Tag: phishing

20 Sep 2012

New cyber attack targeting small to medium-sized financial institutions

The FBI, in association with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3), recently issued a fraud alert warning that criminals are using a multi-vector attack to compromise financial institution networks and initiate fraudulent wire transfers.  The first thing that struck me about this attack is that although all the recent focus has been on strengthening controls on the merchant side, this is targeted not at the merchant, but directly at the financial institution itself.

Simply put, the attack uses a combination of SPAM and phishing emails (#1 below), keystroke loggers, and remote access software (#2 below) to capture employee authentication credentials.  A successful attack results in the employee’s PC being under the control of the criminal, who will then use the employee’s authority to initiate wires, approve them, and even override built-in transaction limits. The following graphic describes how the attack occurs, with the exception that in #5 the victim is the financial institution, not the on-line banking customer:

(Click here for original document)

It is important to understand that this is not a “proof-of-concept” attack, this is actually occurring, and has resulted in attempted transfers ranging from $400,000 and $900,000.

One of the unique indicators of the attack is that either just prior to or just after the attack, the institution’s website is targeted by a denial of service attack which is designed to slow or deny access to the FI’s website, distracting institution employees and preventing or delaying them from detecting the fraudulent transactions.  They recommend that institutions monitor for spikes in website traffic that may indicate the beginning of the attack.

The alert also lists 17 best practice recommendations for financial institutions designed to prevent and detect this (and similar) attacks.  It is not surprising that the first 5 recommendations address the weakest link; the employee.  I previously identified the employee as the biggest single risk to information security, and employee training as a trend for 2012.  Many of the other recommendations should be familiar to most FI’s; restrict user access rights and login times, review Anti-malware and Anti-virus defenses, implement anomaly detection, and utilize IPS and “white-lists” to prevent connections to suspicious sites.  They also recommend that institutions strongly consider (their words, my emphasis) implementing out-of-band authentication for wire authorization.  This is where the final authentication approval is send back to the originator via a communication channel other than the one used to initiate the transaction.  This was also one of the recommendations from the FFIEC in their authentication supplement released last year.

In my opinion there are 2 controls financial institutions can implement now that will do more than any other to significantly reduce the incidence of fraudulent transactions.  The first is out-of-band authentication, and the other is utilizing a secure DNS service, similar to this.

14 Sep 2011

The current single biggest security threat to financial institutions – UPDATE

(UPDATE – Hord Tipton, executive director of (ISC)2, posted recently on the biggest data breaches of the past year.  His analysis confirms that ” …humans are still at the heart of great security successes – and, unfortunately, great security breaches…The lesson we learn from this year’s breaches is that most of them were avoidable – even preventable – if humans had exercised best practices at the proper times.”)

What was the nature of the attack on the security company RSA that they described as “extremely sophisticated”  and an “advanced persistent threat”?  Simply put, it was a fairly ordinary phishing email that was sent to RSA employees that contained an Excel spreadsheet with an embedded Adobe Flash exploit.  At least one employee opened the attachment.  The exploit allowed the attacker to install a backdoor and subsequently gain access to the information they were after.

I wrote about this here, discussing how password tokens (like RSA) were just one factor in one layer of a multi-factor, multi-layered security process.  At the time the post was written (shortly after the attack became public) we weren’t sure about either the nature of the attack, or exactly what was taken, but at this point it is pretty clear that the real weakness that was exploited at RSA is still out there, and it can’t be fixed by a patch or an update.  In fact according to recent IT audits this particular vulnerability is still present at most financial institutions…the employee.  Or more specifically, the under-trained-and-tested employee.

How do you address this threat?  Sure, regular critical patch updates and Anti-virus/Anti-malware software are important, but the only way to mitigate the employee risk is through repeated testing and training.  As far back as 2004 the FFIEC recognized social engineering as a threat, stating in their Operations booklet:

Social engineering is a growing concern for all personnel, and in some organizations personnel may be easy targets for hackers trying to obtain information through trickery or deception.

And as recently as this year social engineering is mentioned again in the recent FFIEC Internet Authentication guidance:

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset or as a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Most financial institutions already include some form of social engineering testing in their IT controls audits, typically as part of a penetration, or PEN test.  Auditors assessing social engineering control effectiveness will use various techniques to entice an employee to enter their network authentication credentials.  Posing as a customer, an employee, a trusted vendor, or even going to the extreme of constructing a website with the same look and feel of the institutions actual website, auditors have been extremely effective in getting employees to disclose information.  In fact in all of the social engineering tests I’ve seen, the vast majority resulted in at least one employee disclosing confidential information, and in many cases 50% or more employees handed over information.  Although I believe this number is slowly declining, if the RSA breach taught us anything it was that all it takes is one set of disclosed credentials from one employee to compromise the organization.

So if both social engineering and the need for training and testing is not a new concept to financial institutions, then why is this such a persistent problem?  After all, most institutions have been conducting information security training for years.  In fact as part of their IT examinations, examiners have been required to “…review security guidance and training provided to ensure awareness among employees and contractors, including annual certification that personnel understand their responsibilities.”

I think a big part of the challenge is that financial institution employees are specifically hired for their customer service skills; their willingness to want to help each other and the customer.  These are exactly the personality traits that you want in a customer-facing employee.  But this helpful attitude is exactly why financial institution employees are notoriously difficult to train on information security.  (An excellent summary of this is found in a technical overview paper published by Predictive Index).  The same personality traits that make employees want to help are also correlated with a general lack of suspicion.  And a little suspicion can be more useful in preventing social engineering attacks than all the formal training in the world.

Suspicion can’t be taught, but adherence to polices and procedures can.  And fortunately one personality trait that is correlated with a helpful attitude is a willingness and ability to follow the rules.  Perhaps the answer is to spend more training time making sure your employees know what is expected of them (as defined in your policies) and how they are expected to respond to requests for information, and spend less time discussing why (i.e. the current threat environment).  Make sure you include social engineering testing as part of your annual IT audits because this is the only way to measure the success of your training efforts.  And if the testing results indicate that more training is necessary, repeat training and testing not just annually but as frequently as you have to until the test response rate  is zero.  Also, use the news of recent cyber-incidents as an opportunity to stage “what would you do in this circumstance” training exercises with your employees.  In the end this is one risk you’ll never completely eliminate…the best you can hope is that you don’t become a training exercise for someone else!