FBI is on the lookout for financial losses unrelated to fiscal cliff


A cyber gang has been plotting to empty online banking accounts by spring 2013.

Fiscal cliff or not, the government will be scanning the financial markets for signs of million-dollar losses in 2013, as a cyber posse threatens to empty consumer accounts at U.S. banks.

Data security firm RSA in October uncovered one of the largest organized plots to hijack online banking transfers, dubbing the gambit “Project Blitzkrieg.” Researchers figured out the type of virus in play by observing subversive chatroom discussions. Since 2008, this form of malicious software has stolen $5 million from American bank accounts.

This month, a McAfee white paper classified the ongoing activity as a credible threat. Researchers at the antivirus firm, however, say the Justice Department and Secret Service -- responsible for investigating financial crimes -- are likely to have tools in place to finger the perpetrators, who are expected to act by spring 2013.

“They really have put in the processes and expertise to go after these criminals,” Ryan Sherstobitoff, author of the McAfee Lab report, said in an interview. “Where there is evidence of wrongdoing, the FBI has really advanced in the last five years to deal with the cyber threat.”

The malware apparently copies to a remote server all the settings on a victim’s PC so that the bank’s website cannot distinguish between the con artist’s and the legitimate customer’s transactions. The malware replicates the victim’s time zone, screen resolution, browser type, and software product characteristics, among other things.

Sherstobitoff said he does not have inside knowledge about the FBI’s procedures for this case, but he is familiar with how researchers have helped authorities during previous cases. “Typically it’s a game of connecting the dots,” he said. Experts look for observable data such as the IP address -- the network location -- of machines used in a hack, online identities, and banking transaction logs. With this information, they can follow the assailant’s online footsteps.

Another way to ID the suspect: If the individual is not using a virtual private network and then connects to a social network, like Facebook, authorities can obtain online activity logs from the perp’s Internet service provider and the social media company to tag the culprit. “This really only happens if the activity first off is monitored and can be correlated with actual malicious activity and [the] activity of accessing a social media site from the same location,” Sherstobitoff said.

The virus obtains the sensitive customer details needed to mimic user settings through so-called man-in-the-middle attacks, which invisibly redirect customers to a password-stealing website during their online banking sessions.

The sleuthing is all about “putting together the real name to the underground virtual identity,” Sherstobitoff said.

In recent crackdowns on hacktivists, FBI court papers chronicled how agents successfully used public data and warranted digital surveillance to uncover the real identities of tricksters.

Once, for instance, the feds detected public signals broadcasting from a wireless router inside a Chicago building known to be the suspect’s residence, according to legal filings. Through other signals, they determined the media access control, or MAC, address of the computer tied to the router. A MAC address is a unique serial number for hardware that often identifies the device’s manufacturer, which in this case was Apple. A cooperating witness knew the suspect used a MacBook. He then reported to the authorities that the suspect was online at the time they identified the computer’s signals—helping confirm the device and the accused person’s computer were one and the same.

McAfee researchers anticipate Justice will employ some of the same maneuvers to prosecute any potential cyber thieves.

Based on the chatter seen so far, it is expected that recent publicity may prompt the gang to change its game plan but still pull off heists of the same magnitude. The media attention “probably is going to decrease the likelihood of it happening as how they originally envisioned it,” but the attack likely will hit with the same severity as intended, Sherstobitoff said.

Regardless of whether a crime goes down, federal agents are on the lookout, according to RSA’s experts.

“The move is both risky and peculiar considering recent law enforcement operations in the underground leading to extensive fraudster arrests by the FBI,” Mor Ahuvia, an RSA cybercrime communications specialist, wrote back in October, when the firm first chronicled the conspiracy.