Online Banking Alert - Technical Version

January 14, 2010
To: Participants in the EDUCAUSE Security Discussion Group,

We're aiming to raise awareness regarding targeted attacks that use compromised commercial banking credentials to steal funds. Two of the more successful are known as Clampi and Zeus. We'll be sending the following letter to CIO's and business officers in 36+ hours.

At the bottom we've included additional discussion specific for this community of security practitioners.

============ START OF CIO/BO LETTER ===============

Alert: Targeted attacks on institutional online banking

We want to raise awareness, but not alarm, about an electronic crime threat targeting institutional/commercial online banking activities. Two of the most successful criminal operations (and the respective malware) are known as Clampi and Zeus. The operations have been in place for over a year, and have proven to be successful, difficult to stop, and damaging. A public school district in Pennsylvania lost $700,000 in a two-day attack. A county government in Kentucky lost $415,000. A New York school district lost $3MM, of which $.5MM remained unrecovered as of 6-Jan. [1][2]

Persons who conduct institutional/commercial online banking operations are being specifically targeted by the criminals.

Standard desktop computer antivirus is not an effective defense because the attackers constantly morph the attacks to evade antivirus signatures. Network defenses such as firewalls and intrusion detection systems are similarly ineffective. Some attacks have successfully defeated two-factor authentication[3], although two-factor remains an effective defense against many other attacks.

We recommend the following actions:

=== Business Officers and CIO's ===

1. Make sure that your peer (BO or CIO) has a copy of this message.

2. Read the Internet Crime Complaint Center (IC3) message [4].

3. Make certain that systems used in performing financial transactions are protected by strict technical controls and receive periodic validation.

4. Make certain that personnel involved in performing online financial transactions have the necessary security awareness and training. Those persons should receive targeted training on phishing and this threat.

5. Make committed and purposeful use of banking transaction initiator/approver roles. Most banks offer sophisticated role-based controls, but it's up to the institution to put them to effective use.

6. Have written policies defining the controlled environment in which online banking transactions can be conducted, e.g. what systems can be used, how they must be maintained, required personnel training, etc.

7. Routinely audit compliance with established technical controls and policies.

8. WE STRONGLY RECOMMEND THAT all online banking operations be conducted on special-use computers that are used SOLELY for banking transactions. No other use of the machine should be permitted - no e-mail, no web browsing, no general-purpose business use - nothing but institutional online banking transactions.

How the attacks work: As described in an FBI release[5] "In a typical scenario, the targeted entity receives a 'spear phishing' e-mail which either contains an infected attachment, or directs the recipient to an infected website. Once the recipient opens the attachment or visits the website, malware is installed on their computer. The malware contains a key logger which will harvest each recipient's business or corporate bank account login information. Shortly thereafter, the perpetrator either creates another user account with the stolen login information or directly initiates funds transfers by masquerading as the legitimate user. These transfers have occurred as both traditional wire transfers and as ACH transfers."

We're sharing additional technical and policy information - aimed at security officers and teams - to the public EDUCAUSE Security mailing list, and within the private REN-ISAC [6] community.

The text of this message (along with clobber-free long URLs) is at:

A technical-audience version of this Alert is also located at that link.

Additional reading links are included below my signature.

If you have any questions, don't hesitate to e-mail me directly.

On behalf of the REN-ISAC team,

Doug Pearson
Technical Director, REN-ISAC
24x7 Watch Desk +1(317)274-7228



[1] The Growing Threat to Business Banking Online

[2] FBI investigating online New York school district theft

[3] Real-Time Hackers Foil Two-Factor Security

[4] Compromise Of User's Online Banking Credentials Targets Commercial Bank Accounts

[5] Fraudulent Automated Clearing House (ACH) Transfers Connected to Malware and Work-at-Home Scams

[6] REN-ISAC briefings

Additional references:

The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud

Online banking warning surprises some experts

Banking Securely Online, by US-CERT


============ END OF THE CIO/BO LETTER =============

EDUCAUSE Security Discussion Group folks (continued):

Elaborating on the technical and policy controls mentioned in the CIO/BO letter:

-- As mentioned, AV, firewall, and IDS don't prevent the problem. They might help detect a breach after it's already happened, but that's often too late. Two-factor authentication can be beaten, although it remains an effective defense against many other attacks.

-- Application white-listing (e.g., AppLocker[1][2] on Windows) can offer significant protection.
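As an added example of putting AppLocker to use on the dedicated banking machine (this is not code from the alert, REN-ISAC, or Microsoft's documentation), the script below inventories the software already installed, turns that inventory into publisher/hash allow rules, applies the policy in audit-only mode first, and then lists what would have been blocked. It assumes an elevated local-administrator prompt on Windows 7 Enterprise/Ultimate or later with the AppLocker PowerShell module; the C:\BankingWS path and the policy file name are assumptions for this example.

```powershell
# Added example: build an AppLocker allow-list for a dedicated banking workstation.
# Assumes Windows 7 Enterprise/Ultimate or later, the AppLocker module, and an
# elevated local-administrator prompt. $policyPath is an assumed location.
Import-Module AppLocker

$policyPath = 'C:\BankingWS\applocker-policy.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# AppLocker enforcement depends on the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Inventory executables, scripts and installers that legitimately live on the machine.
# With -Optimize, signed files collapse into publisher rules (one rule can cover all
# Microsoft-signed Windows binaries); unsigned files fall back to hash rules, so a
# modified or dropped-in replacement of those files is not allowed to run.
$fileInfo = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller
    }

$xml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -RuleNamePrefix BankingWS -Xml

# Start in AuditOnly: nothing is blocked yet, violations are only logged. Enforcing a
# freshly generated allow-list without an audit pass risks locking out the machine.
[xml]$policy = $xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policy.Save($policyPath)

# Apply the audit policy to the local machine (replaces any existing local policy).
Set-AppLockerPolicy -XmlPolicy $policyPath

# After a normal banking session, list what would have been blocked. Event 8003 is the
# audit-mode "would have been prevented" event; an empty list means enforcement is safe.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-List

# To enforce once the audit log is clean, switch the collections to Enabled and re-apply:
# foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'Enabled' }
# $policy.Save($policyPath); Set-AppLockerPolicy -XmlPolicy $policyPath
```

Regenerating and re-applying the policy should itself go through the change-management process described below for the banking machine, since every software change on the box changes the allow-list.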

-- Systems used for online banking:

+ Should have only the minimum software installed that is necessary to perform their business functions.

+ Should have Javascript and ActiveX disabled or specifically limited to trusted sites.

+ Should be subject to a change management process for any work that's to be done on the machine. Multiple-party approvals should be required.

+ Should be examined monthly and routinely patched by professional institutional IT security staff. If the system is not examined or patched by a specific date of a month, business office folks should not use it until the IT security staff bring it up to date.

-- Two-factor authentication should be used for banking access where available. While two-factor authentication will not protect against all attacks, it does provide protection against many. Sites should press their banks to offer two-factor if they don't already.

-- As mentioned in the CIO/BO letter, use of separate machine(s) SOLELY for institutional online banking operations (and for all such operations) is STRONGLY RECOMMENDED. Useful technical and policy controls include:

Referencing the Neustar document[3]:

+ Don't make the machine part of a Windows domain. Administer the machine using a local administrator account.

+ Shut the machine down when not in use.

+ Implement very aggressive firewall and possibly proxy protections for the system. All non-banking traffic should be denied.

+ Aggressively monitor traffic to and from the system.

+ Place the machine on a separate VLAN, on a secure dedicated hard-wired network connection.
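The firewall and monitoring items above, worked through as an added example for a Windows banking machine (this is not code from the alert, REN-ISAC, or the Neustar document): the host firewall is set to deny everything in both directions, only HTTPS to the bank and DNS to the institution's resolver are allowed out, dropped connections are logged, and a small function reviews the Windows Firewall log for outbound attempts to anything outside the allow-list. It assumes Windows 7 or later and an elevated prompt; the bank addresses (TEST-NET-3 placeholders), the resolver address, and the sample log lines are constructed for the example.

```powershell
# Added example: deny-by-default host firewall plus a review of the firewall log for
# a dedicated banking workstation. Assumes Windows 7 or later, elevated prompt.
# The bank IPs, resolver IP and sample log lines below are constructed placeholders.
$bankHosts   = '203.0.113.10,203.0.113.11'   # assumed: the bank's published addresses
$dnsResolver = '10.0.0.53'                   # assumed: the institution's internal resolver
$logFile     = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Deny everything in both directions on every profile, and log dropped connections.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$logFile"

# 2. Allow only what a banking session needs: HTTPS to the bank, DNS to our resolver.
#    Patching and AV updates are performed by IT staff during the change window, so no
#    standing rule for update servers is created; a permanent "allow updates" rule would
#    reopen a general-purpose path out of the machine.
netsh advfirewall firewall add rule name="BankingWS allow HTTPS to bank" dir=out action=allow protocol=TCP remoteport=443 "remoteip=$bankHosts"
netsh advfirewall firewall add rule name="BankingWS allow DNS to resolver" dir=out action=allow protocol=UDP remoteport=53 "remoteip=$dnsResolver"

# 3. Review the log: on this machine any outbound attempt to a destination outside the
#    allow-list is unexpected and should be looked at by security staff.
function Get-UnexpectedOutbound {
    param([string[]]$Lines, [string[]]$AllowedDst)
    # pfirewall.log is space-separated with a '#Fields:' header; the last column (path)
    # is SEND for outbound and RECEIVE for inbound.
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Action   = $f[2]
                Protocol = $f[3]
                DstIp    = $f[5]
                DstPort  = $f[7]
                Path     = $f[-1]
            }
        } |
        Where-Object { $_.Path -eq 'SEND' -and $AllowedDst -notcontains $_.DstIp } |
        Group-Object DstIp, DstPort |
        ForEach-Object {
            [pscustomobject]@{ Destination = $_.Name; Attempts = $_.Count; First = $_.Group[0].Time }
        } |
        Sort-Object Attempts -Descending
}

$allowed = ($bankHosts -split ',') + $dnsResolver

# Constructed sample lines in pfirewall.log format (not real traffic), so the review
# function can be exercised before the real log has any entries.
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-01-14 09:02:11 DROP TCP 10.0.5.20 198.51.100.77 49211 80 52 S 123456 0 8192 - - - SEND
2010-01-14 09:02:15 DROP TCP 10.0.5.20 198.51.100.77 49212 80 52 S 123457 0 8192 - - - SEND
2010-01-14 09:03:40 DROP TCP 10.0.5.20 192.0.2.9 49220 8080 52 S 123458 0 8192 - - - SEND
2010-01-14 09:04:02 DROP TCP 203.0.113.99 10.0.5.20 443 49230 40 R 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

Get-UnexpectedOutbound -Lines $sample -AllowedDst $allowed | Format-Table -AutoSize

# Against the real log, run on a schedule or as part of the security team's review.
if (Test-Path $logFile) {
    Get-UnexpectedOutbound -Lines (Get-Content $logFile) -AllowedDst $allowed | Format-Table -AutoSize
}
```

Because the machine is meant to talk to exactly one service, the interesting signal is not the volume of drops but any drop at all: a persistent outbound attempt to an unlisted address from a box that is only used for banking is the kind of event the "aggressively monitor" item is asking staff to catch, and the same review can be done upstream on the dedicated VLAN's firewall logs.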

And additionally:

+ Initiators and approvers should have distinct dedicated machines (see #5 in CIO/BO letter).

+ No other use of the machine should be permitted - no e-mail, no web browsing, no general-purpose business use - nothing but institutional online banking transactions.

+ Physical access to the machine should be tightly controlled.

+ The system should have a permanent and obvious distinguishing mark, e.g. spray paint it orange, to ensure there can be no mistaking that this is a special-purpose machine.

+ Any other intentional use of the machine should be a cause for disciplinary action.

-- While virtual machine solutions are technically an option to dedicated machines, in the interest of keeping the solution simple, clean, usable, and understandable by non-technical business office staff, we do not recommend virtual solutions.

-- And as always, "user privilege reduction" - the user should never conduct normal use of the system under an admin-privileged account.

-- Other standard desktop hardening recommendations and practices apply, e.g. [4][5].

We'd appreciate hearing your discussion of additional means to protect against this threat.

The text of this message (along with clobber-free long URLs) is at:

[1] AppLocker

[2] Software Restriction Policies

[3] The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud

[4] NIST Computer Security Resource Center - Systems Administration

[5] Microsoft Security Guidance

Additional references:

Clampi/Ligats/Ilomo Trojan

Measuring the in-the-wild effectiveness of Antivirus against Zeus

ZeuS Tracker :: ZeuS blocklist

On behalf of the REN-ISAC team,

Doug Pearson
Technical Director, REN-ISAC
24x7 Watch Desk +1(317)274-7228