The indictment of nine alleged participants in a fraud scheme
that involved infecting thousands of business computers with Zeus malware
to steal millions of dollars shows that the malware remains a formidable
ongoing threat, financial services security experts say.
The victims in the case included a Nebraska bank and a
Nebraska company, according to an announcement of the indictment from federal
prosecutors. The indictment was unsealed in connection with the April 11
arraignment of two Ukrainian nationals, who were recently extradited from the
United Kingdom. Three other Ukrainians and a Russian have not yet been
arrested; the indictment also names three other "John Doe"
defendants.
"These actors are only a few of those who operate Zeus
botnets out of a sea of cybercriminals who use variations to commit
fraud," says Ryan Sherstobitoff, a threat researcher at security vendor
McAfee, a unit of Intel. "Zeus will always be a continuing threat, and
cybercriminals will continue to use Zeus to steal money. We as an industry must
be vigilant."
Kevin Haley, security response director at security vendor
Symantec, says the indictments won't put much of a dent in the use of the
malware. "Zeus is not a gang; it's a toolkit, a very popular one used by
many gangs," he says. "While today there is one less gang, there are
still plenty of others using Zeus to attack us."
Andreas Baumhof, chief technology officer at anti-fraud
vendor ThreatMetrix, says that when it comes to fighting fraud, the latest
indictments are "like taking a scoop of sand out of the beach.
"The thing about Zeus is that the people who develop and
distribute Zeus are not the same people who use Zeus to steal money,"
Baumhof says. "Now we have a couple less people using Zeus."
Zeus is a continuing threat because many financial
institutions aren't necessarily looking for the malware itself, says George
Tubin, banking expert at anti-malware provider Trusteer. "What [banks] are
trying to do is use different authentication means and different fraud
prevention technologies to try to spot when fraud happens," he says.
"But very few institutions are actually trying to identify when
man-in-the-middle malware [such as Zeus] is being used."
The nine defendants in the case revealed April 11 allegedly
used the malware to capture passwords, account numbers and other information
necessary to log into online banking accounts, federal prosecutors say. The
conspirators then used the information to steal millions of dollars from
victims' bank accounts.
The defendants allegedly falsely represented to banks that
they were employees of the victim organizations and were authorized to make
transfers of funds from the victims' bank accounts, according to an
announcement from the Federal Bureau of Investigation.
As part of the scheme, the defendants allegedly used money
mules in the U.S. who received funds transferred over the ACH network or
through other interstate wire systems from victims' bank accounts, the FBI
says. The money mules then allegedly withdrew some of those funds and wired the
money overseas to conspirators.
All the defendants were charged by a federal grand jury with
conspiracy to participate in racketeering activity, conspiracy to commit
computer fraud and identity theft, aggravated identity theft and multiple counts
of bank fraud.
McAfee's Sherstobitoff says federal law enforcement is making
progress mitigating the Zeus threat through botnet takedowns and disruption
efforts. "These disruption efforts are oriented toward breaking up
criminal rings who operate Zeus to steal from commercial entities," he
says.
Haley at Symantec notes: "Security technology continues
to get better, and users become more aware of the social engineering tricks
that attackers deploy. But the attackers do not stand still either."
Organizations need to first identify the critical business
information that must be protected and prioritize that appropriately, Haley
says. Then they must implement security technology, including anti-spam
technology, to mitigate the e-mail threats. "And finally, users need
security awareness training," he says.
ThreatMetrix's Baumhof says making progress in fighting fraud
is challenging because many malware attacks are so targeted. "The trick
with Zeus is that it is a very flexible toolkit that you can use in many
different ways," he says. "People try to mitigate the specific
attacks that they are being attacked with, not against Zeus. People are
protecting against cuts and not against the Swiss Army knife."
To fight attacks that use Zeus, banks need to ensure more
data is available to systems that assess risk, Baumhof says. And that includes
information about end users' devices. "How can a bank make a good decision
regarding whether or not a particular transaction is valid if there is no
visibility into the endpoint?"