
FBI is on the lookout for financial losses unrelated to fiscal cliff


Fiscal cliff or not, the government will be scanning the financial markets for signs of million dollar losses in 2013, as a cyber posse threatens to empty consumer accounts at U.S. banks.

Data security firm RSA in October uncovered one of the largest organized plots to hijack online banking transfers, dubbing the gambit “Project Blitzkrieg.” Researchers figured out the type of virus in play by observing subversive chatroom discussions. Since 2008, this form of malicious software has stolen $5 million from American bank accounts.

This month, a McAfee white paper classified the ongoing activity as a credible threat. Researchers at the antivirus firm, however, say the Justice Department and Secret Service -- responsible for investigating financial crimes -- are likely to have tools in place to finger the perpetrators, who are expected to act by spring 2013.

“They really have put in the processes and expertise to go after these criminals,” Ryan Sherstobitoff, author of the McAfee Lab report, said in an interview. “Where there is evidence of wrongdoing, the FBI has really advanced in the last five years to deal with the cyber threat.”

The malware apparently copies to a remote server all the settings on a victim’s PC so that the bank’s website cannot distinguish between the con artist’s and the legitimate customer’s transactions. The malware replicates the victim’s time zone, screen resolution, browser type, and software product characteristics, among other things.

Sherstobitoff said he does not have inside knowledge about the FBI’s procedures for this case, but he is familiar with how researchers have helped authorities during previous cases. “Typically it’s a game of connecting the dots,” he said. Experts look for observable data such as the IP address -- the network location -- of machines used in a hack, online identities, and banking transaction logs. With this information, they can follow the assailant’s online footsteps.

Another way to ID the suspect: If the individual is not using a virtual private network and then connects to a social network, like Facebook, authorities can obtain online activity logs from the perp’s Internet service provider and the social media company to tag the culprit. “This really only happens if the activity first off is monitored and can be correlated with actual malicious activity and [the] activity of accessing a social media site from the same location,” Sherstobitoff said.

The virus obtains sensitive details from customers that are necessary to mimic user settings through so-called man-in-the-middle attacks that invisibly redirect customers to a password-stealing website during their online banking sessions.
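The cloned fingerprint described above defeats the browser-side check, but it does not clone the network the session arrives from, which is the first "dot" investigators connect. The following detection logic is an added example, not code from the article or from McAfee or RSA: it replays constructed login records and flags sessions whose fingerprint (time zone, screen resolution, browser) matches the account's baseline while the source address falls outside every network the account established earlier. It assumes the fraudster is not tunnelling through the victim's own connection.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample login records (not from the article): the bank logs the
# browser-side fingerprint it collects plus the address the session came from.
SAMPLE_LOGINS = [
    "2013-01-05T09:12:00 acct=1001 tz=-05:00 res=1440x900 ua=Safari/6.0 ip=203.0.113.14",
    "2013-01-06T18:40:00 acct=1001 tz=-05:00 res=1440x900 ua=Safari/6.0 ip=203.0.113.21",
    "2013-01-07T03:05:00 acct=1001 tz=-05:00 res=1440x900 ua=Safari/6.0 ip=198.51.100.77",
    "2013-01-07T10:15:00 acct=1001 tz=-05:00 res=1440x900 ua=Safari/6.0 ip=203.0.113.14",
    "2013-01-07T11:00:00 acct=1002 tz=-08:00 res=1920x1080 ua=Chrome/23 ip=192.0.2.9",
]


def parse_login(line):
    """Turn one 'key=value' log line into a dict; the leading token is the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def fingerprint(rec):
    """The settings the malware replicates: time zone, resolution, browser."""
    return (rec["tz"], rec["res"], rec["ua"])


def flag_cloned_sessions(lines, baseline_logins=2):
    """Return (timestamp, account, ip) for every login whose fingerprint matches
    the account's baseline but whose address lies outside every /24 the account
    logged in from during its first `baseline_logins` sessions.
    A matching fingerprint from an unknown network is exactly the case the
    browser-side check cannot see; the network origin is the tell."""
    profiles = defaultdict(lambda: {"fps": set(), "nets": set(), "n": 0})
    flagged = []
    for rec in map(parse_login, lines):
        prof = profiles[rec["acct"]]
        addr = ip_address(rec["ip"])
        fp = fingerprint(rec)
        if prof["n"] < baseline_logins:
            # Learning phase: record the fingerprint and the /24 it came from.
            prof["fps"].add(fp)
            prof["nets"].add(ip_network(f"{addr}/24", strict=False))
            prof["n"] += 1
            continue
        known_net = any(addr in net for net in prof["nets"])
        if fp in prof["fps"] and not known_net:
            flagged.append((rec["ts"], rec["acct"], rec["ip"]))
    return flagged
```

The baseline of two logins is a constructed threshold; a real bank would use a longer history and an ASN or geolocation lookup rather than a bare /24.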

The sleuthing is all about “putting together the real name to the underground virtual identity,” Sherstobitoff said.

In recent crackdowns on hacktivists, FBI court papers chronicled how agents successfully used public data and warranted digital surveillance to identify the real identities of tricksters.

Once, for instance, the feds detected public signals broadcasting from a wireless router inside a Chicago building known to be the suspect’s residence, according to legal filings. Through other signals, they determined the media access control, or MAC, address of the computer tied to the router. A MAC address is a unique serial number for hardware that often identifies the device’s manufacturer, which in this case was Apple. A cooperating witness knew the suspect used a MacBook. He then reported to the authorities that the suspect was online at the time they identified the computer’s signals—helping confirm the device and the accused person’s computer were one and the same.

McAfee researchers anticipate Justice will employ some of the same maneuvers to prosecute any potential cyber thieves.

Based on the chatter seen so far, recent publicity is expected to prompt the gang to change its game plan while still pulling off heists of the same magnitude. The media attention “probably is going to decrease the likelihood of it happening as how they originally envisioned it,” but likely will hit with the same severity as intended, Sherstobitoff said.

Regardless of whether a crime goes down, federal agents are on the lookout, according to RSA’s experts.

“The move is both risky and peculiar considering recent law enforcement operations in the underground leading to extensive fraudster arrests by the FBI,” Mor Ahuvia, an RSA cybercrime communications specialist, wrote back in October, when the firm first chronicled the conspiracy. 
