
FBI is on the lookout for financial losses unrelated to fiscal cliff


Fiscal cliff or not, the government will be scanning the financial markets for signs of million-dollar losses in 2013, as a cyber posse threatens to empty consumer accounts at U.S. banks.

Data security firm RSA in October uncovered one of the largest organized plots to hijack online banking transfers, dubbing the gambit “Project Blitzkrieg.” Researchers figured out the type of virus in play by observing subversive chatroom discussions. Since 2008, this form of malicious software has stolen $5 million from American bank accounts.

This month, a McAfee white paper classified the ongoing activity as a credible threat. Researchers at the antivirus firm, however, say the Justice Department and Secret Service -- responsible for investigating financial crimes -- are likely to have tools in place to finger the perpetrators, who are expected to act by spring 2013.

“They really have put in the processes and expertise to go after these criminals,” Ryan Sherstobitoff, author of the McAfee Lab report, said in an interview. “Where there is evidence of wrongdoing, the FBI has really advanced in the last five years to deal with the cyber threat.”

The malware apparently copies to a remote server all the settings on a victim’s PC so that the bank’s website cannot distinguish between the con artist’s and the legitimate customer’s transactions. The malware replicates the victim’s time zone, screen resolution, browser type, and software product characteristics, among other things.

Sherstobitoff said he does not have inside knowledge about the FBI’s procedures for this case, but he is familiar with how researchers have helped authorities during previous cases. “Typically it’s a game of connecting the dots,” he said. Experts look for observable data such as the IP address -- the network location -- of machines used in a hack, online identities, and banking transaction logs. With this information, they can follow the assailant’s online footsteps.
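As an added illustration (not code from the article, RSA or McAfee), the following simplified bank-side check shows why a cloned device fingerprint passes a fingerprint-only comparison, and how correlating the session's network location and the transaction itself against the customer's history still surfaces the fraudulent transfer. All customer data, fingerprints, IP addresses and thresholds are constructed for the example.

```python
# Added example: a simplified session risk check for a bank's transfer endpoint.
# All profile data, fingerprints and IP addresses are constructed, not real.
from dataclasses import dataclass
import ipaddress

@dataclass
class Profile:
    fingerprint: dict        # device attributes recorded for the customer
    known_networks: set      # /24 networks seen in past logins
    known_payees: set        # payees transferred to before
    typical_max_amount: float

def fingerprint_matches(profile, session_fp):
    """A fingerprint-only check: a perfect clone passes this."""
    return profile.fingerprint == session_fp

def session_risk(profile, session_fp, client_ip, payee, amount):
    """Return (score, reasons); higher score means a riskier transfer.
    Device fingerprint, network location and transaction history are
    scored together so a cloned fingerprint alone does not clear the session."""
    score, reasons = 0, []
    if not fingerprint_matches(profile, session_fp):
        score += 2; reasons.append("device fingerprint differs")
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    if net not in profile.known_networks:
        score += 2; reasons.append(f"login from new network {net}")
    if payee not in profile.known_payees:
        score += 1; reasons.append("transfer to new payee")
    if amount > profile.typical_max_amount:
        score += 2; reasons.append("amount exceeds typical maximum")
    return score, reasons

# Constructed customer profile
VICTIM = Profile(
    fingerprint={"tz": "America/Chicago", "screen": "1920x1080",
                 "browser": "Firefox 17", "os": "Windows 7"},
    known_networks={ipaddress.ip_network("203.0.113.0/24")},
    known_payees={"utility-co"},
    typical_max_amount=2000.0,
)
# The malware replicates the victim's settings exactly
CLONED_FP = dict(VICTIM.fingerprint)

if __name__ == "__main__":
    print(fingerprint_matches(VICTIM, CLONED_FP))            # passes: True
    # same fingerprint, but a new network, a new payee and a large amount
    print(session_risk(VICTIM, CLONED_FP, "198.51.100.77", "mule-acct", 9500.0))
```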

Another way to ID the suspect: If the individual is not using a virtual private network and then connects to a social network, like Facebook, authorities can obtain online activity logs from the perp’s Internet service provider and the social media company to tag the culprit. “This really only happens if the activity first off is monitored and can be correlated with actual malicious activity and [the] activity of accessing a social media site from the same location,” Sherstobitoff said.

The virus obtains sensitive details from customers that are necessary to mimic user settings through so-called man-in-the-middle attacks that invisibly redirect customers to a password-stealing website during their online banking sessions.

The sleuthing is all about “putting together the real name to the underground virtual identity,” Sherstobitoff said.

In recent crackdowns on hacktivists, FBI court papers chronicled how agents successfully used public data and warranted digital surveillance to identify the real identities of tricksters.

Once, for instance, the feds detected public signals broadcasting from a wireless router inside a Chicago building known to be the suspect’s residence, according to legal filings. Through other signals, they determined the media access control, or MAC, address of the computer tied to the router. A MAC address is a unique serial number for hardware that often identifies the device’s manufacturer, which in this case was Apple. A cooperating witness knew the suspect used a MacBook. He then reported to the authorities that the suspect was online at the time they identified the computer’s signals—helping confirm the device and the accused person’s computer were one and the same.

McAfee researchers anticipate Justice will employ some of the same maneuvers to prosecute any potential cyber thieves.

Based on the chatter seen so far, recent publicity is expected to prompt the gang to change its game plan but still pull off heists of the same magnitude. The media attention “probably is going to decrease the likelihood of it happening as how they originally envisioned it,” but the attack likely will hit with the same severity as intended, Sherstobitoff said.

Regardless of whether a crime goes down, federal agents are on the lookout, according to RSA’s experts.

“The move is both risky and peculiar considering recent law enforcement operations in the underground leading to extensive fraudster arrests by the FBI,” Mor Ahuvia, an RSA cybercrime communications specialist, wrote back in October, when the firm first chronicled the conspiracy. 
