Agencies could be prone to new kind of sophisticated cyberattack

The government should watch out for "man-in-the-browser" attacks that have been used to steal money from financial institutions, security expert says.

Federal computer networks are vulnerable to the same type of sophisticated cyberattack that recently cost a global bank more than $1 million in a month, according to a security company official.

Hackers used a "man-in-the-browser" attack to steal a total of $1,077,000 from about 3,000 customers of a large financial institution between July and August, a report released by M86 Security on Tuesday indicated. In such attacks, the perpetrator installs on the victim's computer Trojan horse software capable of modifying Web transactions in real time. The report did not name the bank because an investigation is currently under way, but said the victims were located primarily in the United Kingdom.

While big payouts often are the motivation for man-in-the-browser attacks, hackers could use a similar strategy to steal classified or other sensitive information from federal agencies, said Bradley Anstis, vice president of technology strategy for M86 Security.

"Any websites that [enable] large financial transactions or [the exchange] of sensitive information, of which government has quite of a few, are at risk of this type of cyberattack," Anstis said. He noted advanced security controls, including multifactor authentication, won't protect systems from man-in-the-browser attacks, because the software running on infected machines "looks over the shoulders" of users who have the appropriate credentials.

Unlike phishing attacks, which infect computers when users click on a malicious link in an e-mail, man-in-the-browser attacks load malware onto computers when users visit legitimate websites that also have been compromised, typically via third-party advertisements. The Trojan horse remains dormant on the infected computer until users visit a particular site -- in this case their financial institution -- and enter credentials to access their account.

As a user logs in, the perpetrator uses the malware to gain account access, intersect transactions and manipulate requests. If a user requests a money transfer to pay rent, for example, the hacker will reroute funds to an external account; when the bank asks for authorization for the transfer, the malware routes the request back to the user, who enters the required information, "assuming that the bank is doing a great job at protecting his or her information," Anstis said. The malware even allows the perpetrator to adjust the user's balance online and in downloaded PDF documents as needed, to evade detection.

The attackers seem to target accounts with larger balances, ensuring sizable transfers don't result in overdraft notifications that alert victims. Stolen funds are transferred to what are known as money mule accounts, which are legitimate banking accounts whose owners often are unaware they're participating in criminal activities. Money mule accounts are used only a few times within a certain time frame.

"These types of attacks really take cyberthreats to a whole other level," Anstis said. "There's little the organization or [computer] user can do."