DDoS to hide attacks against wire payment switch systems

Pierluigi Paganini August 22, 2013

Fraudsters are targeting the wire payment switch at US banks to steal millions, using DDoS attacks to divert attention from the fraudulent transactions.

Cybercriminals are targeting the wire payment switch itself rather than the bank accounts of individual customers and businesses; this appears to be the latest trend observed in recent attacks against numerous US banks.

The wire payment switch is the component that manages and executes wire transfers at a bank; its compromise is one of the worst attack scenarios a bank could suffer.

In spring 2013 the Dell SecureWorks Counter Threat Unit (CTU) published the ‘2012 Threatscape Report’, which highlighted that fraudsters had been using Dirt Jumper, a $200 crimeware kit for DDoS attacks, to divert bank staff attention away from fraudulent wire transactions.

“The CTU research team continues to observe growth and active development within the underground economy, both in offering DDoS as a service as well as creating DDoS kits usable by threat actors with any skill level. Dirt Jumper is the DDoS malware family most often encountered by CTU researchers, and it went through several iterations throughout 2012. While Dirt Jumper can still be found by its original name, the most recent version has been named Pandora. A number of other DDoS kits surfaced, such as YZF, DiWar, and ArmageddoN. Some of these kits turned out to be a rebranded version of Dirt Jumper. Others, such as BlackEnergy and Optima, remained in active use as well.”

In September 2012 the FBI, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3) issued a joint alert on the spread of the Dirt Jumper crimeware kit, which was being used to launch DDoS attacks against banks in order to hide fraudulent transactions.

“In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public Web site(s) and/or Internet Banking URL. The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer. One botnet that has been used for this type of distraction is the Dirtjumper botnet. Dirtjumper is a commercial crimeware kit that can be bought and sold on criminal forums for approximately $200.” states the report.

The tools used for these attacks are usually HTTP-based C2 botnets focused on DDoS and operating as multi-threaded processes. From their analysis of the DDoS C2 infrastructure, security experts found that it is globally distributed, with higher concentrations in Ukraine, the United States, and Russia.

[Figure: wire payment switch DDoS C2 infrastructure distribution]

All of these tools can identify targets by domain or IP address and support both HTTP and HTTPS. As noted many times before, cybercriminals can either build their own DDoS botnet from one of the numerous malware kits available on the black market or pay for a DDoS service run by other criminal gangs. According to security experts, cybercriminals are attacking the wire payment switch at several US banks to steal millions from accounts of their choice.

Usually cybercriminals attack bank customers directly, compromising their PCs with malware such as Zeus or the more recent KINS trojan to harvest online banking credentials and steal money from the victim’s bank account.

Gartner Research vice president Avivah Litan described the attackers’ tactics against at least three US banks: the cybercriminals used ‘low-powered’ distributed denial-of-service (DDoS) attacks as a diversion while they carried out fraudulent wire transfers, and the losses suffered by the institutions amounted to several millions.

“DDoS attacks are an increasingly popular method for criminals to divert bank security staff attention while defrauding bank systems. Until recently, most illegal money transfers were accomplished via account takeover – of either customer or employee accounts when the fraudsters moved money from customer accounts to their mules and eventually their own accounts.” wrote Litan in a blog post.

It is important to note that, according to Litan, the attacks did not appear to be linked to the campaign conducted by the hacktivist group known as Martyr Izz ad-Din al-Qassam Cyber Fighters, which hit several banking institutions in recent months.

The new wave of attacks is financially driven:

“It wasn’t the politically motivated groups,” she confirmed. “It was a stealth low-powered DDoS attack, meaning it wasn’t something that knocked their website down for hours.” The attacks “added up to millions [lost] across the three banks”.

Once the DDoS is underway, the attackers take over the payment switch itself (e.g. the wire application) using a legitimate privileged user account; in this way the cybercriminals control the master payment switch and can transfer as much money from as many accounts as they can get away with until they are discovered.

The attacks hit the financial institutions directly; although it is still not clear how the attackers obtained access to the wire payment switch, security experts believe that bank staff were targeted by a spear phishing campaign.

Having obtained the credentials of multiple employees, the cybercriminals gained privileged access rights on the wire payment switch and could “handle all aspects of a wire transaction, including the approval”.

To mitigate this type of attack, security experts suggest slowing down the money transfer system for the entire duration of a DDoS attack.
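The attack pattern described above (a privileged account handling every step of a wire while a DDoS is in progress) and the suggested mitigation can be combined into a simple review gate in front of the switch. The following Python is an added example, not code from the article or from any bank’s system; the wire record fields, the DDoS alert windows, the one-hour grace period and the hold threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Wire:
    wire_id: str
    ts: datetime        # when the wire was submitted on the switch
    initiator: str      # operator account that entered the wire
    approver: str       # operator account that approved it
    amount: float


def in_ddos_window(ts, windows, grace=timedelta(hours=1)):
    """True if ts falls inside a (start, end) DDoS window, widened by a grace
    period since the joint alert saw fraud both before and after the DDoS."""
    return any(start - grace <= ts <= end + grace for start, end in windows)


def review_wire(wire, windows, hold_threshold):
    """Return (decision, reasons) for one wire: 'release', 'hold' or 'block'.
    block: one account both initiated and approved the wire (the attackers
           'handled all aspects of a wire transaction, including the approval').
    hold:  wire at/above hold_threshold submitted around a DDoS window, parked
           for out-of-band confirmation (the 'slow the system down' mitigation).
    """
    reasons = []
    if wire.initiator == wire.approver:
        reasons.append("same account initiated and approved")
    if in_ddos_window(wire.ts, windows) and wire.amount >= hold_threshold:
        reasons.append("high-value wire during DDoS window")
    if "same account initiated and approved" in reasons:
        return "block", reasons
    return ("hold" if reasons else "release"), reasons


def review_batch(wires, windows, hold_threshold=50_000):
    return {w.wire_id: review_wire(w, windows, hold_threshold) for w in wires}


# Constructed sample data (not from the article): one DDoS window and four wires.
T = datetime(2013, 8, 1, 9, 0)
DDOS_WINDOWS = [(T + timedelta(hours=2), T + timedelta(hours=4))]
WIRES = [
    Wire("W1", T, "alice", "bob", 20_000.0),                                 # before DDoS
    Wire("W2", T + timedelta(hours=3), "carol", "dave", 120_000.0),          # large, mid-DDoS
    Wire("W3", T + timedelta(hours=3, minutes=5), "erin", "erin", 75_000.0),  # one account did all
    Wire("W4", T + timedelta(hours=4, minutes=30), "alice", "bob", 10_000.0),  # small, in grace
]
```

Run `review_batch(WIRES, DDOS_WINDOWS)` to see W1 and W4 released, W2 held for confirmation and W3 blocked for manual review.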

Banking institutions are advised … cybercriminals are refining their techniques.

Pierluigi Paganini

(Security Affairs – wire payment switch, cybercrime, banking)
