The next-generation Gozi Trojan threat that security vendor RSA warned about last week is real and requires response, experts say.
Meanwhile, the alleged hacktivist group calling itself Izz ad-Din al-Qassam - reportedly responsible for a series of distributed denial of service attacks against U.S. banks in September - announced in an Oct. 8 Pastebin post a new wave of DDoS attacks beginning Oct. 9, targeting Capital One Financial Corp., SunTrust Banks and Regions Financial Corp.
In light of these warnings and the resulting publicity, industry experts say banking institutions must be seen as taking the threats seriously.
"Being targeted for attack will be bad enough," says Shirley Inscoe, a fraud analyst at financial-services consultancy Aite. "Think how much worse a bank will appear to its clients if it received prior warning and took no action to ensure it is prepared" (see Banks Under Attack: PR Missteps).
Are Threats Connected?
In the wake of the RSA warning, one expert says the cybercrime group alleged to be behind the Gozi-variant threats that RSA's Mor Ahuvia blogged about Oct. 4 could be connected to the recent DDoS attacks. But Izz ad-Din al-Qassam, the hacktivist group behind the DDoS attacks, has denied that it is connected to the Gozi-variant threats.
Though the attack threats differ - one being DDoS, the other a man-in-the-middle banking Trojan designed to steal online credentials - Mike Smith of Akamai Technologies says the timing is suspicious.
"It leads me to believe that it's the same group and that they are trying creative ways to get around the fraud detection and prevention employed at the banks," Smith says.
One of the unique aspects noted by RSA's Ahuvia in her analysis of the anticipated Gozi-variant threat is that the group promoting the Gozi attack is openly recruiting hackers to join its ranks. That recruitment marks a first for an organized cybercrime gang, Ahuvia says.
"If a gang is privately developing its Trojan, it does not [typically] want to be sharing this with the whole world," she says. "So we've really never seen a gang like this."
Now, couple the timing of those September DDoS attacks and the Gozi threats RSA identified with the timing of the Oct. 8 post, and the coincidences seem too striking to overlook, Smith says.
"So why did they skip last week?" he asks. "Was it so they could focus on a longer effort of recruiting for the campaign that is in the RSA fraud alert? It almost seems like it."
While it's difficult to know how seriously the industry should take anonymous threats posted on sites such as Pastebin, the timing raises questions, Smith says.
Bracing for Attack
In light of the Gozi threat and the risk of account takeover, many industry experts say it's critical for institutions to strengthen their defenses through enhanced fraud detection and transaction-anomaly monitoring - layered security tenets of the FFIEC authentication guidance for U.S. banking institutions.
Inscoe says institutions should use the threats as an excuse to test their disaster recovery plans. "Best case scenario, the banks can take some precautionary measures and count it toward testing, if no attack materializes," she says.
Other industry experts are not quite so optimistic about banks' defenses.
Mike Angelinovich of online security solutions provider OHVA Inc. says most banks and credit unions will have a tough time detecting and fighting Gozi - one of the most sophisticated banking Trojans available on the black market.
"Three months ago, Gozi had a 0 percent detection rate," Angelinovich says. "I don't think that has changed much since June."
Stronger authentication, as prescribed by the FFIEC guidance, could improve the odds. But that's not something most institutions are prepared to launch, Angelinovich says.
"If financial institutions required another login, prior to any transfer, using strong multifactor authentication security, it would be very difficult for these attacks to succeed," Angelinovich says, especially if that multifactor solution were built around something the user has, not just something the user knows.
"An IP address or a cookie is not good enough," he adds. Any information a user has to input runs the risk of being keylogged.
Andreas Baumhof, a security executive at fraud-detection provider Threatmetrix, seems even less convinced institutions have many choices.
"The reality is that they have only limited options," Baumhof says. "Gozi is known to be able to defeat two-factor authentication. ... All financial institutions know that they are exposed to a greater risk; the problem is that they have no way of mitigating this risk."
Baumhof, however, says banks and credit unions can improve their Trojan detection by implementing more thorough reviews of online transactions. But for many institutions the review process is far too manual, which makes it time- and resource-consuming.
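To make the point about transaction review concrete, the following is an added illustration and not code from the article, RSA, Threatmetrix or any bank. It shows one way the manual review Baumhof describes can be narrowed: each outgoing wire transfer is scored against the account's own history (known beneficiaries, typical amounts, time since login, whether the session IP has been seen before) and only transfers above a threshold are routed to a human review queue. The account profiles, transfers, rule weights and threshold are all constructed for the example; the low weight given to the IP signal reflects Angelinovich's remark that an IP address or cookie alone is not a sufficient control.

```python
"""Rule-based wire-transfer triage: score each transfer against the account's
history and queue only suspicious ones for manual review.

Added illustration. All data, weights and thresholds below are constructed
assumptions, not figures from the article or from any vendor product."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    txn_id: str
    account: str
    beneficiary: str            # destination account identifier
    amount: float
    minutes_since_login: int    # how quickly after login the transfer was submitted
    session_ip_seen_before: bool


@dataclass
class AccountProfile:
    known_beneficiaries: Set[str]
    past_amounts: List[float]   # historical transfer amounts for this account


# Rule weights and the review threshold are assumptions for this illustration.
W_NEW_BENEFICIARY = 40
W_AMOUNT_OUTLIER = 30
W_THIN_HISTORY = 15
W_FAST_AFTER_LOGIN = 20
W_UNFAMILIAR_IP = 10      # kept low on purpose: an IP or cookie alone proves little
REVIEW_THRESHOLD = 50
MIN_HISTORY = 3           # below this many past transfers, amounts cannot be judged


def score_transfer(t: Transfer, p: AccountProfile) -> Tuple[int, List[str]]:
    """Return a risk score and the human-readable reasons that produced it."""
    score, reasons = 0, []
    if t.beneficiary not in p.known_beneficiaries:
        score += W_NEW_BENEFICIARY
        reasons.append("first transfer to this beneficiary")
    if len(p.past_amounts) >= MIN_HISTORY:
        mu, sd = mean(p.past_amounts), pstdev(p.past_amounts)
        # Flag amounts more than three standard deviations above the account's norm;
        # max(sd, 1.0) avoids a zero band when history is perfectly uniform.
        if t.amount > mu + 3 * max(sd, 1.0):
            score += W_AMOUNT_OUTLIER
            reasons.append(f"amount {t.amount:.2f} far above account history")
    else:
        score += W_THIN_HISTORY
        reasons.append("too little history to judge amount")
    if t.minutes_since_login < 2:
        score += W_FAST_AFTER_LOGIN
        reasons.append("transfer initiated within 2 minutes of login")
    if not t.session_ip_seen_before:
        score += W_UNFAMILIAR_IP
        reasons.append("session IP not seen before on this account")
    return score, reasons


def triage(transfers: List[Transfer],
           profiles: Dict[str, AccountProfile]) -> Dict[str, Tuple[str, int, List[str]]]:
    """Map each transfer id to (decision, score, reasons); unknown accounts get an empty profile."""
    out = {}
    for t in transfers:
        profile = profiles.get(t.account, AccountProfile(set(), []))
        score, reasons = score_transfer(t, profile)
        decision = "review" if score >= REVIEW_THRESHOLD else "auto"
        out[t.txn_id] = (decision, score, reasons)
    return out


def demo() -> Dict[str, Tuple[str, int, List[str]]]:
    """Constructed sample: one established account and one account with no history."""
    profiles = {
        "ACCT-1": AccountProfile({"BEN-001", "BEN-002"}, [1200, 950, 1100, 1300, 1000]),
    }
    transfers = [
        Transfer("T1", "ACCT-1", "BEN-001", 1150.0, 45, True),    # routine payment
        Transfer("T2", "ACCT-1", "BEN-999", 48000.0, 1, False),   # new payee, huge, rushed
        Transfer("T3", "ACCT-1", "BEN-777", 1200.0, 30, True),    # new payee, normal amount
        Transfer("T4", "ACCT-2", "BEN-001", 500.0, 10, True),     # account with no profile
    ]
    return triage(transfers, profiles)


if __name__ == "__main__":
    for txn, (decision, score, reasons) in demo().items():
        print(txn, decision, score, "; ".join(reasons))
```

The design choice worth noting is that the output carries the reasons alongside the score, so an analyst receiving a queued transfer sees why it was held rather than a bare number, and an account with no history is routed to review by default instead of being waved through.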
Ultimately, banks may have to absorb financial losses linked to attacks, Baumhof says, because it will be impossible for them to detect and stop everything coming their way.
"My fear is that banks that just did as much as they had to, or as much as the FFIEC told them, could now be in trouble," he says.
More about Gozi
Posts monitored by RSA in underground hacking forums suggest 30 top-tier U.S. institutions will be targeted in coming weeks by the new Gozi variant, which takes over accounts and then allows hackers to manually set up fraudulent wire transfers in real time.
RSA says the same group of hacktivists that's making the threat claims to have used Gozi to drain roughly $5 million from U.S. bank accounts since 2008. U.S. accounts are deemed more vulnerable than those at European institutions because few U.S. banks require two-factor authentication for wire transfers.
Akamai's Smith says the planned tactic of bombarding the banks, with Gozi attacks being launched by numerous hackers simultaneously, mirrors the method used in the September DDoS attacks.
"They are overwhelming the banks with volume, much like fish schooling together for safety; some will get caught, but the majority will evade capture," Smith says.
And Baumhof says all of this could just be testing for a much larger, organized attack down the road. "If we have problems right now, think about what we'll see once we see a proper attack."