RSA Warning, DDoS Attacks Linked?

Latest Threats Fuel Fears of More Attacks

By , October 9, 2012.
RSA Warning, DDoS Attacks Linked?

The next-generation Gozi Trojan threat that security vendor RSA warned about last week is real and requires response, experts say.

See Also: Stop Mobile Payment Fraud, Not Customers

Meanwhile, the alleged hacktivist group calling itself Izz ad-Din al-Qassam - reportedly responsible for a series of distributed denial of service attacks against U.S. banks in September - announced in an Oct. 8 Pastebin post a new wave of DDoS attacks beginning Oct. 9, targeting Capital One Financial Corp., SunTrust Banks and Regions Financial Corp.

In light of these warnings and the resulting publicity, industry experts say banking institutions must be seen as taking the threats seriously.

"Being targeted for attack will be bad enough," says Shirley Inscoe , a fraud analyst at financial-services consultancy Aite. "Think how much worse a bank will appear to its clients if it received prior warning and took no action to ensure it is prepared" (see Banks Under Attack: PR Missteps).

Are Threats Connected?

In the wake of the RSA warning, one expert says the cybercrime group alleged to be behind those Gozi-variant threats that RSA's Mor Ahuvia blogged about Oct. 4 could be connected to the recent DDoS attacks. But Izz al-Din al-Qasam, the hacktivist group behind the DDoS attacks, has denied that it's connected to the Gozi-variant threats.

Though the attack threats differ - one being DDoS, the other a man-in-the-middle banking Trojan designed to steal online credentials - Mike Smith of Akamai Technologies says the timing is suspicious.

"It leads me to believe that it's the same group and that they are trying creative ways to get around the fraud detection and prevention employed at the banks," Smith says.

One of the unique areas noted by RSA's Ahuvia, in her analysis of the anticipated Gozi-variant threat is that the group promoting the Gozi attack is openly recruiting hackers to join its ranks. That recruitment marks a first for an organized cybercrime gang, Ahuvia says.

"If a gang is privately developing its Trojan, it does not [typically] want to be sharing this with the whole world," she says. "So we've really never seen a gang like this."

Now, couple the timing of those September DDoS attacks and the Gozi threats RSA identified with the timing of the Oct. 8 post, and the coincidences seem too striking to overlook, Smith says.

"So why did they skip last week?" he asks. "Was it so they could focus on a longer effort of recruiting for the campaign that is in the RSA fraud alert? It almost seems like it."

While it's difficult to know how seriously the industry should take anonymous threats posted on sites such as Pastebin, the timing raises questions, Smith says.

Bracing for Attack

In light of the Gozi threat and the risk of account takeover, many industry experts say it's critical for institutions to strengthen their defenses through enhanced fraud detection and transaction-anomaly monitoring - layered security tenets of the FFIEC authentication guidance for U.S. banking institutions.

Inscoe says institutions should use the threats as an excuse to test their disaster recovery plans. "Best case scenario, the banks can take some precautionary measures and count it toward testing, if no attack materializes," she says.

Other industry experts are not quite so optimistic about banks' defenses.

Mike Angelinovich of online security solutions provider OHVA Inc. says most banks and credit unions will have a tough time detecting and fighting Gozi - one of the most sophisticated banking Trojans available on the black market.

"Three months ago, Gozi had a 0 percent detection rate," Angelinovich says. "I don't think that has changed much since June."

Stronger authentication, as prescribed by the FFIEC guidance, could improve the odds. But that's not something most institutions are prepared to launch, Angelinovich says.

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Obama Unveils Cyberthreat Info Sharing Plan

The president's proposal would provide stronger privacy protections than legislation passed by the...

Latest Tweets and Mentions

ARTICLE Obama Unveils Cyberthreat Info Sharing Plan

The president's proposal would provide stronger privacy protections than legislation passed by the...

The ISMG Network