Zeus Thieves Raid Bank Accounts To Rob Jewellers

FBI warns of spear-phishing that Zeus loots victims’ bank accounts, stealing jewellery on the way

The US Federal Bureau of Investigation (FBI) has warned of an elaborate spear-phishing campaign that wires money out of victims’ accounts under the cover of a distributed denial-of-service (DDoS) attack against the bank. Part of the wired loot is redirected to buy jewellery which is collected by a money mule before the wired cash mysteriously disappears.

The new spear-phishing campaign masquerades as emails from the National Automated Clearing House Association (NACHA) and downloads a variant of the Zeus banking Trojan onto the victim’s computer, the FBI Denver Cyber Squad said in its warning issued on 23 November.

DDoS smoke screen

The malware steals the user’s online banking credentials and launches a DDoS attack on the financial institution to hide the fact that it is also transferring money out of user accounts. The DDoS attacks may also make it difficult for the financial institution to stop or reverse the transfers even if they are detected in time.

The email informs the recipient that there was a problem with a transaction at their bank and it was not processed. By clicking on the link in the email, the recipient is directed to a Website that downloads the Zeus variant called “Gameover” to the recipient’s computer, the FBI warned. Gameover is capable of logging keypresses to steal banking credentials as well as having the ability to defeat several forms of two-factor authentication mechanisms banks may be employing.

The new spear-phishing campaign involves “personal and business bank accounts, financial institutions, money mules and jewellery stores”, according to the warning.

Attackers are becoming increasingly smart and stealthy in their DDoS methods, Mike Paquette, chief strategy officer at Corero Network Security, told eWEEK. While a brute-force or flooding type of DDoS attack can be relatively easy to identify, it requires high-performance and sophisticated real-time analysis to recognise and block attack traffic while simultaneously allowing legitimate traffic to pass, according to Paquette.

Application layer attacks, such as the one posed by the recent Apache Killer, are “more insidious” and require the financial institution to have a thorough understanding of the typical behaviour and actions of their actual customers, he said.

Paquette suggested that financial institutions should automate DDoS defence to create user profiles to identify suspicious traffic, much in the same way automated credit card fraud-detection technologies look for unusual spending activity.

Glittering prises

A portion of the wire transfers is being transmitted directly to high-end jewellery stores, according to the warning. The criminals contact a jeweller looking for precious stones and luxury watches. They promise to wire the money directly to the jeweller’s account and someone will come to pick up the merchandise.

Once the fraudulent wire transfers are complete, a money mule comes to the actual store to pick up thousands of dollars of goods, the FBI said. Even though the transaction is reversed when the fraud is discovered, the jeweller is unable to recover the goods.

DDoS attacks against high-profile targets are generally perpetuated by intelligent, determined and persistent adversaries, and this “new breed” of attackers will switch to different sources and methods as necessary, Paquette said. Therefore, advance preparation is key to being able to respond to these DDoS attacks effectively, Paquette said. A response plan lists the steps the institution should take during a DDoS attack.

Hiding malicious activity by distracting the defenders with a DDoS attack is not new. The perpetrators who breached Sony’s PlayStation Network and Sony Online Entertainment services earlier this year appear to have taken advantage of the fact that the entertainment giant’s IT staff was busy trying to contain the DDoS attacks that had been launched by the Anonymous hacktivists.

Institutions should not rely on just the Internet service providers to be able to mitigate the DDoS attack, but should deploy technology in-house to serve as the front-line defence against both flooding type and application-layer DDoS attacks, according to Paquette. DDoS mitigation tools need to be deployed alongside monitoring services so that organisations can rapidly identify and react to sustained attacks.

“Continuous and automated monitoring is required in order to recognise an attack, sound the alarm and initiate the response plan,” Paquette said.