Fraudsters are increasingly using distributed-denial-of-service attacks to distract institutions during account takeover and other fraudulent schemes, says fraud prevention expert Avivah Litan of the consultancy Gartner.
"When you're under attack, all eyes are on the attack, and there's not as many resources paying attention to other parts of your system," Litan says in this interview with Information Security Media Group [transcript below]. "You may even have alarms going off that you just don't have time to pay attention to, because most of the alarms that go off still have to be investigated manually."
That distraction is what's valuable to fraudsters, she says. Recent account takeover schemes, for instance, have involved taking control of a banking institution's payment switch in the midst of a DDoS attack. Those takeovers have likely led to millions of dollars' worth of fraud, Litan estimates.
And while DDoS attacks are not new, they have only recently emerged as tools used to cover up fraud, Litan says.
During this interview, Litan discusses:
- Lessons fraudsters have learned from the hacktivist group Izz ad-Din al-Qassam Cyber Fighters about waging effective DDoS attacks;
- Why using DDoS attacks as a distraction for fraud is a focus for criminal groups; and
- A review of al-Qassam's fourth phase of DDoS against U.S. banks.
Litan is an analyst at Gartner and a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry and is a Gartner Research vice president. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.
New Account Takeover Scheme
TRACY KITTEN: The takeover of the payment switch, rather than individual accounts, is much more lucrative for the fraudster. Why?
AVIVAH LITAN: It's because they don't have to go through an individual account that has a finite amount of money in it one at a time. They can just go to a central administrative account that manages multiple accounts, so they have the ability to move money from many accounts at once to many other accounts or to a single account. The difference is that instead of one at a time, you can do many at a time.
KITTEN: Do you know exactly how the switch is taken over?
LITAN: The switch is a piece of software like anything else in the banking industry, so I don't know how this was taken over. But I imagine it was done through some kind of administrative account that has access to the software. It's a little bit like the breaches you've been covering in the retail industry, where the bad guys go in and take over a point-of-sale system through the administrative accounts. It's very similar to that in concept. My guess is that they went in through an administrative account with privilege and just took over the software.
KITTEN: Does this privileged user have to be compromised in advance of the attack?
LITAN: Yes. There are two ways they could have gotten into the system. One is through the privileged account, and yes it would have to be taken over through some type of advanced threat that could have been put on the system through a spear-phishing scheme or some other, more secretive, kind of scheme with a USB drive. I'm not sure, but the only way they could get data and money out of the system is either through a privileged account or directly through the database. Someone can issue direct commands to a system that could evade detection. In other words, just go straight to the file and create some false entries. The likelihood, I would think, is that the criminals just got ahold of an account and escalated privileges or just took over an existing privileged account. That's the common way they do it.
Masking Takeovers with DDoS
KITTEN: How is DDoS being used to mask these types of takeovers?
LITAN: DDoS is a distraction, so when you're under an attack, all eyes are on the attack, and there's not as many resources paying attention to other parts of your system. You may even have alarms going off that you just don't have time to pay attention to, because most of the alarms that go off still have to be investigated manually.
Origin of Scheme
KITTEN: In a blog that you posted recently about this takeover of the payment switch, you noted that it's a relatively new trend. When did the trend emerge and how many banking institutions are you aware of that have been targeted?
LITAN: I've heard about this in the last three to six months, and it was less than a handful of banks that I heard about. But there could be more. I'm not really sure. It's something people don't really like to talk about.
KITTEN: Do you have any idea how much money has been lost?
LITAN: No, I really can't add it up. I know that it was substantial, and my guesstimate is that it's millions, probably about $10 million across three banks; but that's just an educated guess. It's something that I don't really like to drill into. It's a pretty private situation.
KITTEN: Do you know how long it took these banking institutions to identify the fraud?
LITAN: It took less than a day.
New Threats to the Industry
KITTEN: From your perspective, what does this new takeover scheme signify for the industry?
LITAN: I think if you look at the trend, there are certainly more groups taking advantage of DDoS. It's a little bit like the copycat syndrome. But also, if you look at the trends in account takeovers, they're just getting deeper into the systems. They started out with customer accounts. Actually, first they started out with consumer accounts and then they moved into business accounts. Then they moved into bank employee accounts and now they're moving into privileged accounts that have access to the payment system. If we continue to follow this trend, I think we'll see more of this type of attack.
The next step, if they can pull it off, would be to get into the payment networks themselves. Instead of just going after one bank at a time, they'd go after many banks at a time. It's harder and harder to get into the nerve of the payment system, but that's where they look like they're headed.
Mitigating the Attacks
KITTEN: What should banking institutions and payment networks be doing to stay vigilant?
LITAN: Most banks are really paying a lot of attention to these attacks and are beefing up their DDoS defenses. I think they've done a really good job in the last six months. Of course, we all need to do more organizationally. There have been issues of coordination, because many of the institutions getting attacked have lots of different departments that work on the same related problems, so organizationally they need to sync up; and they are syncing up. They just need to keep putting more controls in.
In this case, I don't like to simplify it. A control that says when you're under DDoS attacks, slow down your wire transfers until the attack is over could help. Unfortunately, none of us have a crystal ball to forecast the new fraud trends. Most of the time, it's reactive and you put a rule in once you see a new fraud trend. There really aren't good predictive models that can predict new fraud trends. You may get caught the first or second time; but then after that, you can put the rules in to stop it.
al-Qassam Cyber Fighters
KITTEN: al-Qassam Cyber Fighters waged attacks against U.S. banks for nearly a year. Do you think we can expect a shift, with attacks being aimed at other industries?
LITAN: I'm not plugged in enough to really answer that properly. I don't know what's going on in the Iranian government. I think that the banks rightfully expected al-Qassam to come back after the Iranian election, and they did. But, as you mentioned, it's been lackluster and maybe the new regime just isn't as interested in it. ...
But I think from a fraud-prevention standpoint, we can expect more copycat attacks. DDoS has been around for a long time. What's changed is using DDoS as a cover-up to commit fraud, and also these very high-bandwidth DDoS attacks and application-layer DDoS attacks. This new generation of DDoS we saw with al-Qassam did spawn a whole new genre. I think that new level will continue to be used - all these different types of attacks, such as application layer - as a distraction for fraud and also the high bandwidth attacks. In terms of al-Qassam itself, it seems like they're fading, and hopefully they are; but they left behind a trail of destruction that other people are happy to pick up and run with.
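As an added illustration that is not part of the interview, here is how the compensating control Litan describes under "Mitigating the Attacks" (hold or slow wire transfers while a DDoS incident is open, with extra scrutiny for privileged accounts and bulk instructions touching many accounts at once) could be expressed as a triage rule. The roles, thresholds and sample transfers are constructed for the example and are not figures from the interview.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Transfer:
    txn_id: str
    initiated_by: str      # user id that submitted the instruction
    role: str              # "customer", "business", "employee" or "admin"
    accounts_touched: int  # distinct source accounts moved by one instruction
    amount: float
    at: datetime

@dataclass
class DdosIncident:
    start: datetime
    end: Optional[datetime] = None   # None while the attack is still ongoing

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t <= self.end)

# Assumed thresholds, constructed for this example.
BULK_ACCOUNT_LIMIT = 5
LARGE_WIRE_USD = 50_000.0

def decide(transfer: Transfer, incident: Optional[DdosIncident]):
    """Return ("release" | "hold", reason). A hold parks the wire for manual
    review instead of letting it clear while analysts are busy with the DDoS."""
    if incident is None or not incident.active_at(transfer.at):
        return "release", "no active DDoS incident"
    if transfer.role == "admin":
        return "hold", "privileged (switch-level) account moving money during DDoS"
    if transfer.accounts_touched >= BULK_ACCOUNT_LIMIT:
        return "hold", f"bulk instruction over {transfer.accounts_touched} accounts during DDoS"
    if transfer.amount >= LARGE_WIRE_USD:
        return "hold", "large wire during DDoS"
    return "release", "ordinary wire; DDoS active but below hold thresholds"

def triage(transfers, incident):
    """Map each txn_id to its (decision, reason)."""
    return {t.txn_id: decide(t, incident) for t in transfers}

# Constructed sample: a six-hour incident and four wires around it.
T0 = datetime(2013, 8, 1, 9, 0)
INCIDENT = DdosIncident(start=T0, end=T0 + timedelta(hours=6))
SAMPLE = [
    Transfer("t1", "cust-17", "customer", 1, 1_200.0, T0 + timedelta(minutes=30)),
    Transfer("t2", "ops-admin", "admin", 1, 900.0, T0 + timedelta(hours=1)),
    Transfer("t3", "biz-42", "business", 12, 8_000.0, T0 + timedelta(hours=2)),
    Transfer("t4", "biz-42", "business", 1, 75_000.0, T0 + timedelta(hours=7)),
]
```

Only the admin-initiated wire and the twelve-account bulk instruction are held; the small customer wire clears, and the large wire submitted after the incident closed clears because the rule is scoped to the attack window.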