Lessons from High Roller Threat
Banks, Security Experts Respond to Emerging Schemes
High Roller attacks waged from the cloud caught the financial industry off guard in early 2012, proving that cybercriminals are always enhancing their attacks. But Chris Silveira, who manages fraud intelligence at Guardian Analytics, says banking institutions should not think about High Roller attacks as special malware schemes that should be fought in isolation.
In fact, the more banks and credit unions work to integrate and streamline the processes and strategies they use to fight High Rollers and any other malware or fraud threat, the better.
Silveira says institutions need the ability to accurately and quickly detect unusual behavior and transactions. If High Roller teaches institutions anything, it's that emphasis needs to be placed on the ability to detect and respond.
"Criminal activity is still different than legitimate user activity," he says. "No matter how hard the malware tries, it still cannot replicate the DNA of financial institutions' real users."
A report released by Guardian Analytics and McAfee describes new tactics cyberthieves use to wage High Roller attacks - hacks that target high-balance, "high-roller" accounts.
The High Roller attacks show the ingenuity and determination of criminals to make their attacks better, stronger and faster, Silveira says in an interview with Information Security Media Group's Tracy Kitten [transcript below]. To fight back, Silveira says banks and credit unions need to rely on layered security, an action called for by the Federal Financial Institutions Examination Council in its updated Authentication Guidance.
"Institutions taking a layered approach to security are the ones in the best position to protect themselves and their customers," he says. "Those not relying solely on authentication as a security strategy are the best positioned."
During this interview, Silveira discusses:
- How High Roller attacks are carried out;
- The roles layered security and customer awareness play in fighting ever-evolving threats; and
- How institutions can enhance account monitoring and detection.
Silveira is an information security and computer forensics professional with more than 14 years of experience in malware detection and prevention. Before joining Guardian Analytics, he worked for Silicon Valley Bank, where he created and managed the Computer Security Incident Response Team to minimize losses in the online channel. Silveira also spent 10 years at Electronic Arts, where he oversaw information security, incident response and computer forensics.
Operation High Roller
TRACY KITTEN: Guardian Analytics and McAfee recently joined forces to publish a report about Operation High Roller, which is a review of tactics cyber criminals are using to target high-value accounts. What can you tell us about Operation High Roller and the research your two firms put behind the report?
CHRIS SILVEIRA: Earlier in 2012, the fraud intelligence team at Guardian Analytics was doing research into new levels of automation and malware and noticed some unusual characteristics of the malware itself. This led the researchers to servers that sit in the cloud and direct fraudulent transactions. To help deepen the investigation and understand the scope of the attacks, McAfee agreed to join forces with Guardian Analytics and the two companies began investigating further. This is a very unique collaboration that combined traditional security and threat research offered by companies like McAfee with the deep banking fraud experience we hold. We not only were able to understand the penetration of the attacks across the world; we were really able to identify how the attacks work from installation of the malware all the way through the execution of the fraudulent transactions.
Attacks from the Cloud
KITTEN: High Roller attacks are targeting retail and commercial online accounts, but these attacks are primarily taking place in Europe, Latin America and the United States. These highly sophisticated attacks move away from typical man-in-the-browser attacks waged against PCs to attacks waged against servers which were initiated in the cloud. Why are these types of attacks from the cloud more concerning?
SILVEIRA: These automated servers or cloud-based attacks benefit criminals in multiple ways. They're more difficult to detect, they stay active longer and they provide enhanced levels of adaptability for criminals. So with less activity, communications and execution of logic and code on the client itself, this offers less for systems monitoring the client to detect. The new servers described in the research are purposefully used solely for driving fraudulent financial transactions, unlike botnets, which are typically used in ways that make them more readily discovered, for example sending out spam or distributed denial-of-service attacks, or compromising credentials. The dedicated fraud transaction server offers few and infrequent signals for both researchers and detection tools to find, leaving the servers active and functioning for weeks rather than days. Then, using a server-based approach, criminals can rapidly modify their attack code to adapt to any changes at the targeted financial institution, for example an online banking workflow, new security controls or the ability to attack new payment types, all without having to push out new code to every infected client, which increases the risk of detection. Also, if they need to move the server for any reason, they can dynamically adapt communications to the clients to avoid detection.
Is High Roller Unique?
KITTEN: How big of a deal are High Roller attacks? Some industry experts have suggested that the vectors exploited in High Roller attacks are not really so new, and if that's true, why are these High Roller attacks so concerning and why did Guardian Analytics and McAfee deem them worth covering in a report?
SILVEIRA: That's a really good question. Basically, what we're talking about is this is an evolution or an advancement of criminal attacks. Some parts are using existing techniques, for example how the malware gets on a victim PC, the malware's ability to automate certain tasks and the malware's ability to communicate with a remote server. What's new is the fact that the attacks are driven from a new server in the fraudster's arsenal, the fraud transaction server, rather than from the victim's PC. As we mentioned before, this provides them with a new level of scalability and adaptability and makes it harder to analyze and therefore more difficult to detect. We feel that any change in attack vectors is worth reporting. Financial institutions and their customers can only be prepared if they're fully informed of the full scope of attacks waged against them. As we've seen with some of the recent court cases like PATCO vs. Ocean Bank and Village View Escrow vs. Professional Business Bank, the courts are holding financial institutions to new levels of good faith and reasonable security. Preparation and being proactive is not just a security issue, but a business and reputation issue.
KITTEN: When we take a step back and look at some of these attacks, what unique security challenges do these cloud-based attacks pose? When it comes to automation, maybe that's what makes them so unique.
SILVEIRA: Well with this, most of the activity is happening from the server rather than from the victim's PC. Basically, it makes it harder for security researchers and security teams to understand what's happening, and this of course makes it more difficult in general to identify and stop the attacks. Also, since the servers are being built for one thing and one thing only - executing fraudulent transactions - they can stay under the radar longer than other criminal servers used to serve up other kinds of attacks, like I mentioned earlier, sending out spam or directing and distributing denial-of-service attacks. And I think it's important to point out that while not unique to the server-based approach, these attacks know how to effectively circumvent a broad range of multi-factor authentication.
Getting Around Multi-Factor
KITTEN: That's a good point that you raised about multi-factor authentication. How are these attacks circumventing multi-factor authentication?
SILVEIRA: What these attacks are able to do is once the server gets involved and starts executing its attack, it's able to essentially automate different pieces of the authentication flow upfront for the user. So say for example when a user begins the authentication process at their financial institution, the server itself is able to understand that there may be some piece of multi-factor authentication that's required later on, maybe at the execution of a transaction, and so what it's able to do is interrupt the authentication flow to be able to insert that piece of information that it needs to gather up front so that it can then later on go through and execute the transaction on its own entirely.
KITTEN: How are fraudsters determining which accounts to target if they're only targeting these so-called High Roller accounts? How do they determine where those accounts are located?
SILVEIRA: The criminals were going after high balance accounts, either wealthy individual consumers or large-dollar commercial accounts. How did they know? The malware would automatically perform account balance checks before proceeding further, so the fraudsters were able to programmatically insert into these fraud transaction servers the account balances that they were looking to take advantage of so that when the malware was able to go back and check the balances, the transaction server would know that this is a specific target that the fraudsters are interested in.
KITTEN: I would like to go back and talk a little bit about the high level of agility that these attacks have. Why are banking institutions so ill-equipped to detect and fight these types of attacks?
SILVEIRA: Let me flip that around and talk about it in the context of those that are equipped to actually detect and fight these attacks. Institutions taking a layered approach to security are the ones in the best position to protect themselves and their customers. Those not relying solely on authentication as a security strategy are the best positioned. For example, institutions that can accurately and quickly detect unusual behavior and transactions will have a good chance to spot these attacks. This is why in the Internet banking security guidance supplement released last year, the FFIEC called for anomaly detection as a minimum expectation for layered security.
KITTEN: You've talked about anomaly detection, but what other technology solutions can and should banking institutions invest in to help fight back or detect some of these attacks?
SILVEIRA: I think it all boils down to taking a layered approach to security, particularly putting emphasis on the ability to detect and respond to unusual behavior in the account. Then again, it's also about educating customers on the signs that this type of malware is in operation to begin with. For example, customers should be on high alert and contact their institutions if they attempt to log in and are presented with say, for example, "please wait" or "online banking under maintenance" kind of messages that are normally out of context with the application flow of that particular financial institution.
KITTEN: In the grand scheme of the war on malware, what lessons should Operation High Roller teach us?
SILVEIRA: Well first, criminals are continuously enhancing their attacks to be better, stronger and faster at stealing money. They're investing in these attacks. Financial institutions also need to continue to invest in defenses. However, financial institutions should not try to build defenses on an attack-by-attack basis. Then second, criminal activity is still different than legitimate user activity. No matter how hard the malware tries, it still cannot replicate the DNA of financial institutions' real users. You can detect unusual activity this way. And this is one new thing that's piled on to the existing attacks that are still out there and that haven't gone away. Financial institutions need to be prepared to defend against these highly automated and still very manual attacks as well. Then the final point is that banks of all sizes were attacked with this. As a financial institution, you can never assume you won't be hit.
Improving the Online World
KITTEN: Where can the online world make improvements?
SILVEIRA: There it's all about vigilance. I mean it really is. For online users, it's no longer just about keeping your PC up to date with the latest anti-virus or not clicking on links in e-mails or in social networking sites. Criminals are really good at getting malware onto PCs in very clever ways. The APWG, the Anti-Phishing Working Group, estimates that about 39 percent of PCs out there are infected with some type of malware. This means that end-users need to be vigilant about their machines, but they also need to pay attention and recognize the signs that something might be wrong, specifically when they log in to their online banking.
Then for financial institutions specifically offering online and mobile services, vigilance there translates into being more proactive and taking ownership of addressing these problems. Financial institutions are in a much better position to fight these attacks than businesses or consumers alone. It's truly an opportunity to build a shared approach to online security.