There's good news in the fight against cybercrime. Authorities have arrested 10 individuals allegedly tied to a global phishing scheme that exploited Facebook and relied on a botnet to compromise more than 11 million computers and steal more than $850 million.
But arrests alone aren't enough to combat online banking fraud. Experts say banking institutions need to take several important steps to support the ongoing cyberfight, including sharing more information with law enforcement and using stronger authentication and end-user security.
"I think it's a good strike against the bad guys, but it just reinforces my view that the FBI is good at coordinating the arrests," says Dave Jevans, head of online security firm Marble Cloud and a member of the Anti-Phishing Working Group, an international organization of online security thought leaders. "You need private companies to help you know who to arrest."
On Dec. 11, the Department of Justice and the Federal Bureau of Investigation, along with international authorities, announced arrests of 10 individuals in connection with the Butterfly botnet, which between 2010 to October 2012 pushed variants of the malware known as Yahos through Facebook. Yahos, a banking Trojan, steals credit card and bank account details and other personal information stored on infected desktops.
Experts say the fraudsters likely spread their attack through Facebook by getting unwitting users to accept their friend requests. From there, the attackers took over the users' accounts and sent phishing e-mails to those users' Facebook friends.
The arrests of individuals residing in Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom and the United States hinged on cooperation from Facebook, experts say. Without Facebook's support, international authorities likely would not have connected all the dots.
"It just proves that law enforcement needs cooperation from the private sector," Jevans says. "They have the data. ... The more information they provide, the more security researchers and law enforcement have to work with."
But Jevans says the industry continues to fight a losing battle. "There are tons of other gangs out there doing just as much, if not more, harm," he says. "I don't want to say this arrest is a drop in the bucket, but it's definitely not going to stop attacks on Facebook."
Referring to the arrests in seven nations, Jevans says, "Usually when we see something spread out like that, it tends to involve the guys who sell the stolen financial information, not the ones who created the botnets. Until you get to those guys, you're not going to see much impact."
Still, the problem with many internationally coordinated efforts is that they fail to catch and prosecute the ring leaders and malware developers, Jevans says. Thus, new malware variants continue to hit unsuspecting online users daily.
In the short-term, to truly curb financial fraud losses, banking institutions need to focus on strengthening authentication, says online security and phishing expert Neil Schwartzman, a vice president for secure messaging infrastructure provider Message Bus.
"Real two-factor authentication would have made a difference here, on the bank side and prevented some of the financial losses that resulted after PCs were infected," he says. "Within the next two to five years, we will see stronger authentication everywhere, because the banks are going to get sick of the losses."
Until the industry addresses the core issue - unsecure user behavior - the cyberattacks will continue, Schwartzman says. Users are too trusting when it comes to clicking on links, especially when contained within e-mails of friends or contacts.
"The key component here is that Facebook is a community among friends," he says. "If you wrote to me on Facebook, I would respond."
Criminals target Facebook because it's an easy venue through which to fool users.
"What makes this interesting is not that it's botnet-oriented, per se, but that the malware did not come from known IPs [Internet protocols]." Schwartzman says. "It came from the safe harbor of Facebook," so users trusted infected messages.
Other attacks also have exploited Facebook, Jevans says, and Facebook has responded by enhancing its security measures. But until users learn to be more suspicious of all online communications, malicious infections will continue to grow.
Role of Authentication
Still, stronger authentication implemented at the bank or credit union level for account access would have prevented some losses related to the Butterfly attack, Jevans and Schwartzman say.
"Stronger authentication, like what Google has implemented, is pretty darn effective," Jevans says.
Google's out-of-band authentication option for e-mail login requires users to enter one-time pass codes sent via SMS to their registered mobile devices. "It's not a panacea," Jevans says. "But it definitely makes these types of attacks harder to pull off."
Many institutions also are finding value in the free distribution of anti-malware and browser-security software to online-banking customers, he adds. Jevans estimates that about 30 million users in the U.S. and U.K. have installed browser-security software offered for free by their financial institutions.
"That has proven to be very effective," Jevans says. "The bad guys, as far as I can tell, have not really targeted security browsers. Both of those [anti-malware and secure browsing] are things banks are doing in addition to two-factor authentication. It's easier for customers to use and it protects them."