Agencies could be prone to new kind of sophisticated cyberattack

Federal computer networks are vulnerable to the same type of sophisticated cyberattack that recently cost a global bank more than $1 million in a month, according to a security company official.

Hackers used a "man-in-the-browser" attack to steal a total of $1,077,000 from about 3,000 customers of a large financial institution between July and August, a report released by M86 Security on Tuesday indicated. In such attacks, the perpetrator installs on the victim's computer Trojan horse software capable of modifying Web transactions in real time. The report did not name the bank because an investigation is currently under way, but said the victims were located primarily in the United Kingdom.

While big payouts often are the motivation for man-in-the-browser attacks, hackers could use a similar strategy to steal classified or other sensitive information from federal agencies, said Bradley Anstis, vice president of technology strategy for M86 Security.

"Any websites that [enable] large financial transactions or [the exchange] of sensitive information, of which government has quite a few, are at risk of this type of cyberattack," Anstis said. He noted advanced security controls, including multifactor authentication, won't protect systems from man-in-the-browser attacks, because the software running on infected machines "looks over the shoulders" of users who have the appropriate credentials.

Unlike phishing attacks, which infect computers when users click on a malicious link in an e-mail, man-in-the-browser attacks load malware onto computers when users visit legitimate websites that also have been compromised, typically via third-party advertisements. The Trojan horse remains dormant on the infected computer until users visit a particular site -- in this case their financial institution -- and enter credentials to access their account.

As a user logs in, the perpetrator uses the malware to gain account access, intercept transactions and manipulate requests. If a user requests a money transfer to pay rent, for example, the hacker will reroute funds to an external account; when the bank asks for authorization for the transfer, the malware routes the request back to the user, who enters the required information, "assuming that the bank is doing a great job at protecting his or her information," Anstis said. The malware even allows the perpetrator to adjust the user's balance online and in downloaded PDF documents as needed, to evade detection.
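The two paragraphs above (Anstis's point that multifactor authentication does not stop this, and the description of the rerouted transfer being sent back to the user for authorization) come down to one question: what does the user's second-factor code actually cover? The following simulation is an added example, not code from the article, from M86 Security, or from any bank. It models a bank's server-side check under two schemes: a login-bound one-time code, which the malware can reuse because it says nothing about the transfer, and a transaction-bound code computed over the exact fields the user saw, which fails verification as soon as the destination is swapped. The account numbers, amounts, session id and HMAC key are constructed, and the assumption is that the user's token and the bank share that key.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One outgoing payment as the user sees it on screen."""
    source: str
    destination: str
    amount_pence: int
    reference: str


def canonical(tx: Transfer) -> bytes:
    # Fixed field order and separator so token and bank hash identical bytes.
    return "|".join([tx.source, tx.destination, str(tx.amount_pence), tx.reference]).encode()


def login_code(key: bytes, session_id: str) -> str:
    # Session-bound second factor: proves the user logged in, nothing more.
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()[:8]


def transaction_code(key: bytes, tx: Transfer) -> str:
    # Transaction-bound second factor: covers destination and amount the user saw.
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8]


def bank_accepts_with_login_code(key: bytes, session_id: str, submitted: Transfer, code: str) -> bool:
    # The submitted transfer is not part of what is verified, so tampering is invisible.
    return hmac.compare_digest(login_code(key, session_id), code)


def bank_accepts_with_transaction_code(key: bytes, submitted: Transfer, code: str) -> bool:
    # The bank recomputes the code over what it actually received.
    return hmac.compare_digest(transaction_code(key, submitted), code)


def simulate_man_in_the_browser(key: bytes, session_id: str) -> dict:
    # Constructed scenario: user pays rent; malware rewrites the destination
    # in the submitted request while the browser keeps showing the original.
    intended = Transfer("GB-USER-1234", "GB-LANDLORD-5678", 120000, "rent")
    tampered = Transfer(intended.source, "GB-MULE-9999", intended.amount_pence, intended.reference)

    # The user, seeing only the intended transfer, produces the codes the bank asks for.
    user_login_code = login_code(key, session_id)
    user_tx_code = transaction_code(key, intended)

    return {
        "login_code_accepts_tampered": bank_accepts_with_login_code(key, session_id, tampered, user_login_code),
        "transaction_code_accepts_tampered": bank_accepts_with_transaction_code(key, tampered, user_tx_code),
        "transaction_code_accepts_intended": bank_accepts_with_transaction_code(key, intended, user_tx_code),
    }


if __name__ == "__main__":
    for check, result in simulate_man_in_the_browser(b"constructed-shared-key", "session-42").items():
        print(f"{check}: {result}")
```

The design point is that the transaction-bound code only helps if the token displays the destination and amount it is signing on a device the malware cannot draw over; a code typed into the same infected browser that shows the doctored balance is still only as trustworthy as that screen.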

The attackers seem to target accounts with larger balances, ensuring sizable transfers don't result in overdraft notifications that alert victims. Stolen funds are transferred to what are known as money mule accounts, which are legitimate banking accounts whose owners often are unaware they're participating in criminal activities. Money mule accounts are used only a few times within a certain time frame.

"These types of attacks really take cyberthreats to a whole other level," Anstis said. "There's little the organization or [computer] user can do."
