The Cyberattack that Struck (or Didn’t Strike) Citibank (and Others)
On Tuesday the Wall Street Journal reported that the FBI is investigating a cyberattack at Citibank, in which tens of millions of dollars were stolen. In response, Citibank issued a carefully-worded denial of any breach to its systems. It’s conceivable that the FBI and Citibank are both correct — that a cyberattack did occur, and that there was no penetration of Citibank’s systems.
Whatever took place (or didn’t) at Citibank, it’s not in dispute that U.S. businesses have suffered massive losses this year as funds vanished inexplicably from bank accounts. Enormous sums of money – the FBI estimates $100 million in unauthorized transfers – simply evaporated, leaving both the banks and the customers mystified.
Initially, banks accused customers of sharing passwords. How else could this have occurred? In turn, customers, some of whom lost hundreds of thousands of dollars from one month to the next, accused the banks of fiduciary neglect.
In recent months, information security researchers have begun to piece together the extremely sophisticated cyberattack behind these thefts. The Zeus trojan, as an early variant was dubbed, is a criminal instrument which requires one to stand back in awe of its well-crafted capabilities.
Zeus and its many offspring originate far from the bank account. They start as packets of malicious code, planted by hackers on legitimate websites. Local newspaper sites, online retailers, and search engines are among the candidates to become unwitting hosts to the malware. Once a server is infected, it attempts to infect 100 percent of its visitors. John or Jane Business Owner browses the weather report at Daily Chronicle dot com, using the same workplace computer where banking transactions are done. All it takes is one click on the five-day forecast, or another innocent-looking link, and the malware is injected into John or Jane’s computer. This is called a drive-by download.
Some web surfers avoid infection, but many don’t. Zeus and friends are polymorphic, meaning they are engineered to evade traditional security tools by constantly changing their signatures, so that firewalls and anti-virus software don’t recognize them. They often get past the front gate. The trojans then lie in wait, primed for action at the first sign of a bank transaction, which – yes — they are engineered to recognize. (This is the simplest layer of the attack: the code includes a database of bank URLs, something easily compiled by searching Google.)
When it sees the user is logging on to a bank website, the malware comes to life. It records the user name and password, which it might send back to its human creator. But more likely, it rides along on the transaction, noting the amount, and executing a nearly-simultaneous transaction of its own while staying within a reasonable dollar range of the legitimate transactions. It then directs the funds to a predetermined bank account. Since businesses frequently conduct multiple fund transfers during their online banking sessions, the criminal activity is obfuscated. If the business issues 20 paychecks, 22 transfers would not draw undue attention at the bank.
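As an added example (not part of the original post), here is a detection heuristic for the pattern just described: a transfer to a never-before-seen payee whose amount sits inside the dollar range of the session's legitimate transfers. The session log, the payee allow-list and all account names are constructed for illustration.

```python
"""Added example: flag the "22 transfers among 20 paychecks" pattern.
Sample session log is constructed; account and payee names are invented."""
from collections import defaultdict

# Constructed sample: one online-banking session, one transfer per line.
# Format: session_id,timestamp,beneficiary_account,amount
SESSION_LOG = """\
S1,2009-08-14T09:00:01,EMP-001,1850.00
S1,2009-08-14T09:00:03,EMP-002,2100.00
S1,2009-08-14T09:00:04,EMP-003,1975.00
S1,2009-08-14T09:00:05,MULE-0987,1990.00
S1,2009-08-14T09:00:07,EMP-004,2050.00
S1,2009-08-14T09:00:08,MULE-0987,2010.00
S1,2009-08-14T09:00:09,EMP-005,1900.00
"""

# Beneficiaries this business has paid before (constructed allow-list).
KNOWN_PAYEES = {"EMP-001", "EMP-002", "EMP-003", "EMP-004", "EMP-005"}

def parse_log(text):
    """Group transfers by session; each entry is (timestamp, payee, amount)."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        sid, ts, payee, amount = line.split(",")
        sessions[sid].append((ts, payee, float(amount)))
    return sessions

def flag_piggyback(transfers, known_payees):
    """Return transfers to unknown payees whose amount falls inside the
    min..max range of this session's transfers to known payees.
    Blending into the legitimate range is exactly what the post says the
    trojan does, so 'in range' is a signal here, not reassurance."""
    legit = [amt for _, p, amt in transfers if p in known_payees]
    if not legit:
        return []
    lo, hi = min(legit), max(legit)
    return [(ts, p, amt) for ts, p, amt in transfers
            if p not in known_payees and lo <= amt <= hi]

def suspicious_sessions(log_text, known_payees):
    """Map session id -> flagged transfers; sessions with none are omitted."""
    out = {}
    for sid, transfers in parse_log(log_text).items():
        hits = flag_piggyback(transfers, known_payees)
        if hits:
            out[sid] = hits
    return out

if __name__ == "__main__":
    for sid, hits in suspicious_sessions(SESSION_LOG, KNOWN_PAYEES).items():
        print(sid, "->", hits)
```

In practice the allow-list would come from the account's transfer history, and a hit would hold the batch for out-of-band confirmation rather than silently releasing it.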
Weeks later, when the bank statement arrives, the fight to recover the funds begins. While consumers have 60 days to unwind a fraudulent transaction, businesses have only 48 hours. By the time the missing funds are noticed, it’s too late. Adding insult to injury, a new user name and password won’t deter further attacks. Recall that the malware is watching for the bank’s URL, and will record the user credentials no matter what they are. The whole process begins again.
And so it can be said, truthfully, that the bank’s systems have never been breached. They have not. The banks – many of them – have been indirect victims of cyberattacks on their customers. It might also be true, as Citibank asserts, that no account holder has lost money. In some cases, an insurer could step in to fill the void, leaving account holders unharmed.