EU cyber security agency ENISA; “High Roller” online bank robberies reveal security gaps
July 2012 by ENISA
Many online banking systems dangerously rely on PCs being secure, but banks should instead presume customer PCs are infected, says the EU’s cyber security agency ENISA in response to the reports about the “High Roller” cyber-attack.
The recent targeted “High Roller” cyber-attacks on wealthy corporate bank accounts which yielded tens of millions of dollars were analysed in a report recently published by McAfee and Guardian Analytics. The report describes the technical details and the impact of the series of cyber-attacks. The old adage that “criminals go where the money is” today means that “bank robbers go online”, as the Executive Director of ENISA, Professor Udo Helmbrecht states. It should come as no surprise that large organised crime groups are targeting online banking sites. Still, the attacks drew a lot of attention for three reasons:
1. Highly automated: The attackers reduced manual intervention to a minimum, relying mostly on automation. The attacks were also fast and easily missed by the user.
3. Targeted: Only PCs from users with correspondingly high balances were targeted (e.g. around 5000 PCs in the Netherlands).
The cyber-attacks had three phases. First, targets were identified using online reconnaissance and (spear) phishing. Victims with access to high balance accounts (hence the name “High Rollers”) were singled out. Secondly, malware (SpyEye, Zeus and Ice 9) was loaded onto the victim’s PC, which was customised for the victim’s online banking websites. The malware was triggered when the victim started an online banking session. SpyEye, Zeus and Ice 9 are common types of malware toolkits and are tailored for this attack. Later, automated fraudulent transactions were carried out in the name of the user and hidden from them behind warning and waiting messages. The malware transfers sums from savings accounts to checking accounts, and then to mules abroad who take the cash and send it onwards using person-to-person money transfer (such as Western Union). A detailed technical analysis and set of recommendations from McAfee and Guardian Analytics can be found online.
1. Assume all PCs are infected: The attacks used Zeus, which is a Do-It-Yourself virus kit available for around a thousand EUROs. Zeus has been available as an off-the-shelf virus around since 2007 and the detection rate is low. For a bank, in the current situation it is safer to assume that all of its customers’ PCs are infected, and the banks should therefore take protection measures to deal with this.
Statistics on Zeus: Only about 40% of Zeus malware is detected.
2. Secure online banking devices: Many online banking systems, some with one-time transaction codes, calculators or smartcard readers, work based on the assumption that the customer’s PC is not infected. Given the current state of PC security, this assumption is dangerous. Banks should instead assume that PCs are infected, and still take steps to protect customers from fraudulent transactions. For example, a basic two factor authentication does not prevent man-in-the-middle or man-in-the-browser attacks on transactions. Therefore, it is important to cross check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device (e.g., an SMS, a telephone call, a standalone smartcard reader with screen). Even smartphones could be used here, provided smartphone security holds up.
3. Strong cooperation needed to take down global command centres: The cyber-attack was carried out using command and control servers dynamically located across the globe, using e.g. fast flux botnets and bulletproof hosting providers. Criminals use these tricks to make law enforcement and notice-and-takedown more complicated. Therefore, strong global collaboration, both in terms of prevention and in terms of response is needed. ENISA works on fostering closer ties and more information exchange between national Computer Emergency Response Teams (CERTs), law enforcements and between EU countries to improve incident response across borders.
Preventing cyber-attacks is important, but it is also necessary to be prepared for when attacks happen. ENISA has been working with the different EU Member States to ensure that every country has well-functioning CERTs to handle cyber security incidents. ENISA organises large scale international cyber security exercises (for example Cyber Europe 2010, Cyber Atlantic 2011, and the upcoming Cyber Europe 2012) to increase international collaboration on large-scale security incidents. ENISA is also working with Member States to improve incident reporting to ensure more transparency about the causes, the frequency and the impact of past incidents. Currently consumers, businesses and policy makers are forced to make rough estimates. The EC recently announced a forthcoming strategy for Internet security, addressing the possibility of extending Article 13a (mandatory incident reporting and security measures) beyond just the electronic communications sector.
Looking forward, browser security and smartphone security will play an increasingly important role as more and more transactions are being carried out on smartphones or tablets. The rapid adoption of smartphones offers an important opportunity to improve end-point security (for example by using vetted appstores or by using smartphones as second factors) but we should not take smartphone security for granted.
 Antivirus detection rate for Zeus binaries is on average 38.4%. In other words, even if you run up-to-date antivirus programmes, there is still a high chance of being infected.
 Even if the user has to type a fresh and secret code each time for authenticating the transaction to the server, the attacker can still intercept the code and replay it to the server to execute a fraudulent transaction.
 Fast flux is a technique where one domain name points to a large and quickly changing set of IP addresses (i.e. computers).
“Bulletproof hosting provider” is a term for a provider with no conditions or check on the material uploaded. Cyber criminals use bulletproof hosting to host command and control servers, malware infection sites, phishing sites, and so on.
 Note that while we see that many smartphone vendors have taken the chance to improve on PC security, we should be warned: There have already been cases where criminals infect both the PC and the smartphone of the victim to circumvent two-factor authentication schemes based on SMS, using Zitmo.