
Alert: Targeted attacks on institutional online banking

This is the technical version of the Alert.
There is also a CIO and business officer version.

- - - - - - - - -

January 14, 2010
To: Participants in the EDUCAUSE Security Discussion Group,

We're aiming to raise awareness regarding targeted attacks that use
compromised commercial banking credentials to steal funds. Two of the more
successful are known as Clampi and Zeus. We'll be sending the following
letter to CIOs and business officers in 36+ hours.

At the bottom we've included additional discussion specific for this
community of security practitioners.

===================== START OF CIO/BO LETTER =====================

Alert: Targeted attacks on institutional online banking

We want to raise awareness, but not alarm, to an electronic crime threat
targeting institutional/commercial online banking activities. Two of the
most successful criminal operations (and the respective malware) are known
as Clampi and Zeus. The operations have been in place for over a year, and
have proven to be successful, difficult to stop, and damaging. A public
school district in Pennsylvania lost $700,000 in a two-day attack. A county
government in Kentucky lost $415,000. A New York school district lost $3MM,
of which $0.5MM remained unrecovered as of 6-Jan. [1][2]

Persons who conduct institutional/commercial online banking operations are
being specifically targeted by the criminals.

Standard desktop computer antivirus is not an effective defense because
the attackers constantly morph the attacks to evade antivirus signatures.
Network defenses such as firewalls and intrusion detection systems are
similarly ineffective. Some attacks have successfully defeated two-factor
authentication[3], although two-factor remains an effective defense
against many other attacks.

We recommend the following actions:

=== Business Officers and CIOs ===

1. Make sure that your peer (BO or CIO) has a copy of this message.

2. Read the Internet Crime Complaint Center (IC3) message [4].

3. Make certain that systems used in performing financial transactions
are protected by strict technical controls and receive periodic validation.

4. Make certain that personnel involved in performing online financial
transactions have the necessary security awareness and training. Those
persons should receive targeted training on phishing and this threat.

5. Make committed and purposeful use of banking transaction
initiator/approver roles. Most banks offer sophisticated role-based
controls, but it's up to the institution to put them to effective use.

6. Have written policies defining the controlled environment in which
online banking transactions can be conducted, e.g. what systems can be
used, how they must be maintained, required personnel training, etc.

7. Routinely audit compliance with established technical controls and

8. WE STRONGLY RECOMMEND THAT all online banking operations
be conducted on special-use computers that are used SOLELY for banking
transactions. No other use of the machine should be permitted - no e-mail,
no web browsing, no general-purpose business use - nothing but
institutional online banking transactions.

How the attacks work: As described in an FBI release[5] "In a typical
scenario, the targeted entity receives a 'spear phishing' e-mail which
either contains an infected attachment, or directs the recipient to an
infected website. Once the recipient opens the attachment or visits the
website, malware is installed on their computer. The malware contains a
key logger which will harvest each recipient's business or corporate bank
account login information. Shortly thereafter, the perpetrator either
creates another user account with the stolen login information or directly
initiates funds transfers by masquerading as the legitimate user. These
transfers have occurred as both traditional wire transfers and as ACH

We're sharing additional technical and policy information - aimed at
security officers and teams - to the public EDUCAUSE Security mailing list,
and within the private REN-ISAC [6] community.

The text of this message (along with clobber-free long URLs) is at:

A technical-audience version of this Alert is also located at that link.

Additional reading links are included below my signature.

If you have any questions, don't hesitate to e-mail me directly.

On behalf of the REN-ISAC team,

Doug Pearson
Technical Director, REN-ISAC
24x7 Watch Desk +1(317)274-7228



[1] The Growing Threat to Business Banking Online

[2] FBI investigating online New York school district theft

[3] Real-Time Hackers Foil Two-Factor Security

[4] Compromise Of User's Online Banking Credentials Targets Commercial Bank Accounts

[5] Fraudulent Automated Clearing House (ACH) Transfers Connected to Malware and Work-at-Home Scams

[6] REN-ISAC briefings

Additional references:

The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud

Online banking warning surprises some experts

Banking Securely Online, by US-CERT


==================== END OF THE CIO/BO LETTER ====================

EDUCAUSE Security Discussion Group folks (continued):

Elaborating on the technical and policy controls mentioned in the CIO/BO letter:

-- As mentioned, AV, firewall, and IDS don't prevent the problem. They might
help detect a breach after it's already happened, but that's often too late.
Two-factor authentication can be beaten, although it remains an effective
defense against many other attacks.

-- Application white-listing, e.g. on Windows, AppLocker[1][2], can offer
significant protection.
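As an added example of the application white-listing control above (this is not code from the REN-ISAC alert or from Microsoft), the following PowerShell builds a default-deny AppLocker policy for a dedicated banking workstation. It assumes a Windows edition that ships AppLocker (Windows 7 Enterprise/Ultimate or later) and an elevated session; the choice of allowed trees, the carve-outs for the user-writable directories under %WINDIR%, and the probe file are this example's own assumptions.

```powershell
# Added example, not part of the REN-ISAC alert: default-deny AppLocker policy
# for a dedicated banking workstation. Assumes an AppLocker-capable Windows
# edition and an elevated PowerShell session.
Import-Module AppLocker

# Start in AuditOnly, review the Microsoft-Windows-AppLocker event log for a few
# days of normal banking use, then change this to 'Enabled' and re-run.
$mode = 'AuditOnly'

# Emit one AppLocker path rule. S-1-1-0 is Everyone.
function New-PathRule {
    param(
        [string]$Name,
        [string]$Path,
        [string]$Action = 'Allow',
        [string]$Sid = 'S-1-1-0'
    )
    $id = [guid]::NewGuid().ToString()
    return ('    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="{3}">' -f $id, $Name, $Sid, $Action) +
           "`n      <Conditions><FilePathCondition Path=`"$Path`" /></Conditions>`n    </FilePathRule>"
}

# Allow code only from the OS and Program Files trees (AppLocker's %PROGRAMFILES%
# covers both Program Files and Program Files (x86)). Deny the user-writable
# directories inside %WINDIR% that the broad allow rule would otherwise cover;
# AppLocker evaluates deny rules ahead of allow rules, so the carve-outs hold.
# Fresh GUIDs on every call keep rule Ids unique across collections.
function Get-BankingRuleSet {
    @(
        (New-PathRule -Name 'Allow Windows'       -Path '%WINDIR%\*'),
        (New-PathRule -Name 'Allow Program Files' -Path '%PROGRAMFILES%\*'),
        (New-PathRule -Name 'Deny Windows\Temp'   -Path '%WINDIR%\Temp\*'  -Action 'Deny'),
        (New-PathRule -Name 'Deny Windows\Tasks'  -Path '%WINDIR%\Tasks\*' -Action 'Deny')
    ) -join "`n"
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
$(Get-BankingRuleSet)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="$mode">
$(Get-BankingRuleSet)
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'banking-applocker.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Check the policy before applying it: the same binary is allowed from the
# Windows tree but reported DeniedByDefault once it sits in a user-writable
# location (no rule matches). The probe copy is a constructed test input.
$probe = Join-Path $env:TEMP 'probe.exe'
Copy-Item "$env:windir\System32\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:windir\System32\notepad.exe", $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe

# AppLocker enforcement depends on the Application Identity service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Path rules are only as strong as the ACLs on the allowed trees; a signed-publisher rule for the banking browser is stricter than a path rule and can be generated from the binary with Get-AppLockerFileInformation and New-AppLockerPolicy -RuleType Publisher. The Dll collection is left unconfigured here because it needs more testing before enforcement.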

-- Systems used for online banking:

   + Should have only the minimum software installed that is
     necessary for their business function.

   + Should have Javascript and ActiveX disabled or specifically
     limited to trusted sites.

   + Should be subject to a change management process for
     any work that's to be done on the machine. Multiple-party
     approvals should be required.

   + Should be examined monthly and routinely patched by
     professional institutional IT security staff. If the system
     is not examined or patched by a specific date of a month,
     business office folks should not use it until the IT
     security staff bring it up to date.

-- Two-factor authentication should be used for banking access where
available. While two-factor authentication will not protect against all
attacks, it does provide protection against many. Sites should press their
banks to offer two-factor if they don't already.

-- As mentioned in the CIO/BO letter, the use of separate machine(s) SOLELY for
institutional online banking operations (and used for all such operations)
is STRONGLY RECOMMENDED. Useful technical and policy controls include:

   Referencing the Neustar document[3]:

   + Don't make the machine part of a Windows domain. Administer
     the machine using a local administrator account.

   + Shut the machine down when not in use.

   + Implement very aggressive firewall and possibly proxy
     protections for the system. All non-banking traffic should
     be denied.

   + Aggressively monitor traffic to and from the system

   + Place the machine on a separate VLAN, on a secure dedicated
     hard-wired network connection.

   And additionally:

   + Initiators and approvers should have distinct dedicated
     machines (see #5 in CIO/BO letter).

   + No other use of the machine should be permitted - no e-mail,
     no web browsing, no general-purpose business use - nothing but
     institutional online banking transactions.

   + Physical access to the machine should be tightly controlled.

   + The system should have a permanent and obvious distinguishing
     mark, e.g. spray paint it orange, to ensure there can be no
     mistaking that this is a special purpose machine.

   + Any other intentional use of the machine should be a cause
     for disciplinary action.
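As an added example of the "deny all non-banking traffic" and "monitor traffic to and from the system" controls in the list above (not code from the REN-ISAC alert or the Neustar document), this PowerShell restricts the Windows host firewall of a dedicated banking machine to the bank's own endpoints and logs everything else. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) in an elevated session; the bank addresses, resolver, WSUS host and browser path are placeholders.

```powershell
# Added example, not part of the REN-ISAC alert: host-firewall lockdown for a
# dedicated banking workstation. Assumes the NetSecurity module and an elevated
# session. All addresses and the browser path are placeholders.
Import-Module NetSecurity

$bankHosts = @('203.0.113.10', '203.0.113.11')                    # placeholder bank (TEST-NET-3)
$dnsServer = '192.0.2.53'                                         # placeholder resolver
$wsus      = '192.0.2.80'                                         # placeholder WSUS host
$browser   = "$env:ProgramFiles\Internet Explorer\iexplore.exe"  # assumed banking browser
$logFile   = "$env:windir\System32\LogFiles\Firewall\banking-pc.log"

# Default-deny in both directions on every profile; log allowed and dropped
# packets so traffic to and from the machine can be collected and reviewed.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogAllowed True -LogBlocked True -LogFileName $logFile -LogMaxSizeKilobytes 32767

# Disable (rather than delete) every allow rule that shipped with the image so
# the only permitted traffic is what is defined below.
Get-NetFirewallRule -Action Allow -Enabled True | Disable-NetFirewallRule

$prefix = 'Banking PC:'

# DHCP so the wired connection can obtain an address (drop if statically addressed).
New-NetFirewallRule -DisplayName "$prefix DHCP" -Direction Outbound -Action Allow `
    -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null

# Name resolution only to the institutional resolver.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "$prefix DNS $proto" -Direction Outbound -Action Allow `
        -Protocol $proto -RemotePort 53 -RemoteAddress $dnsServer | Out-Null
}

# HTTPS to the bank, and only from the designated browser binary.
New-NetFirewallRule -DisplayName "$prefix bank HTTPS" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 443 -RemoteAddress $bankHosts -Program $browser | Out-Null

# Patching from the internal WSUS server (default WSUS ports 8530/8531).
New-NetFirewallRule -DisplayName "$prefix WSUS" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 8530, 8531 -RemoteAddress $wsus | Out-Null

# Record the resulting posture for the change-management file.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize
Get-NetFirewallRule -DisplayName "$prefix*" |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

Nothing inbound is opened at all; administration is meant to happen at the console, which matches the physical-access control above. On Windows 7, the same default-deny posture is set with `netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound` and per-rule `netsh advfirewall firewall add rule` commands. If the dedicated VLAN runs IPv6, the disabled Core Networking ICMPv6 rules must be re-enabled, and the firewall log should be shipped off the machine, since a compromised host can edit its own log.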

-- While virtual machine solutions are technically an alternative to dedicated
machines, in the interest of keeping the solution simple, clean, usable, and
understandable by non-technical business office staff, we do not recommend
virtual solutions.

-- And as always, "user privilege reduction" - the user should never
conduct normal use of the system under an admin-privileged account.

-- Other standard desktop hardening recommendations and practices
apply, e.g. [4][5].
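The CIO/BO letter asks for routine audits of the technical controls, and the bullets above define several of them (no domain membership, no admin-privileged use, scripting and ActiveX disabled, monthly patching, white-listing, default-deny firewall). As an added example (not code from the REN-ISAC alert), the following read-only PowerShell check tests those controls on a dedicated banking workstation and reports whether the machine may be used. It assumes Windows 8 / Server 2012 or later (PowerShell 3+, the AppLocker and NetSecurity modules) and is meant to be run as the business-office operator; the 31-day patch window, the "value 3 = disabled" Internet-zone registry settings for Active scripting (1400) and ActiveX (1200), and the pass/fail thresholds are this example's assumptions.

```powershell
# Added example, not part of the REN-ISAC alert: read-only compliance check for
# a dedicated banking workstation. Assumes PowerShell 3+ with the AppLocker and
# NetSecurity modules. Run as the operator account; thresholds are assumptions.
Import-Module AppLocker
Import-Module NetSecurity

$maxPatchAgeDays = 31
$results = New-Object System.Collections.Generic.List[object]

function Test-Control {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Control = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Not a domain member; administered with a local account.
$cs = Get-CimInstance Win32_ComputerSystem
Test-Control 'Not a domain member' (-not $cs.PartOfDomain) "Domain/workgroup: $($cs.Domain)"

# 2. The operator session is not admin-privileged ("user privilege reduction").
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Test-Control 'Operator is not an administrator' (-not $isAdmin) "User: $($identity.Name)"

# 3. Patched within the policy window; otherwise the machine is out of service.
$lastPatch = Get-HotFix |
    ForEach-Object { $_.InstalledOn -as [datetime] } |
    Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
$patchOk = [bool]($lastPatch -and ((Get-Date) - $lastPatch).TotalDays -le $maxPatchAgeDays)
Test-Control "Patched within $maxPatchAgeDays days" $patchOk "Last hotfix: $lastPatch"

# 4. Active scripting (1400) and ActiveX (1200) disabled (value 3) in the
#    Internet Explorer Internet zone (zone 3) for the operator account.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneProps = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
foreach ($setting in @{ '1400' = 'Active scripting'; '1200' = 'ActiveX controls' }.GetEnumerator()) {
    $value = $zoneProps.($setting.Key)
    Test-Control "$($setting.Value) disabled in Internet zone" ($value -eq 3) "Value: $value"
}

# 5. AppLocker is enforcing (not just auditing) a whitelist for executables.
$policy  = [xml](Get-AppLockerPolicy -Effective -Xml)
$exeMode = ($policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe').EnforcementMode
Test-Control 'AppLocker EXE rules enforced' ($exeMode -eq 'Enabled') "Mode: $exeMode"

# 6. Host firewall enabled with default-deny in both directions on all profiles.
$profiles = Get-NetFirewallProfile
$bad = $profiles | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' -or $_.DefaultOutboundAction -ne 'Block'
}
$fwDetail = ($profiles | ForEach-Object {
    "$($_.Name): in=$($_.DefaultInboundAction) out=$($_.DefaultOutboundAction)" }) -join '; '
Test-Control 'Firewall default-deny on all profiles' (@($bad).Count -eq 0) $fwDetail

# Report, and refuse the machine for banking use if anything failed.
$results | Format-Table Control, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
if ($failed -gt 0) {
    Write-Warning "$failed control(s) failed: do not use this machine for banking until IT security brings it back into compliance."
    exit 1
}
exit 0
```

Because the check only reads state, it can be scheduled to run at logon and its result recorded with the monthly examination; a failure is the trigger the bullet list above describes, in which the business office stops using the machine until IT security staff bring it up to date.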

We'd appreciate hearing your discussion of additional means to protect
against this threat.

The text of this message (along with clobber-free long URLs) is at:

[1] AppLocker

[2] Software Restriction Policies

[3] The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud

[4] NIST Computer Security Resource Center - Systems Administration

[5] Microsoft Security Guidance

Additional references:

Clampi/Ligats/Ilomo Trojan

Measuring the in-the-wild effectiveness of Antivirus against Zeus

ZeuS Tracker :: ZeuS blocklist

On behalf of the REN-ISAC team,

Doug Pearson
Technical Director, REN-ISAC
24x7 Watch Desk +1(317)274-7228