Alert: Targeted attacks on institutional online banking

This is the CIO and business officer version of the Alert.
There is also a technical version.

- - - - - - - - -

January 14, 2010
To: CIOs and Business Officers,

We want to raise awareness of, but not alarm about, an electronic crime
threat targeting institutional/commercial online banking activities. Two of
the most successful criminal operations (and their respective malware) are
known as Clampi and Zeus. The operations have been in place for over a year,
and have proven to be successful, difficult to stop, and damaging. A public
school district in Pennsylvania lost $700,000 in a two-day attack. A county
government in Kentucky lost $415,000. A New York school district lost
$3 million, of which $500,000 remained unrecovered as of 6 January. [1][2]

Persons who conduct institutional/commercial online banking operations are
being specifically targeted by the criminals.

Standard desktop antivirus is not an effective defense because the
attackers constantly morph the malware to evade antivirus signatures.
Network defenses such as firewalls and intrusion detection systems are
similarly ineffective. Some attacks have successfully defeated two-factor
authentication[3], although two-factor remains an effective defense
against many other attacks.

We recommend the following actions:

=== Business Officers and CIOs ===

1. Make sure that your peer (BO or CIO) has a copy of this message.

2. Read the Internet Crime Complaint Center (IC3) message [4].

3. Make certain that systems used in performing financial transactions
are protected by strict technical controls and receive periodic validation.

4. Make certain that personnel involved in performing online financial
transactions have the necessary security awareness and training. Those
persons should receive targeted training on phishing and this threat.

5. Make committed and purposeful use of banking transaction
initiator/approver roles. Most banks offer sophisticated role-based
controls, but it's up to the institution to put them to effective use.

6. Have written policies defining the controlled environment in which
online banking transactions can be conducted, e.g. what systems can be
used, how they must be maintained, required personnel training, etc.

7. Routinely audit compliance with established technical controls and

8. WE STRONGLY RECOMMEND THAT all online banking operations be conducted
on special-use computers that are used SOLELY for banking transactions.
No other use of the machine should be permitted - no e-mail, no web
browsing, no general-purpose business use - nothing but institutional
online banking transactions.

How the attacks work: As described in an FBI release[5] "In a typical
scenario, the targeted entity receives a 'spear phishing' e-mail which
either contains an infected attachment, or directs the recipient to an
infected website. Once the recipient opens the attachment or visits the
website, malware is installed on their computer. The malware contains a
key logger which will harvest each recipient's business or corporate bank
account login information. Shortly thereafter, the perpetrator either
creates another user account with the stolen login information or directly
initiates funds transfers by masquerading as the legitimate user. These
transfers have occurred as both traditional wire transfers and as ACH

We're sharing additional technical and policy information - aimed at
security officers and teams - on the public EDUCAUSE Security mailing list
and within the private REN-ISAC [6] community.

The text of this message (along with clobber-free long URLs) is at:

A technical-audience version of this Alert is also located at that link.

Additional reading links are included below my signature.

If you have any questions, don't hesitate to e-mail me directly.

On behalf of the REN-ISAC team,

Doug Pearson
Technical Director, REN-ISAC
24x7 Watch Desk +1(317)274-7228

[1] The Growing Threat to Business Banking Online

[2] FBI investigating online New York school district theft

[3] Real-Time Hackers Foil Two-Factor Security

[4] Compromise Of User's Online Banking Credentials Targets Commercial Bank Accounts

[5] Fraudulent Automated Clearing House (ACH) Transfers Connected to Malware and Work-at-Home Scams

[6] REN-ISAC briefings

Additional references:

The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud

Online banking warning surprises some experts

Banking Securely Online, by US-CERT