Catch Them If You Can: E-banking Malware Fraud
By: SecureWorks
Infamous fraudster Frank Abagnale became a household name with his globe-trotting escapades posing as a pilot, lawyer and doctor, inspiring a Leonardo DiCaprio film and even a Broadway musical. Abagnale shot to notoriety in the 1960s for defrauding banks of millions of dollars with meticulously forged checks.
Fraud is nothing new. However, gone are the days when bogus checks were a top concern for the financial sector's security departments. What techniques would the modern-day Abagnale use?
The answer, of course, is found online. A modern way that criminals can conduct fraud is e-banking malware. This malicious software does not target the bank directly but attacks via the customer, who will often have weaker security defences. Malware will infect a victim's system and perform fraudulent transactions on their behalf.
This presents a serious risk for e-banking customers, both individuals and businesses, as well as the financial institutions themselves. Whilst individuals can present an easier target with fewer security defences, businesses are more likely to be specially targeted as they have access to higher value accounts. In the United States, where e-banking fraud is prevalent, there have been cases of small and medium enterprises going out of business after an e-banking Trojan attack. As for banks and financial companies, they must often bear the cost of the fraudulent transaction and replace money stolen from the victim's account. There is also the risk of reputational damage if their name is linked to fraud cases in the media.
E-banking malware is supported by a well-organized underground infrastructure with an associated economy worth billions of dollars globally [1]. Cyber-crime groups have access to "crimeware" kits, which act as malware factories: they are easy to use and come with features that you would expect from traditional commercial software packages, such as support forums.
Malware is constantly evolving, and "crimeware" kits allow continuous adaptation to defensive security measures that a bank or a bank's customers might attempt to put in place. For example, modern e-banking malware is created so that each infection has a unique signature, allowing it to evade anti-malware solutions. Identifying the malware creators and eventual beneficiaries of the fraud poses great difficulty, because human "money mules" are used as middlemen to transfer funds between the victim and the cyber-crime groups. Groups also work across borders and in countries with limited capacity or willingness to enforce computer crime legislation.
E-banking malware still primarily targets web-based applications accessed via computers and laptops. However, with the move towards banking using mobile applications, criminals have adapted their methods to introduce mobile malware, which has been targeting mobile devices for the last couple of years.
The barrier to entry into e-banking Trojan fraud is very low, with user-friendly "crimeware" kits making it accessible to criminals who are successfully evading being caught. As the uptake of online banking services increases and the integration of online services and other banking channels advances, left unchecked, this problem will only get worse.
There are effective methods to defend against this type of attack. Experts usually recommend a layered approach using multiple defensive methods. And managed security service providers like Dell SecureWorks can bring a wide range of technologies, services and deep expertise to bear.
[1] Estimates of the costs of cyber-crime can vary. The UK government stated that the cost to the UK economy is £27bn per year (http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime), a figure which has been disputed, for example by Ross Anderson (http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf).