RISK MANAGEMENT
Fraud Alert
Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud
Recent FBI reporting indicates a new trend in which cyber criminal actors are using spam and phishing e-mails, keystroke loggers, and Remote Access Trojans (RATs) to compromise financial institution networks and obtain employee login credentials. The stolen credentials were used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the actor(s) raised the wire transfer limit on the customer's account to allow for a larger transfer. In most of the identified wire transfer failures, the actor(s) were only unsuccessful because they entered the intended account information incorrectly.
Tradecraft
The actor(s) primarily used spam and phishing e-mails to target their victims. Once compromised, keyloggers and RATs installed on the financial institution employee's computer provided the actor(s) with complete access to internal networks and logins to third party systems. Variants of ZeuS malware were used to steal the employee's credentials in a few reported incidents.
In some instances, the actor(s) stole multiple employee credentials or administrative credentials to third party services and were able to circumvent authentication methods used by the financial institution(s) to deter fraudulent activity. This allowed the intruders to handle all aspects of a wire transaction, including the approval.
The unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours using the stolen financial institution employees' credentials. These logins allowed the actor(s) to obtain account transaction history, modify or learn institution-specific wire transfer settings, and read manuals providing information and training on the use of US payment systems.
In at least one instance, actor(s) browsed through multiple accounts, apparently selecting the accounts with the largest balance.
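The sequence described above (an off-hours login with a stolen employee credential, a raised wire limit, then a large overseas transfer) is something a financial institution can look for in its own payment-system audit logs. The following is an added detection example written for this alert, not code from the FBI or from any vendor; the log format, the business-hours window (08:00 to 18:00 on weekdays) and the sample events are all constructed assumptions.

```python
from datetime import datetime, time
from collections import defaultdict

# Constructed sample audit log (not from the alert). One event per line:
# "timestamp|user|event|key=value;key=value". 2012-08-13 is a Monday.
SAMPLE_LOG = """\
2012-08-13T02:14:00|jdoe|login|src=203.0.113.7
2012-08-13T02:20:00|jdoe|view_history|acct=1001
2012-08-13T02:31:00|jdoe|set_wire_limit|acct=1001;old=250000;new=1000000
2012-08-13T02:40:00|jdoe|wire|acct=1001;amount=850000;dest=INTL
2012-08-13T10:05:00|asmith|login|src=10.0.0.5
2012-08-13T10:30:00|asmith|wire|acct=2002;amount=12000;dest=DOM
"""

# Assumed business-hours window; tune to the institution's actual schedule.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

def parse(log):
    """Parse the constructed log into (timestamp, user, event, fields) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append((datetime.fromisoformat(ts), user, event, fields))
    return events

def off_hours(ts):
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def find_suspicious_wires(log):
    """Flag wires sent in a session that began with an off-hours login.
    Each alert also notes whether the account's limit was raised in that
    session and whether the destination is international."""
    alerts = []
    session_off_hours = {}            # user -> did the current session start off-hours?
    limit_raised = defaultdict(set)   # user -> accounts whose limit went up this session
    for ts, user, event, f in parse(log):
        if event == "login":
            session_off_hours[user] = off_hours(ts)
            limit_raised[user].clear()
        elif event == "set_wire_limit" and int(f["new"]) > int(f["old"]):
            limit_raised[user].add(f["acct"])
        elif event == "wire" and session_off_hours.get(user):
            reasons = ["off-hours session"]
            if f["acct"] in limit_raised[user]:
                reasons.append("limit raised before transfer")
            if f.get("dest") == "INTL":
                reasons.append("international destination")
            alerts.append((ts.isoformat(), user, f["acct"], int(f["amount"]), reasons))
    return alerts
```

On the constructed sample this flags only the jdoe session; a wire during normal hours with no limit change and a domestic destination produces no alert, so real-world tuning should add the institution's own thresholds and holiday calendar.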
Victims
Small-to-medium sized banks or credit unions have been targeted in most of the reported incidents; however, a few large banks have also been affected.
Denial of Service Attacks
In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public Web site(s) and/or Internet Banking URL. The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer. One botnet that has been used for this type of distraction is the Dirtjumper botnet. Dirtjumper is a commercial crimeware kit that can be bought and sold on criminal forums for approximately $200.
Recommendations to Financial Institutions:
• Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited e-mails
• Do not allow employees to access personal or work e-mails on the same computers used to initiate payments
• Do not allow employees to access the Internet freely on the same computers used to initiate payments
• Do not allow employees to access administrative accounts from home computers or laptops connected to home networks
• Ensure employees do not leave USB tokens in computers used to connect to payment systems