice to all organizations:

  • Review: "Put appropriate threat reduction/mitigation measures in place," tailored to the risk DDoS disruptions would pose to the organization.
  • Hire: If DDoS attacks are a threat, seek professional help. "If you consider that protection is necessary, speak to a DDoS prevention specialist."
  • Prepare: All organizations should liaise with their ISP in advance of any attack. "Whether you are at risk of a DDoS attack or not, you should have the hosting facilities in place to handle large, unexpected volumes of website hits."

DDoS Extortions Spike

The guidance from ActionFraud, released April 29, also warned that the center has recently seen a spike in DDoS extortion threats from an unnamed "online hacking group" demanding the equivalent of $2,250 to call off their planned attack.

"The group has sent emails demanding payment of 5 bitcoins to be paid by a certain time and date. The email states that this demand will increase by 5 bitcoins for each day that it goes unpaid," ActionFraud's alert states. "If their demand is not met, they have threatened to launch a [DDoS] attack against the businesses' websites and networks, taking them offline until payment is made."

ActionFraud advises targeted organizations: "Do not pay the demand." That echoes longstanding advice from law enforcement agencies globally (see Please Don't Pay Ransoms, FBI Urges). ActionFraud also urges organizations to keep all copies of DDoS extortion emails - including complete email headers - as well as a complete timeline for the threats and any attacks, and to immediately report threats or attacks to authorities.

Investigators say that keeping complete records - including packet-capture logs - is essential for helping to identify perpetrators. Or as ActionFraud advises: "Keep a timeline of events and save server logs, web logs, email logs, any packet capture, network graphs, reports, etc."

Masquerading as Armada Collective?

CloudFlare, a DDoS mitigation firm, reports that related attacks began in March and have been carried out under the banner of Armada Collective, as well as potentially Lizard Squad, although it's not clear if those groups are actually involved (see Analysis: Impact of DD4BC Arrests).

It's also unclear if the threatened DDoS disruptions have ever materialized (see Cyber Extortion: Fighting DDoS Attacks). "We've been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack," CloudFlare CEO Matthew Prince says in a blog post. "In fact, because the extortion emails reuse bitcoin addresses, there's no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments."
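Both the ActionFraud advice above (keep every extortion email with its complete headers, a timeline, and the server and packet logs) and CloudFlare's observation that the extortion emails reuse bitcoin addresses lend themselves to a small triage routine: preserve the raw headers, pull out the demand and the payment address, and correlate addresses across everything received. The Python below is an added example, not code from the article, ActionFraud or CloudFlare; the three messages it parses are constructed samples using placeholder .invalid domains, a documentation-range IP address and invented payment addresses.

```python
"""Evidence handling for DDoS extortion emails: preserve headers, extract the
demand and payment address, correlate addresses across recipients.

Added example; not code from the article, ActionFraud or CloudFlare.
All domains, the IP address and the payment addresses below are constructed
placeholders, not real indicators.
"""
import re
from email import message_from_string
from typing import Dict, List

from email.utils import parsedate_to_datetime

# Constructed payment addresses (valid base58 shape, not real wallets).
ADDR_A = "1ConstructedAddrAAAAAAAAAAAAAAAAAA"
ADDR_B = "3ConstructedAddrBBBBBBBBBBBBBBBBBB"

# Constructed samples. The first two, sent to different organizations, carry
# the same payment address, which is the reuse pattern the article describes.
SAMPLES = [
f"""From: ops@collective.invalid
To: webmaster@victim-a.invalid
Date: Mon, 25 Apr 2016 09:12:00 +0000
Subject: DDoS warning
Received: from relay.invalid (203.0.113.10) by mx.victim-a.invalid; Mon, 25 Apr 2016 09:12:05 +0000

Pay 5 bitcoins to {ADDR_A} before Friday.
The demand rises by 5 bitcoins for each day it goes unpaid.
""",
f"""From: ops@collective.invalid
To: webmaster@victim-b.invalid
Date: Tue, 26 Apr 2016 10:00:00 +0000
Subject: DDoS warning
Received: from relay.invalid (203.0.113.10) by mx.victim-b.invalid; Tue, 26 Apr 2016 10:00:07 +0000

Send 5 bitcoins to {ADDR_A} by 29 April or your site goes offline.
""",
f"""From: team@other-group.invalid
To: security@victim-c.invalid
Date: Wed, 27 Apr 2016 08:30:00 +0000
Subject: final notice
Received: from smtp.other.invalid (203.0.113.77) by mx.victim-c.invalid; Wed, 27 Apr 2016 08:30:02 +0000

You have 48 hours. Pay 10 bitcoins to {ADDR_B}.
""",
]

# Legacy (base58) bitcoin address shape: leading 1 or 3, 26-35 chars, no 0/O/I/l.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# First "<n> bitcoins" phrase in the body is taken as the demand.
DEMAND = re.compile(r"(\d+)\s*bitcoins?", re.IGNORECASE)


def parse_extortion_email(raw: str) -> Dict:
    """Parse one message, keeping the raw header block verbatim for evidence."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # single-part message: body as str
    match = DEMAND.search(body)
    return {
        "from": msg["From"],
        "to": msg["To"],
        "date": parsedate_to_datetime(msg["Date"]),
        "subject": msg["Subject"],
        "received": msg.get_all("Received") or [],   # full relay chain, unaltered
        "raw_headers": "".join(f"{k}: {v}\n" for k, v in msg.items()),
        "demand_btc": int(match.group(1)) if match else None,
        "addresses": sorted(set(BTC_ADDRESS.findall(body))),
    }


def group_by_address(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each payment address to the recipients it was sent to, in date order."""
    groups: Dict[str, List[str]] = {}
    for rec in sorted(records, key=lambda r: r["date"]):
        for addr in rec["addresses"]:
            groups.setdefault(addr, []).append(rec["to"])
    return groups


def reused_addresses(groups: Dict[str, List[str]]) -> List[str]:
    """Addresses demanded from more than one recipient: the sender cannot tell
    which of them paid, which is the signal CloudFlare described."""
    return sorted(addr for addr, tos in groups.items() if len(set(tos)) > 1)


def build_timeline(records: List[Dict]) -> List[Dict]:
    """Chronological record suitable for handing to investigators."""
    return [
        {"date": r["date"].isoformat(), "to": r["to"], "demand_btc": r["demand_btc"],
         "addresses": r["addresses"], "received_hops": len(r["received"])}
        for r in sorted(records, key=lambda r: r["date"])
    ]


if __name__ == "__main__":
    recs = [parse_extortion_email(s) for s in SAMPLES]
    for entry in build_timeline(recs):
        print(entry)
    print("reused:", reused_addresses(group_by_address(recs)))
```

The parsed records keep the raw header block and every Received line untouched, so the evidence ActionFraud asks for survives the triage step; the correlation only needs the address string, so it works across mailboxes of different organizations once the records are pooled.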


Tax Return Fraudsters Hit ADP Portal

Category: Security News

Data Breach, Data Loss, Fraud

U.S. Bank Confirms Fraudulent Tax Returns Filed in Employees' Names
Mathew J. Schwartz (euroinfosec) • May 5, 2016

Some employees at organizations that use outsourced payroll provider ADP have been hit with tax return fraud. ADP blames customers for failing to secure the unique portal registration codes it issues to clients, saying they'd been obtained by fraudsters, enabling them to obtain individuals' personally identifiable information and use it to help commit identity theft.


"ADP has learned of a small number of clients whose employees have been victimized by fraudulent registrations through a self-service registration portal," ADP spokesman Dick Wolfe tells Information Security Media Group. "Any potential exposure of W-2 information was limited to individuals who have had their personal information compromised previously - unrelated to ADP - based on ADP's investigation to date."

W-2 forms, which list an employee's full name, annual salary information, Social Security number and mailing address, have been used by identity thieves to file fraudulent tax returns and illegally obtain tax refunds (see Georgia Couple Confesses to IRS 'Get Transcript' Fraud Scheme).

ADP says the fraud attempts were discovered by its in-house financial crimes monitoring team, and that it's assisting U.S. authorities with an investigation.

The news of "a weakness in ADP's customer portal," was first reported by security blogger Brian Krebs, who said related attacks helped compromise accounts at more than a dozen firms, including the nation's fifth-largest bank, U.S. Bancorp, a.k.a. U.S. Bank.

U.S. Bank: Tax Fraud Alert

U.S. Bank says no customers were affected. "This did not [involve] customers or customer information. It affected approximately 2 percent of our employees," spokesman Dana E. Ripley tells ISMG, adding that "the vulnerability has been resolved," although declining to offer any further details.

According to U.S. Bank's first-quarter earnings release for 2016, the company has about 67,000 employees, meaning that about 1,350 of those employees were the victims of tax fraud, or attempted tax fraud.

U.S. Bank declined to share a copy of the warning letter that it sent to affected employees, although a copy was obtained and published by Krebs. "Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP," according to the note, sent by U.S. Bank executive vice president of human resources Jennie Carlson. "During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name."

ADP says the information leak appears to be limited to that self-service registration portal. "ADP has no evidence that its systems housing employee information have been compromised. Additionally, the company is working with a federal law enforcement task force to identify the fraud perpetrators," Wolfe says.

ADP Disputes Portal Weakness

Commenting on the information leak, Wolfe says that "weakness in the portal is a mischaracterization," and instead blames customers for the information security lapse, saying they mishandled the unique registration code that gets issued to each ADP customer organization.

"The company registration code is combined with an individual employee's personal information - e.g., partial SSN, DOB [date of birth], employee number, etc. - to create a unique access code required for portal registration," Wolfe says. "In this case, these clients made the unique company registration code available to its employees via an unsecured public website. The combination of an unsecured company registration code and stolen personal information - via phishing, malware, etc. - enabled the fraudulent access to the portal, based on ADP's investigation to date."

Wolfe says that ADP warns customers to never publish unique registration codes to unsecured websites, "and has temporarily disabled access to the registration portal for those clients that continue to publish company registration codes in this fashion." He adds that "ADP offers and advises its clients to use alternative industry-standard controls, including personal identification codes, which offer far greater protection during the self-service registration process." For customers that opt in, he says ADP offers this "enhanced model" of security free of charge, which includes "a unique registration code for each potential registrant tied to the client account." He says clients can also use employee ID numbers or their own single sign-on systems to add additional layers of security.

It's also not clear whether the ADP registration link at organizations that experienced tax return fraud was published by those organizations on publicly accessible pages, or perhaps mishandled or inadvertently posted by employees on open forums.

Fraudsters Aggregate Stolen Data

The news of the leak is a reminder that security controls based on an individual's name, address, Social Security number, first pet - and so on - should not be treated as being secure. Aided by ongoing data leaks and rampant password reuse, security experts say fraudsters are increasingly offering services based on the likes of aggregation and data completion services such as Experian, but with a cybercrime twist. These services aggregate stolen information about individuals - especially high-net-worth individuals - then resell it to fraudsters, for example, to enable them to commit identity theft or tax-return fraud (see E*Trade, Dow Jones: 7 Breach Lessons).
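The ADP comments above describe a registration code built from a shared company code plus partial SSN, date of birth and employee number, and contrast it with a per-registrant code; this closing paragraph makes the general point that such knowledge-based inputs are not secrets. The Python below is an added example, not ADP's code: the page does not describe how ADP derives or checks the code beyond that sentence, so the weak model is a constructed illustration of that description, and the per-registrant registry is a generic design (random single-use code, expiry, lockout), not a description of ADP's "enhanced model". All values are constructed.

```python
"""Self-service registration controls: a shared company code combined with
personal data (weak) beside a per-registrant, single-use code (stronger).

Added example; not ADP's code. The weak model is a constructed illustration
of the page's description; the stronger model is a generic design.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# ---- Weak model: one code shared by every employee of the company. ----
# Constructed value; in the incident described, codes like this ended up
# on public web pages.
SHARED_COMPANY_CODE = "ACME-REG-2016"


def weak_access_code(company_code: str, ssn_last4: str, dob: str, employee_number: str) -> str:
    """Derive the registration code from the shared company code plus fields
    that circulate in breach data; no term is a secret held only by the
    legitimate registrant, so knowing the inputs is the same as holding the code."""
    material = "|".join([company_code, ssn_last4, dob, employee_number])
    return hashlib.sha256(material.encode()).hexdigest()


def weak_verify(company_code: str, ssn_last4: str, dob: str, employee_number: str,
                presented: str) -> bool:
    expected = weak_access_code(company_code, ssn_last4, dob, employee_number)
    return hmac.compare_digest(expected, presented)


# ---- Stronger model: random code per registrant, single use, expiring, with lockout. ----
@dataclass
class IssuedCode:
    token_hash: bytes      # only the hash is stored server-side
    expires_at: float
    used: bool = False
    failures: int = 0


class PerRegistrantRegistry:
    def __init__(self, ttl_seconds: float = 7 * 24 * 3600, max_failures: int = 5,
                 now: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._max_failures = max_failures
        self._now = now                 # injectable clock, for testing expiry
        self._codes: Dict[str, IssuedCode] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, employee_number: str) -> str:
        """Create a fresh random code for one registrant. The plaintext is
        returned once for out-of-band delivery to that person (for example to
        a previously verified address); the registry keeps only its hash."""
        token = secrets.token_urlsafe(16)
        self._codes[employee_number] = IssuedCode(self._hash(token), self._now() + self._ttl)
        return token

    def redeem(self, employee_number: str, token: str) -> str:
        """Check a presented code. Returns a status string rather than raising
        so the caller can log each outcome distinctly."""
        rec = self._codes.get(employee_number)
        if rec is None:
            return "unknown"
        if rec.used:
            return "already-used"
        if self._now() > rec.expires_at:
            return "expired"
        if rec.failures >= self._max_failures:
            return "locked"
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            rec.failures += 1
            return "bad-token"
        rec.used = True
        return "ok"


if __name__ == "__main__":
    # Weak: anyone holding the published company code and breached PII passes.
    code = weak_access_code(SHARED_COMPANY_CODE, "1234", "1980-01-01", "E100")
    print("weak model accepts breach-derived inputs:",
          weak_verify(SHARED_COMPANY_CODE, "1234", "1980-01-01", "E100", code))
    # Stronger: the same attacker holds no per-registrant secret.
    reg = PerRegistrantRegistry()
    issued = reg.issue("E100")
    print("guess:", reg.redeem("E100", "not-the-token"), "| real:", reg.redeem("E100", issued),
          "| replay:", reg.redeem("E100", issued))
```

The difference that matters is where the secret lives: in the weak model every input is recoverable from a public page plus breach data, so the portal is effectively verifying nothing; in the per-registrant model the only secret is a random value delivered to one person, it can be used once, it expires, and repeated wrong guesses lock the record, which also gives the monitoring team a distinct event to alert on.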


Vulnerability Management with Analytics and Intelligence

Category: Security News

Cybersecurity, Risk Management, Technology

Presented by Aujas • 60 Minutes

Vulnerability management, defined as the cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities, has been a basic element of the security posture in many global organizations. As the technology evolves by use of cloud, social and internet of things in organizations, the vulnerability management function grows more complex and critical. Attend this session to hear directly from Sameer Shelke, Cofounder and CTO of Aujas, a global information risk management company, on:

  • The threat landscape and how it forces vulnerability management programs to evolve;
  • How analytics and intelligence can be added to your vulnerability management program;
  • A case study of one large, multinational organization that has experienced this evolution and growth.

Adding "analytics" and "intelligence" aspects to the vulnerability management function helps to ensure that it keeps up with the challenging threat and risk landscape. For example:

Analytics: The vulnerability management program produces a large volume of data related to vulnerabilities, assets, trends, mitigation measures, gaps, compensating controls, etc. Converting the raw data to information using organization context, and then to insights based on the risk landscape, can provide real value for risk management decisions and actions. As an example, analytical information on the vulnerability root cause and its link to vulnerability trends and assets can help effective mitigation. Similarly, vulnerability remediation analytics can help identify weaknesses in the process for improvement.

Intelligence: Typically, the vulnerability management process starts with vulnerability identification, which depends on vulnerability scanning. That's the start of the find-and-fix process. A critical miss in the process can be any weakness in the "find" step, either due to tool functionality or zero-day vulnerabilities. Adding vulnerability intelligence to the management process from authoritative sources and mapping it to the organization's assets and their specific configurations would remove critical gaps in the find process.
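The "intelligence" point above is a join: advisories from authoritative sources on one side, the asset inventory with product and version on the other, and the scanner's own findings as the thing being audited. The Python below is an added example, not Aujas's code or material from the session; it performs that join over a constructed inventory, constructed advisories with placeholder ids (ADV-..., not real CVE numbers) and invented product names (acme-*), and reports the affected assets the scanner never flagged, ranked by severity and exposure.

```python
"""Mapping external vulnerability intelligence onto an asset inventory to find
"find-step" gaps: assets an advisory says are affected but the scanner never
reported.

Added example, not Aujas's code. Inventory, advisories and scanner output are
constructed; advisory ids and product names are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.9.5' -> (1, 9, 5). Tuples compare element-wise, so (1, 9, 5) < (1, 10, 0),
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: Version
    internet_facing: bool      # organization context used for prioritization


@dataclass(frozen=True)
class Advisory:
    adv_id: str
    product: str
    fixed_in: Version          # every version below this is affected
    severity: str              # "critical" | "high" | "medium" | "low"


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed inventory (placeholder products).
INVENTORY = [
    Asset("web01", "acme-webd", parse_version("1.9.5"), True),
    Asset("web02", "acme-webd", parse_version("1.10.0"), False),
    Asset("db01", "acme-db", parse_version("9.4.1"), False),
    Asset("app01", "acme-tls", parse_version("1.0.1"), True),
]

# Constructed advisory feed (placeholder ids). ADV-0003 stands for a freshly
# published issue the scanner has no check for yet.
ADVISORIES = [
    Advisory("ADV-0001", "acme-webd", parse_version("1.10.0"), "critical"),
    Advisory("ADV-0002", "acme-db", parse_version("9.5.0"), "high"),
    Advisory("ADV-0003", "acme-tls", parse_version("1.0.2"), "critical"),
]

# Constructed scanner output: (host, advisory id) pairs the tool reported.
SCANNER_FINDINGS: Set[Tuple[str, str]] = {("web01", "ADV-0001")}


def affected_pairs(inventory: List[Asset], advisories: List[Advisory]) -> List[Tuple[Asset, Advisory]]:
    """Every (asset, advisory) pair where the advisory applies to the asset's
    product and the installed version is below the fixed version."""
    return [(asset, adv) for asset in inventory for adv in advisories
            if asset.product == adv.product and asset.version < adv.fixed_in]


def find_gaps(inventory: List[Asset], advisories: List[Advisory],
              scanner_findings: Set[Tuple[str, str]]) -> List[Dict]:
    """Affected pairs the scanner did not report, highest severity and
    internet-facing assets first."""
    gaps = [
        {"host": asset.host, "adv_id": adv.adv_id, "severity": adv.severity,
         "internet_facing": asset.internet_facing}
        for asset, adv in affected_pairs(inventory, advisories)
        if (asset.host, adv.adv_id) not in scanner_findings
    ]
    gaps.sort(key=lambda g: (SEVERITY_RANK[g["severity"]], g["internet_facing"]), reverse=True)
    return gaps


def coverage_ratio(inventory: List[Asset], advisories: List[Advisory],
                   scanner_findings: Set[Tuple[str, str]]) -> float:
    """Share of intelligence-derived exposures the scanner actually found;
    a remediation-analytics number for the 'find' step itself."""
    pairs = affected_pairs(inventory, advisories)
    found = sum(1 for asset, adv in pairs if (asset.host, adv.adv_id) in scanner_findings)
    return found / len(pairs) if pairs else 1.0


if __name__ == "__main__":
    for gap in find_gaps(INVENTORY, ADVISORIES, SCANNER_FINDINGS):
        print(gap)
    print("scanner coverage of known exposures:", round(coverage_ratio(INVENTORY, ADVISORIES, SCANNER_FINDINGS), 2))
```

The version comparison is the part that most often goes wrong in home-grown matching, which is why it is done on integer tuples rather than strings; a real feed would also need product-name normalization and platform or configuration qualifiers, which the constructed data leaves out.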