You don't need a fast car to rob a bank any more, just malware

Jul 30, 2014 by Bill Buchanan
Swag bags and getaway cards are so 20th century. Credit: Andrey_Popov

The number of physical robberies on banks has fallen dramatically in recent years, but the amount of money banks are losing through electronic methods has rocketed. In 2013 for example, the annual fraud indicator estimated the annual cost of fraud in the UK was £52bn what it was five years before. So it's easy to put up CCTV cameras, bulletproof glass and alarm bells, but in an electronic world there are infinite ways to commit fraud.

In fact there are so many targets in a electronic world that criminals can focus their efforts on the customer, the bank or the merchant. With virtually no footprint at all, criminal gangs can install within any part of the e-commerce infrastructure and either steal user credentials or modify transactions. It may be tempting to see this as a victimless crime, but large-scale fraud can have serious implications on the , not to mention user trust.

Individuals have been finding ways around electronic security for decades. Well known examples include John Draper (aka Captain Crunch), who in the 1970s used a whistle tuned to 2.6kHz that was given away in cereal packs to fool the pitch-controlled security system on the US telephone network, allowing him to make long-distance calls free of charge. Then there was Vladmir Levin, from Russia, who siphoned off millions from Citibank customers in the early 1990s by finding a way around their dial-up wire transfer service.

These days, any script kiddie can create their own targeted attack on the finance system. You don't need extensive programming skills or even a deep knowledge of how the e-commerce infrastructure works. A key target is the end user, since they tend to be the weakest link in the chain.

Holy Boleto!

The latest reminder came with the recent attacks on Boleto Bancário, the Brazilian inter-bank payment system, which were announced earlier this month. Known colloquially as Boleto, a vast amount of low-dollar transactions were hijacked by the latest malware, most probably set up by Brazilian organised crime gangs. With the theft amounting to nearly $4bn (£2.4bn), it could be the largest fraud in history.

Boleto is the second-most-popular payment method in Brazil after credit cards and has around 18% of all purchases. It is typically used to pay phone and shopping bills. One reason it is popular is that many Brazilians don't have a credit card, and even when they do have one, they are often not trusted.

The fraud worked very simply. It tricked customers to install a piece of malware on their system and then waited until they visited their bank's website. It spread using what is called spear phishing, which is the most common method these days, where users are sent emails with links on them. When the user clicks on them, they will run a program on their computer, and install the malware.

The malware used what is called a man-in-the-browser attack, where the malware sits in the browser, including Google Chrome, Mozilla Firefox and Microsoft Internet Explorer. It is known commonly as a Eupuds, which is classified as an information-stealing Trojan that stays alive by writing itself on to a user's hard drive and modifying the relevant Windows registry key so that it starts every time the computer is booted up. As well as infecting browsers using Windows operating systems, it can also steal information through the likes of Windows Live/Hotmail and Facebook.

In the case of Boleto, it worked by detecting the traffic between the browser and server by searching for specific relevant strings linked to bank sites. It then recorded all the information that had to be submitted about the recipient of the Boleto transaction. It then submitted the transfer for payment and modified it by substituting an attacker's account for the recipient's one. As many as 200,000 IP addresses were infected and 83,000 user email credentials were stolen in a move that had been going on for two years.

Of the statistics received, all the infected machines were running Microsoft Windows as their operating system. The majority were running Microsoft Windows 7 (78.3%), with Microsoft Windows XP second-most popular (17.2%). Of the browsers detected, the most popular was Internet Explorer (48.7%), followed by Chrome (34%) and Firefox (17.3%); and the most popular email domain used to steal user credentials was hotmail.com (94%). The reason that the impact was so great is that Boleto is only used in Brazil, thus malware detection software has not targeted it since it is a limited market.

All the same, the threat should have been detected more quickly. The first signs of the ZIP file containing the malware appeared in 2010. Cisco Systems was highlighting the distribution of the spam emails in 2012 and more warnings highlighted the threat last year.

Wake up and smell the malware

These attacks should serve as a wake-up call for the finance industry and governments around the world. What is most worrying about this type of fraud is that it could compromise the whole of the finance industry. It could even bring down major finance companies and even nation states with a single large-scale event.

As long as there's one person who will to click on a link in an email, there will be the potential for fraud. This is why the focus is moving towards end-users. So what's the solution? Users need to watch what they click, and also protect their systems by installing the latest upgrades from the likes of Microsoft and having up-to-date virus software. Until customers and major organisations find a way of getting fully across these threats, these are dangerous times to bank.

Explore further: Cybercrime ring uncovered in Brazil (Update)

add to favorites email to friend print save as pdf

Related Stories

Brazil cybertheft could be biggest ever

Jul 09, 2014

A scheme that has been skimming funds from Brazilian bank payments over the past two years may be the largest cybercrime heist in history, at some $3.75 billion, security researchers say.

ISPs need to do more to tackle major cyber-attack

Jun 17, 2014

Warnings about the impending cyber-attack have gone unheeded and more must be done to tackle the threat of an infection, according to the Institution of Engineering and Technology (IET).

Bank-stealing malware returns after US crackdown

Jul 11, 2014

Malicious software used to steal millions from bank accounts has re-emerged a month after US authorities broke up a major hacker network using the scheme, security researchers say.

Facing the Windows XP apocalypse? Here are some options

Mar 26, 2014

Are you ready for the "XP Apocalypse" on April 8? That's when Microsoft Corp. plans to stop issuing security updates for the aging, but still-popular XP version of its flagship Windows operating system, which ...

Recommended for you

BPG image format judged awesome versus JPEG

Dec 17, 2014

If these three letters could talk, BPG, they would say something like "Farewell, JPEG." Better Portable Graphics (BPG) is a new image format based on HEVC and supported by browsers with a small Javascript ...

Atari's 'E.T.' game joins Smithsonian collection

Dec 15, 2014

One of the "E.T." Atari game cartridges unearthed this year from a heap of garbage buried deep in the New Mexico desert has been added to the video game history collection at the Smithsonian.

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

_tak
not rated yet Jul 30, 2014
The users can not be held responsible for the lack of security.
The exploits used by criminals are not known by the anti-virus or operating system.
So you can not protect yourself.

The banking industry is the one who should provide us with save payment methodes.
That is their sole purpose and the pure definition of a bank.

This oversight in the article, and blaming the users, brings in question the motivation for writing this article. The correct motivation for this article would be to motivate the banking industry to meet our need for financial security.
kochevnik
not rated yet Jul 30, 2014
Anyone working in banks knows that security is usually the lowest priority. When modems were the standard, many banks simply used an obscure phone number to access each other's branches without passwords or oversight

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.