Treasury Dept report confirms Tor network abuse in financial crimes

A non-public report realized by the US Treasury Department found that a majority of bank account takeovers exploits the anonymizing the Tor network.

A report from the U.S. Treasury Department found that a majority of bank account takeovers by cyber criminals, affected organizations over the past decade, exploited the anonymizing Tor network.

The news is shared by the popular cyber security expert Brian Krebs through its KrebsOnSecurity blog, the information come in a non-public report obtained by the specialist that was issued by the Financial Crimes Enforcement Network (FinCEN). The FinCEN is the Treasury Department bureau responsible for collecting and analyzing data about financial transactions with the intent to identify fraudulent activities and prevent financial crimes, its operation are decisive to fight money laundering and terrorist financing.

The report, dated December 2nd, 2014, examined 6,048 suspicious activity reports (SARs) filed by financial organizations between August 2001 and July 2014, focusing for those involving one of more than 6,000 known Tor network nodes. The findings are very interesting, 975 hits corresponding to reports totaling nearly $24 million in likely fraudulent activity.

“Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor related filings were rapidly rising,” the report concluded. “Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet [link added] found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses.”

The most concerning aspect of the report is the rapid rise in the number of SAR filings over the last year involving bank fraud tied to Tor nodes.

“From October 2007 to March 2013, filings increased by 50 percent,” the report observed. “During the most recent period — March 1, 2013 to July 11, 2014 — filings rose 100 percent.”

FinCEN confirmed that that majority of bank account takeovers was run through the Tor network, but financial institutions have not adopted any countermeasure. Only the three percent of organizations were aware of the connection through Tor network, the Identity Theft (44 percent) and Money Laundering (35 percent) are the predominant types of Suspicious Activity in Tor-related SARs.

“Our analysis of the type of suspicious activity indicates that a majority of the SARs were filed for account takeover or identity theft,” the report noted. “In addition, analysis of the SARs filed with the designation ‘Other revealed that most were filed for ‘Account Takeover,’ and at least five additional SARs were filed incorrectly and should have been ‘Account Takeover.’”

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley highlighted that despite traffic analysis could be effective against fraudulent transactions, the approach is unlikely to have a lasting impact on fraud due to the possible exploitation of other anonymizing techniques.

 “I’m not surprised by this: Tor is easy for bad actors to use to isolate their identity,” Weaver explained “Yet blocking all Tor will do little good, because there are many other easy ways for attackers to hide their source address.”

Fraudulent activities over the Tor network represent a threat to the network itself, traffic congested by botnet activities and the traffic ban operated by many ISPs, are just a few samples of possible negative effects on the Tor architecture.

“A growing number of websites treat users from anonymity services differently Slashdot doesn’t let you post comments over Tor, Wikipedia won’t let you edit over Tor, and Google sometimes gives you a captcha when you try to search (depending on what other activity they’ve seen from that exit relay lately),” explained in a blog post the Tor Project Leader Roger Dingledine. “Some sites like Yelp go further and refuse to even serve pages to Tor users.”

Unfortunately, the abuses of the Tor network have dramatic repercussions on its users and their benign usage.

Pierluigi Paganini

(Security Affairs –  Tor network, cybercrime)