March 16, 2010

Over the past nine months, I have spent a substantial amount of time investigating and detailing the plight of dozens of small businesses that have had their bank accounts cleaned out by organized criminals. One of the most frequent questions I get from readers and from my journalist peers is, “How many of these stories are you going to tell?”

The answer is simple: As many as I can verify. The reason is just as plain: I’m finding that most small business owners have no clue about the threats they face or the liability they assume when banking online, even as the frequency and sophistication of attacks appears to be increasing.

I am now hearing from multiple companies each week that have suffered tens of thousands or hundreds of thousands of dollar losses from a single virus infection (last week I spoke with people from four different companies that had been victimized over the past two months alone). In each of these dramas, the plot line is roughly the same: Attackers planted malicious software on the victim’s PC to steal the company’s online banking credentials, and then used those credentials to siphon massive amounts of money from the targeted accounts. The twists to the stories come in how the crooks evade security technologies, how the banks react, and whether the customers are left holding the (empty) bag.

In most cases I’ve followed, the banks will do what they can to reverse the fraudulent transactions. But beyond that, the bank’s liability generally ends, because — unlike consumers — businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them.

Earlier this month, I spoke with the CEO of Eskola LLC, a Treadway, Tenn. roofing firm that had $130,000 stolen from its online bank accounts in a series of five unauthorized wire transfers in late January. The bank was able to reverse most of those transfers, but Eskola was unable to recover more than $30,000 of the stolen money.

“It really took our bank by surprise and triggered a whole series of internal reviews, because they told me they’ve been hit several other times since then,” Jon Eskola said. “They said so far this year, it’s been the number one thing that’s come across their plate, and that this type of crime had increased 500 to 600 percent over a year ago.”

Even in rare cases where the victim’s bank eats the loss, the company hit by the fraud often goes a month or two without the operating capital. In the waning days of January and the beginning of February, thieves hit Orange Family Physicians, a medical practice in Orange, Va., stealing $46,000 and sending it in sub-$8,000 chunks to a half-dozen money mules around the United States. The practice later found that the controller’s PC had been infected with the ZeuS Trojan, a prolific and powerful family of malware used to steal banking credentials and control infected PCs from afar.

Donna Diaz, the controller for Orange Family Physicians, said their bank was only able to reverse $6,000 of the total stolen. For several weeks, it appeared that the bank had no intention of reimbursing Orange for the loss. About the same time that a reporter started snooping around on their behalf, however, the bank refunded all of the missing money.

Diaz said she first learned about the fraudulent payments when the bank sent her an overdraft notice. She said the bank should have flagged the fraudulent transactions as unusual, since they were initiated from four different Internet addresses — none of which were previously associated with the practice.

“When I first talked to the bank, my question to them was, ‘We’ve always done the same five payroll transactions a month, this was outside the norm, so why didn’t you flag them?’” Diaz recalled. “They told me because [the thieves] answered the secret questions correctly and because the amount was under $10,000 and their daily limit, they let it go just based on the amount.”

Jon Eskola said his company had “completely revamped” its in-house process for moving money: While two people from Eskola Roofing have always had to sign off on a payment, that informal dual approval was separate from the bank’s online system, which only required that customers provide the correct user name, password, and answers to secret questions.

Now, when Eskola’s company needs to move money electronically, the bank won’t approve the payment unless it receives confirmation from the company via an out-of-band form of communication, such as a phone call, fax or text message, he said, although he declined to specify which mode his company was using going forward.

Eskola said the banks could do a better job educating customers about the risks they face with banking online, but he allowed that business owners also need to take their share of responsibility.

“The banks need to raise this issue front of mind for small businesses, but the guy who runs that small business really needs to step up and be responsible for his end, too,” Eskola said.

Diaz said she’s all about being responsible, and that she’s learned a great deal from the episode. She said she recently purchased a new laptop, which she uses only for checking her bank’s Web site and for managing the company’s books. “Other than that, it gets locked up in my desk, and I don’t use it for browsing the Web or checking e-mail. I pay my bills on it, do my Quickbooks stuff, and that’s it.”

Still, Diaz said, most small businesses owners likely don’t have a clue about the sophistication of today’s threats online, or what they stand to lose if they are not hyper-vigilant.

“It’s really kind of sad because it doesn’t seem like there’s much awareness out there by the general public or businesses about how big a deal this can be,” Diaz said. “People think everything is safe in banking online, when it’s really not.”

Indeed, too many company owners remain ignorant of this type of crime and their exposure to it until they become a victim, said Marc F. Quince, special agent for the Virginia State Police‘s Bureau of Criminal Investigation.

“There are no simple answers,” Quince said.  “Law enforcement, financial institutions, and computer users need to do a better job all the way around preparing themselves for this type of attack.”


57 thoughts on “eBanking Victim? Take a Number.

  1. Steve Werby

    Brian, great article. Keep the articles on online banking fraud coming.

    Jon Eskola, CEO of a roofing firm that lost $30k, said it well – “The banks need to raise this issue front of mind for small businesses, but the guy who runs that small business really needs to step up and be responsible for his end, too.”‘

    Online banking fraud was the primary topic of a presentation I gave to small biz loss prevention professionals a few weeks ago. It was an eye-opener for most of them. Many of these business owners are either completely unaware of the risk or have been lulled into a false sense of security by their IT staff/vendor/cousin because they are running an antivirus solution or have 2-factor auth via a token that requires keyboard entry.

    My advice to small biz owners? Contact your bank to find out what your liability is, ask what controls they have in place and find out what your options are to reduce your risk. If the answers you get are inadequate, let them know. And if your bank doesn’t offer multi-factor authentication or transaction confirmation that’s out-of-band, use a locked-down, dedicated workstation for nothing, but accessing your bank website or use a live boot distro. Or acknowledge that you’re playing Russian roulette.

  2. uk immigration lawyer

    The banks are the only people able to do anything about this; and they won’t do anything at all unless they’re shouldering the losses.
    There is a huge difference in security measures taken by banks in different parts of the world – from what I’ve seen Sweden is ahead of the UK and the UK is ahead of the USA but all banks have room for improvement.
    Well done for telling the stories… silence works wonders for the status quo; and the status quo is siphoning large amounts of money from innocent companies.

    1. Anthony

      That’s not entirely true… Banks can do alot but the browser can still be hijacked on the users end no matter how the authenticate.

      1. infosec_pro

        Anthony, you missed the point. The discussion was about banks doing more to raise awareness of the risks.

        Problem is that the banks have a disincentive to do so. They want to raise the customer acceptance of online banking, not diminish it by raising concerns about security. As long as they bear no liability for losses their interests are not aligned with their customers as far as preventing losses.

      2. JCitizen

        Dear Anthony:

        If you have a chance to read more of the comments you’ll see that there are several solutions to the browser session high-jack issue. Now whether the solutions work, will have to be tested.

        I’ve tested older hook layer solutions that did work, even if your PC was infected. However those utilities are obsolete; I am sure, several companies have a solution to that loophole for now ; however, we must be aware of end runs by the criminals at every instance.

  3. d

    Well, Brian you can certainly say – and tell your peers – you are doing your part to make this activity well known. By now, why it’s not a major story in the media is beyond me. I work at a small business, but I bet most of our employees don’t know the bank only protects consumers and not businesses that bank online. Besides some automatic payments, we don’t bank online. With the convenience of online banking, any businessperson who established their company in the last decade probably banks online without giving it any thought. For personal banking, I use a credit union. Last year this institution started requiring clients to remove all headgear and sunglasses to receive service. They didn’t announce it beforehand; they simply made it a requirement. I talked to the branch manager and she said it was in response to robbery. Since the number of small businesses pales in comparison to the number of non-business clients, I guess it will be a while before banks admit to online robbery and make the issue known to the small business community. Or maybe they might stumble upon KrebsOnSecurity!

  4. wslc

    Great series and another good article in it.

    I passed on this information (and the link to your website) to my bosses at our small business & they were both grateful & alarmed.

    Maybe this is a feature of business banking, but why is it so easy for someone to initiate remote wire transfers? I know that when I’ve needed to do a wire transfer to a child at college or in Europe on a study abroad program, I have to call up my credit union & speak to a real person or persons in order to have to the transfer go through.

    Thanks again for your work, Brian!

  5. JCitizen

    You keep pounding on that reporting Brian!! We have to continue to put the pressure on the banking industry and our political representatives to do something about the ridiculously lax security concern in this sector.

    I am advocating for this cause with my federal and state representatives, as well as states attorney general, local banker associations, Federal Trade Commission, Federal Bureau of Investigation, and local law enforcement authorities.

    If I ever end up actually working in the IT infrastructure in the banking services sector, I will be like a junk yard dog on this. I may not be hired very long but I intend on making a difference for the customers; both individual and businesses.

    You go like a pit bull Brain, we are all backing you up!

    1. TheGeezer

      They don’t take the initiative because they don’t have the financial incentive.

      They don’t have the financial incentive because there is no regulation giving them a financial incentive.

      There is no regulation because too many of our congressional representatives don’t want regulation.

      Our representatives don’t want regulation because their campaigns are financed by the very institutions that profit from not having regulation.

    2. Matt

      Unfortunately in this case requiring a bank to use a .bank extension would not have helped. The Zeus Trojan involved is hijacking the browser with a correct URL in the address bar and then injecting deceiving html into the browsers page to trick the user into giving up valid authentication codes it can then use in the background to transfer money out. There really isn’t any fault on the part of the user or an obvious way the bank could recognise the fraudulent transactions without impeding the usability of the system, the problem is a transaction authentication one.

    3. Pete

      Because the idea is complete shite?!

      Trivial DNS changers that fake sites or browser helper objects that inject content into legitimate pages pwn this “security idea” in their sleep & more fool them for supporting it.

      TLD’s are about to become a vanity commodity as ICANN line their pockets and have even more swish meetings in the future.

      http://www.elliotsblog.com/vanity-tlds-vtld-approved

      The idiots run the asylum my friend!

      1. Matt

        I have to agree Pete, I personally busted registrars influencing ICANN voting in the early days when they had a chance to recover from the mess but money talks as the old saying goes. If ICANN had have kept things simple it might have been possible to educate the average user about basic address fraud but with every ridiculous extension enabled it is almost impossible. Now that the browser address is irrelevant with the browser injections it might actually be creating a false sense of security for people who do carefully check.

  6. wahnula

    Like everyone else said, keep at it! One quote I found especially relevant:

    most small businesses owners likely don’t have a clue about the sophistication of today’s threats online, or what they stand to lose if they are not hyper-vigilant.

    I am the sysadmin of our SMB (10 machines) and I make sure all the machines are AV-current, updated through WSUS, and our network is firewalled & as secure as possible. Thanks to your articles, I have been bending the boss’ ear incessantly about banking fraud targeting small business.

    He replied “the only PC that accesses our bank account is my wife’s…” I choked. This PC is off the company network and is on his unsecured home wireless network. Not only that, but when I had to reload XP Pro on it recently (it would barely run), I found the A/V had EXPIRED IN 2007! I had to scan it for viruses and malware before I let it on my home network to repair it. Luckily (or miraculously) it came up clean.

    Our new policy is to bank in-person or ONLY on the office network with an Ubuntu box I built from spare parts. The bank has been informed NOT to issue wire transfers from our account under any circumstances.

    So, you have made a difference to this small business, keep banging the drum, it is being heard.

  7. Jared

    Keep it up BK. Banks have a herd mentality. When one takes fraud seriously the others will follow. Unfortunately I think it will require legislation to motivate. Large businesses encountering fraud prefer to hide vs. fight like the small biz community. In my experience, Banks evaluate fraud %’s across the P&L so unless something changes the equation, small business will continue to take losses.
    As a small business owner, I’ve contacted my credit union and take precautions thanks to your coverage.

  8. Rob

    Most of the banks out there are still wrapped in dealing with their loan losses. This issue needs to be dealt with more effectively but it is easy to understand the time being put elsewhere for a little while longer. Banks have to deal with the “orders” from their respective regulatory bodies first and the regulators aren’t saying anything new about MFA.

  9. mrmikel

    I disagree with the “There are no simple answers…”

    It should be standard policy at all financial institutions to require a whitelist of acceptable recipients of money transfers from each of their customers. Not on the list…no transfer. Any change to the whitelist must by in person or by phone to someone who would recognize the voice.

    1. JCitizen

      This is what I advocate as a short term solution; we regular folks use the same thing for spam; why not the electronic transfer process?

    2. Matt

      The Zeus trojan is getting around the whitelist security concept, in fact it downloads the various different security procedures of over 4000 online financial websites when it starts up. The problem is in a real business who they need to pay can change from a day to day basis and if the user needs to visit a branch to authorize these new accounts then there is no point in having internet banking. You cant have security without considering usability, too many IT security people ignore usability and their methods end up being entirely ignored by users. I am not sure how secure authentication based on recognising a users voice would be or if that would be possible for anything other than very small banks but it would probably pose a less technical challenge to the attackers than existing systems.

      1. JCitizen

        That is why I called it a short term solution; but some of these scams use the same main trans ID every time they rob someone of their money. Like HOSTING SALES 888-678-8560 WA , a well know scam that keep on paying and paying – to the scammers, that is.

        Same old transaction ID every time.

      2. Mike

        there are different ways to transfer money and to pay bills. some of those methods have fraud protection built in, some do not. some are reversible, some are not. why would someone want a non-reversible, non-fraud-protected mechanism enabled by default in their online banking account–regardless of whether they use that feature–if they had another option? this isn’t about what customers want, this about what the banks want customers to use (some methods are also more profitable for the bank than others) and customer ignorance (the banks are financial experts, not small business owners). there are many reasons why someone might want online banking functionality, and it is not correct to say that if people couldn’t initiate transfers without a whitelist that there would be no point in having online banking. the only reason that commercial online banking accounts aren’t better protected is that doing so would cost the banks money and at the moment they aren’t liable for the loses–so they just don’t care. don’t make the mistake of believing any other excuse.

        1. JCitizen

          Mike;

          This is so true! However I advocate the least costly solutions, so the bank/credit association does not pass down huge expenses to the customers/members.

          I’m going to get very active on my association meetings from now on.

          Some of these entities refuse to implement even the most basic protections; and this seems unreal to me.

  10. Mike F

    There are available tools that companies as well as individuals can use to mitigate man in the middle browser attempts.

    I have researched both of these and I think this may be a very effective method for end-users to protect themselves in the event that their current AV is either not up-to date or unknowingly been compromised.

    Take a look at them, its just research that I have done being that I work in the financial industry and I also have a company that focuses on computer and internet safety. I am always looking for ways to help end-users through educating them on ways they can safely transact business on the ‘net.

    1. Trusteer – Rapport – http://www.trusteer.com/presentation-how-it-works
    2. SafeCentral – http://www.safecentral.com

    1. Rob

      @Mike F

      Not very convincing. Are there independent third party research reports out there?

      1. Mike F

        Not sure if there are any 3rd party reports to be honest. There are reviews and awards for the Trusteer Rapport product available on their website with links back to the source. Apparently they are gaining the trust of some large institutions who are partnering on with them, so they must be doing something right. I still hold to the believe that its a good place to start.

    2. JCitizen

      That safe central looks like a Novel client we used in some school systems. It was not of the Microsoft kernel, and took over the desktop, and locked the operating system down. I never heard it was compromised, despite having malware inside the school LAN.

      If you are a FaceBook member you can now get Prevx Safe Online; which acts like a bubble at the kernel level around whatever browser you are using. It will only allow legitimate processes to communicate between you and the browser and the web-site it is connected to. I’ve been testing it against Snoopfree Privacy Shield, and they are not compatible of course; but it makes claims that it can thwart kernel mode rootkits, so that is a bit difference. Snoopfree can only handle screen and keyboard hooks and not communication to the web.

      This should foil the usual Zues variants, until the criminals find another way around the problem.

      I do not work for any company or person; I only hate malware and criminal network crackers to pieces!!

  11. Bart

    So, is there a trend of where the banks are picking up the malware? Is it employees who respond to the emails for fake watches and drugs, or is it certain kinds of adult sites?

    1. Charles

      It’s been a couple of years since I did information security work for a bank.

      But I’d bet heavily it _wasn’t_ porn sites.

      That’d be a firing offense anywhere I’ve worked in the last 12 years. Particularly so at a bank.

      More to the point, detection of this sort of abuse is trivial if you examine the web proxy logs. Anonymizing proxies really don’t help, since use of such leaves traces of its own. Once the evidence is firmly in hand, termination usually follows within hours. I’m not guessing about that process, either. That’s the way I worked these when I worked for a major, major bank that shall remain nameless.

      If I were guessing, I’d guess targeted attacks.

      All this takes is a few harvested internal bank email addresses, the ability to “manufacture” trust, and a kit that’ll turn out malicious PDF/Word/Excel docs. Malicious PDFs have been quite popular this last year, amounting to almost half the reported total.

  12. Ron Lepofsky

    Brian: Great article on e-banking risks and liabilities. I will reference this article in my next blog. Regards, Ron Lepofsky, CISSP

  13. fchaffin

    Brian, great article. I think online banking is a very important topic. Please keep the articles on online banking fraud coming.

  14. AlphaCentauri

    There is still the rather obvious strategy of having banks cooperate together to bait the scammers. If they respond to every spam soliciting money mules with thousands of fake identities and sham bank accounts, it becomes very difficult for the scammers to transfer the funds to real money mules without tipping off the banks’ investigation co-op with information about who is being targeted. Once you identify the victim, you can freeze the transfers and identify any real mules. It only works if all the banks share information, of course, but I don’t think it would violate any anti-trust or privacy laws.

    1. Matt

      Going on the offensive is noble but I believe the scammers would have some sort of vetting process to weed out the fake applications. The ones I have seen request a copy of the mules passports so that could be a legal problem for the vigilantes who would need to generate fake passport images, probably not something a bank could be involved with. Another aspect is I believe they transfer a small x% to completely unrelated innocent parties just to mess with investigators. Their trojan to base communications are all well encrypted so thats not an easy disruption point. In all its a tough nut to crack even for law enforcement who have much greater access than a vigilante.
      As far as banks cooperating every indication is the opposite. The classic recent security debacle was the CAP readers the 3 big UK banks rolled out to all their customers. The OTP token devices were bought and rolled out on an EMV standard with the idea that anyone with say a Barclays bank card could plug it into their family members RBS device and authenticate and thereby reduce the amount of devices needed out in the community since they are quite chunky… Well typically they each ended up modifying their standards just enough that the competitors cards wouldnt work in each others devices.

      1. JCitizen

        If this is like Chip and PIN, there are cracks for those devices out there. That was a very expensive failure – this is why I don’t blame the banks over here for being very cautious about new ideas on hardware/software security.

      2. AlphaCentauri

        Those are very good points. But I think the reality of dealing with money mules is that your vetting process could be a bit messy. I’m sure lots of them don’t own passports or even drivers’ licenses. These are folks who are out of work and not very sophisticated about fraud. They probably ask a lot of questions more than once. Lining up mules is probably time consuming, and lining them up when there are thousands of equally befuddled fake applicants could remove a lot of the profit incentive.

        The fake IDs would require the cooperation of law enforcement to set up sting operations. But they could do double duty providing leads to locate the ZeuS botherders by questioning people who show up at international borders with the known fake information.

  15. Terry Ritter

    There *is* a simple solution.

    It is simple to get, not so simple to install, but simple to use. It will immediately avoid almost all current malware, ignore current infections and stop future infection. That solution is to boot Puppy Linux from DVD.

    It is time to stop dismissing something that can protect most users by calling it unprofessional, difficult or short-lasting:

    * Linux has issues, but is more than good enough to secure on-line banking or browsing. Most current malware cannot run on Linux.

    * Puppy Linux is easy to use. My wife likes it. Just have somebody to set it up for you.

    * By booting from DVD, we avoid any existing Microsoft Windows infections.

    * By booting from DVD, we also avoid the scary part of malware: A single user mistake is enough to infect a Windows hard drive and then persist forever. The era of “removing” malware is the past: Nowadays the OS must be re-installed.

    See my articles on ciphersbyritter.com (for example:
    http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM )
    After the Puppy DVD is set up, most user time is spent in Firefox, not Linux.

    1. JCitizen

      We discussed the Puppy Linux CD/DVD idea at Tech Republic; it is a very good solution. Just make sure and keep the DVD updated , and don’t use RW discs so there is no way to write to it during a session.

      And hopefully most folks have compatible NIC cards, but that usually isn’t a problem these days. Shoot – the banks should offer them as a service, although someone would have to get paid for burning so many CDs for the customers.

      Maybe an enterprising company will offer something like it on a GPL license and take off like a rocket!! I can just see them on the “seen on TV” ads!

      Only $9.95 gets you as complete security as you can get; (and include a package manager that updates quick) Most banks sites should easily handle Mozilla.

    2. Matt

      Sandboxing is not a bad idea and you are correct it is a solution which is better than many security methods which only shift the security problem elsewhere. It is secure and cheap to implement. I wouldnt call it unprofessional though actually I would say it is if anything too professional and may bamboozle the average joe. The average non IT person I know has no idea what linux is or how to boot from a different drive and wouldnt be able to set it all up which is a negative, the delicateness of DVD’s and lack of DVD player in many netbooks and mobiles would be a barrier for mobility too.

      It would also be a pain that alot of online banking actions are made in response to information on the primary operating system such as accounting software, emails with invoices, a website, instant messages etc and that information would be lost in the fresh boot.

      The average person might also balk about the time it takes to power out of say windows and then reboot into linux do their thing then power out and reboot back into windows.

      I think it’s a good solution for businesses with low transaction volumes and high value transactions, they can have a cheap dedicated netbook (one with a DVD drive) sitting next to their accounting computer but of course that doesn’t make it a cheap solution and also adds a bit of time and possibly accounting errors for the person who has to manually transpose from machine A to machine B.

      1. JCitizen

        If using dual boot or Linux CD in a small business, managers could use a dedicated PC for all online transactions. They could even lock the thing down or physically locate it in a secure location for such use.

        I would think in a dual boot configuration a removable or locked down network drive could store any records needed for transactions. Just anything to add an isolation factor.

        Same for VMs; only use sandboxes or VMs for banking or purchasing and that alone. Make sure one is not using XP applications that introduce a vulnerability to that VM. On XP running native, you wouldn’t notice or it would crash. But on an XP VM, Vista or Win 7 you could end up pwned.

        I see a lot of amateur users who have no trouble using Returnil as a VM, and it is apparently fairly intuitive to install and use, as folks give it good reviews at CNET. However an amateur would not be able to just uninstall it if they didn’t like it, as it automatically creates a partition for the virtual environment.

        Any of these ideas is better than what I am doing, but my in-depth defense is combat proven in my honey pot lab. You could say I try set an example for my clients, as they will only do the minimum and not usually take even the steps I do to protect themselves.

        I don’t think I’d have much trouble convincing an SMB to take these steps however. My business clients are so paranoid they only do business over the phone, snail mail, or physically visit the bank and vendors to make payments.

  16. Ben

    AV is dead as a sole solution for home users. MS has “DEP” which is a half-assed solution but it is not enough. Either more AV vendors need to offer more in depth security suites or we will continue to run down the same path.

    Whitelisting needs to be incorporated/used more and made more user friendly for the average joe..

    Marcus Ranums “Enumerating Badness” paper still holds true. We still do default accept (aka Blacklisting) as a primary line of defense on Windows machines for the most part (read: home users.) Malware authors are generating malware at a far greater rate than AV vendors can create signatures. Until something major changes we will continue to see news stories like this.

    1. JCitizen

      I use solutions that don’t necessarily need file definitions to do their job. Some of them don’t even need definitions at all.

      A mix of behavior based HIPs, heuristics, and low kernel level process guards, can go a long way to ending dependence on those old concepts.

      However I keep one good utility that still uses the old method just as a back up scanner, to pick up on dormant files left over, that hide from the HIPs.

      I really don’t see any suite in my future at all. The best solutions now purposely code for cooperation with the best defenses. The ones I use, take completely different methods, processes, and strategies for each utility, to do the job. This keeps the malware criminals coding off kilter at every step of the dirty process of malicious intent.

    2. Terry Ritter

      Partly because Web specs were hacked out individually (as opposed to being part of a comprehensive security design), stopping all incoming malware (which a user generally has requested) is difficult to the point of being impossible.

      On the other hand, stopping even requested malware *is* possible by not having what the malware needs to run. This is the advantage of a different operating system (OS) or even a different processor instruction set. Since about 93 percent of browsing occurs under Microsoft Windows, almost all malware targets Windows.

      The chance of using a computer running malware can be minimized by starting each session clean and limiting unnecessary browsing. Unfortunately, Microsoft Windows users cannot expect to start out clean, since a single human mistake can infect Windows, which then remains infected until the OS is re-installed. A similar problem exists for any OS which boots from an easily-writable hard drive, because subverted software cannot protect the drive. Avoiding malware attack is important, but infection is a continuing problem.

      Currently there exists no tool or set of tools which can detect all modern infections. Indeed, when scanners run under a subverted OS there is every opportunity for a modern rootkit infection to hide. Because advanced malware can hide particularly well, scanning from inside the OS may be more of a deception than a help. By having the bot download a few crude viri, the system can be “cleaned” while the advanced malware hides and runs.

      Instead of trying to scan every file for every known malware, Microsoft could issue a “live” DVD to check their own files, and thus expose any infection. That might require OS fixes to reduce or eliminate files which change dynamically, but Microsoft created that security problem, so they can take whatever effort they need to fix it.

      Microsoft owns the malware problem, and will continue to do so as long as Windows remains the largest target. The current strategy of patching known problems is not enough, as we see by increased numbers of increasingly dangerous malwares. But Microsoft does have options:

      * Microsoft could develop tools to certify a Windows installation as clean for use in on-line banking.

      * Microsoft could develop a fast OS re-install to clean up any infection.

      * Microsoft could supply a new “live” on-line banking and browsing OS.

      * Microsoft could support hardware re-design to prevent infection.

      Do not hold wait for Microsoft. For online banking and browsing, run Puppy Linux from DVD. Start with
      http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM

      1. JCitizen

        Great post Terry!

        Microsoft does have one very effective tool, and that is ‘steady state’. You have to use another partition, USB external, or hard drive to store your files, but many of us do that anyway for disaster recovery. Many of the new PCs being sold have at least two drives in them now.

        It is true that malware could end up in your file storage, but if it can’t affect the operating system, it can’t do much damage. You would still want at least one AV solution with real time protection on-board for when you unlock the drive and are doing maintenance and updates, to the operating system and applications, house keeping, etc.

        But from what I understand it is just a matter of unlocking and locking the drive. Each time you reboot all files attempting to remain resident are lost, nothing can write to the operating system drive/partition.

        My local college uses a paid solution called Deep Freeze, and they haven not had a major breech in 20 years! But as far as I can tell, the free Microsoft steady state is the same thing.

  17. anonyjw

    Even though I haven’t seen it mentioned here, I’m sure free products like Sandboxie can also help fight the Trojan scourge…

    1. JCitizen

      Anything like that can help. But be aware that certain applications that were coded for XP have vulnerabilities that while running on XP in native mode were of little consequence, but while in VM on any Windows OS, may subvert your protection inside a VM, and compromise the security of the installation. This depending on whether Sandboxie uses virtual machine technology; which I’ve always understood it does.

      Also, even with a VM, it is generally advised that only banking/shopping be done with that VM to be sure to enjoy the full benefit of virtualization protections.

      But let’s face it, anything you can implement in this technology to a blended/in-depth defense is good; and definitely better than what the majority of PC customers do, which is very little, I’m afraid.

  18. prairie_sailor

    Brian – while I find your articles informative, something I’m not seeing in these articles is details about the compromised systems themselves. We all know here that virtually every system compromised is a Windows based system however that is only a small part of the story. Some information I would like to see (if possible or available):

    Which version of Windows?

    Are all of the patches & service packs installed?

    All of the other installed software up to date?
    (Shockwave, Flash, Adobe Reader, Office, Quickbooks, Java, printer drivers, web browsers, media players, etc)

    Any software installed which was not part of the business functions of the computer (i.e. screensavers, personal media players, games, etc)

    Unused software (i.e. the “trial” games that often ship on retail computers) removed?

    Were the compromised machines being used for personal uses – (facebook, personal email (web based or POP3))

    Were the users running with administrative or “Power user” privileges, on windows 7 or vista computers this should be based on the group membership of the accounts, not the status of UAC

    Were all administrative accounts either disabled or protected with a STRONG password (no dictionary words, dogs or kids names etc)

    Is the security software up to date (including the latest detection engine – not just latest definitions)

    What firewall is being used(Windows or 3rd party)

    Is a hardware firewall in use (i.e. router)

    Wireless connections protected with strong (i.e. WPA2 encryption) and a good passphrase?

    1. BrianKrebs Post author

      @prairie_sailor & george. most of the the systems being infected are using the latest patch levels of Windows XP.

      generally speaking, the people I am speaking to either don’t know those technical details, or they don’t care to disclose them. but in any case, it doesn’t matter. the attackers in every case used the ZeuS Trojan, which involves social engineering — tricking the recipient of a Zeus-laden e-mail into downloading and running an attached file. There have been one or two examples of ZeuS being distributed through software exploits, but those are the exception, and far from the rule.

      The major Anti-virus programs out there do a horrible job of detecting ZeuS, across the board, even when they are up to date.

      I don’t want to overmythologize ZeuS, which has already been pretty badly hyped, IMHO, but these attacks go well beyond the typical attacks that could be dealt with reliably by your traditional tools. The biggest defense you have against these types of attacks are smart users; if you lack that, well…

      1. Terry Ritter

        “these attacks go well beyond the typical attacks that could be dealt with reliably by your traditional tools. The biggest defense you have against these types of attacks are smart users; if you lack that, well…”

        While better computer education cannot hurt, it also cannot be the solution:

        All humans make mistakes, even computer experts. But even a single human mistake can be enough to infect a Microsoft Windows hard drive forever (or at least until Windows is re-installed). And there are no tools which guarantee to detect that infection.

  19. George

    Donna Diaz has several comments in this article, but there is no mention by her how her computer was infected, which, in turn, led to the large financial loss by Orange Family Physicians. Would have been nice to know.

    Also, Brian, keep writing up these incidents. Thanks for the write-ups.

  20. Sari Greene

    Like all high risk activities, secure online banking requires a partnership of defensive and offensive controls. In this case, the controls need to be instituted on both the customer and financial institution side. While banking customers must do their part (AV, firewall, patching, separate PC etc…) it is important not to create a false sense of security. Zeus and its ilk are insidious. Our nDiscovery log analysis service has identified Zeus penetration on very well secured network environments.

    Many financial institutions as well as NACHA – the Electronic Payments Association (http://www.nacha.org/) are taking this threat very seriously. For those institutions that aren’t, their next regulatory exam will be a wake-up call. The regulators are focusing in on ACH and Wire Transfer procedures. They are not only expecting institutions to have implemented strong (multifactor) authentication but also out-of-band verification, fraud detection, monitoring, credit line/limit reviews and customer (and internal) education. They are also being asked to be on the lookout for patterns of “money mule” activity.

    I work directly with a number of financial institutions. They recognize that this is not only a financial and reputational relationship issue but also one that directly impacts the strategic initiative of Internet based banking. Believe me; they are looking hard at internal controls. It is in their best interest to keep their customers information and funds secure.

    Sari Stern Greene
    http://www.sagedatasecurity.com

  21. Eliézer

    Olá! òtimo Post, realmente esse problema veem se alastrando a um bom tempo e curioso saber que em um pais com tantos profissionais como nos USA tenha esse tipo de problemas, é por isso que os bancos pagam tão caro por esse recursos. Realmente aqui no Brasil é uma lacuna enorme de prejuizos, qualquer um pode se aproveitar disso!

    Att,
    Silva; Eliézer

  22. c.cobb

    Brian, thank you so much for this series. While reading another of your articles a couple of months ago, I noticed a few responders mentioning Puppy Linux and started looking at that.

    While the concept is brilliant there are, as JCitizen noted above, still some security holes. The primary issues being that Puppy Linux LiveCD/DVDs and LiveUSBs want to save the session state upon shutdown, and there is full access to connected devices.

    However, the concept of a LiveUSB for secure banking is compelling, and seems far more convenient — carrying a tiny USB stick attached to your car key ring is the ultimate “portable PC.”

    As such, I spent a little time creating a modified Puppy system as an attempt to find a workable USB solution. First, I disabled the “save session” option during reboot or shutdown.

    However, since it is still necessary to make changes to the system from time to time, I also created a new “remastering” process to update a LiveUSB, and simplified the process by eliminating all the dialogs (the original LiveCD remastering asks a lot of complex questions). On my older PC, this new process completes in about three and a half minutes.

    I also replaced “Seamonkey” with FireFox and added the Java Runtime as some banks now use Java Applets during login.

    So now, I envision two separate types of use for the system: online banking, and updating the system.

    To bank, connect the USB and install Puppy into memory, then disconnect the USB device from the computer. Next connect to the network and then access your accounts.

    To update (when a new version of FireFox is avalable, for example), boot the system without connecting to the network, update from a local hard disk, make other system changes, etc, and then remaster back to the LiveUSB device. After updating, if continuing on to a banking session, just remember to remove the USB from the computer first.

    There are a lot of people commenting here who obviously have a lot of experience with IT issues, and I would be interested to hear any feedback you have. A preliminary and experimental “BankPup” version of Puppy is available here:
    http://ccobb.net/demos/puppy/

    I am also experimenting with booting Puppy on a Mac. I have been able to create a single LiveUSB stick that will boot Ubuntu Linux both on my PC and my MacBook so I know the concept works, but multi-booting Puppy remains to be seen.
    Thank you,

    1. Terry Ritter

      For some reason Puppy Linux was intended to be practical without a hard drive, which just happens to be a huge security advantage. Apparently Puppy has never been developed for security use, so there is room for security improvement. It is great to have somebody around who can do some of that. But changes also can bring unexpected consequences.

      “The primary issues being that Puppy Linux LiveCD/DVDs and LiveUSBs want to save the session state upon shutdown, and there is full access to connected devices.”

      But those do not sound like “primary issues” to me, and here is why:

      It is not really true that Puppy “want[s] to save” when ending a session, it just asks if the user wants to save. The security-oriented user should just say “No.” In practice, I only update my DVD every week or two, and then only by using the “save” button on the desktop. My current DVD is about 1/4 full after about 4 months of updates.

      It is true that Puppy can “access…connected devices,” in particular, that would be the hard drive. The users coming from Microsoft Windows can read and write from and to their Windows drive. So when people work in Puppy, they can save their work for later use in Windows, which is good, not bad.

      Yes, it is possible that some rare malware could run in Puppy (!) and then access the hard drive, but that is not infection. Puppy boots from the DVD (or USB), not the hard drive.

      Yes, the mythical malware might damage hard drive data, but that is not preventable. Malware can provide its own device support. Not supporting hard drive access in the OS does not solve the problem.

      If we really want to prevent damage to data on the hard drive (or exposure!), we need to pull out the drive. My laptop now runs without a hard drive, and that works out surprisingly well; much better, in fact, than one would expect. My desktop now has an internal SATA drive caddy so the drive can be removed or replaced in seconds (when the power is off).

      “However, the concept of a LiveUSB for secure banking is compelling,”

      The idea of taking a secure browsing system to arbitrary hardware is compelling, but Puppy has some issues. In particular, the video card setup does not recur on every boot, which, in my experience, means that booting on a different machine can be an unreadable mess. By knowing which selection invokes video setup the system can be recovered, but the process is very disturbing and inconvenient. That should be changed.

      It would be nice if Puppy supported both removal and re-insertion of a flash drive. Puppy will update a flash drive as it stands, as long as the drive remains connected. I have been looking at leveraging the write-protect switch on SD flash cards by using a USB card reader. I found one reader which is so narrow that the write-protect switch is partly exposed, and that might be a solution.

      One big advantage of a flash drive install is, at least potentially, a much faster boot. Also, Puppy supports flash drive encryption. One big disadvantage is that flash drives can be infected much faster, easier, and with less indication than even a writable DVD. With a Puppy DVD, the latest session or sessions can be voided, to get back to an earlier state, but there is no analogous concept in Puppy flash.

      “added the Java Runtime as some banks now use Java Applets during login.”

      Loading Java is pretty scary, since Java has its own security issues. Although JavaScript is needed for most modern browsing, that is different (and should be under NoScript control anyway). Java is a very different story, and may have the potential to compromise the machine without first requiring malware to succeed under Linux, which is very, very scary. That is adding a new attack vector. Obviously, if Java really is needed for use there would be little choice, but otherwise it seems like Java should be avoided if at all possible.

      “To update (when a new version of FireFox is avalable, for example), boot the system without connecting to the network, update from a local hard disk, make other system changes, etc, and then remaster back to the LiveUSB device.”

      It is hard to see much advantage in downloading something for installation, rather than updating automatically online. If we cannot trust Puppy online, we sure cannot trust Windows for download. And if we can trust Puppy, there would seem to be no advantage.

      Nor is updating an unusual event: Updates are required not only for major Firefox steps, but also for the add-ons like NoScript, Safe, Perspectives and all the others. It is easy for Firefox to get the updates. Having to explicitly download and apply each update is significant temptation to avoid the whole process.

      Perhaps the issue here is the “new ‘remastering’ process,” which is unnecessary with incremental DVD updates (saves). If the tradeoff makes updates harder, that is a high price to pay, but it is not clear why that must be so.

      Optimizing Puppy for security is a really good idea. Unfortunately, while everyone likes “security,” there can be a wide range of opinions on the best way to achieve it. But even discussing the problems and tradeoffs may be useful. There may not be just one security version.

      1. JCitizen

        Excellent post Terry;

        This is the road we hashed over at TR on this same subject. I like the LiveCD with update and remastering every so often, and update during session every reboot.

        However as you pointed to the trust issue with update Linux vs. Windows; perhaps simply using a fresh Windows install on a dedicated machine or partition would render the same results using Microsoft’s free Steady State?

        1. Terry Ritter

          Thanks for your support!

          Some things in Puppy Linux do not work as well for me as they do for others. This may be because I run Puppy for security, and so completely from DVD. Most others who run Puppy do so for other reasons and most install to the hard drive. In my view that is just asking for infection, and one of these days we will see it. In any case, the normal remastering stuff has not worked for me, and the end-of-session save stuff often fails, so I use “save” from the desktop instead. Just enough works to make it all practical.

          Since normal remastering does not work for me, the only alternative I know to duplicate the system involves “save.” If we are running Puppy and introduce a plain Puppy DVD (just the .iso burn) and hit “save,” it moves the full configuration to the new DVD. That is a way to duplicate the boot disc, except that different machines will have different video cards and will want a different video configuration. We may want to be careful about accidentally distributing personal information like saved files, bookmarks, saved addresses, the closed tabs list, NoScript and NoSquint site customizations and so on.

          “perhaps simply using a fresh Windows install on a dedicated machine or partition would render the same results using Microsoft’s free Steady State?”

          I can speak to Puppy Linux issues because I use Puppy for almost everything online, and in fact I am using it right now. While I have been aware of Steady State for some time, I have not used it and so cannot speak authoritatively. My concern would be the ability to update the base state, including Firefox and add-ons and their configurations. Of course the Microsoft “Patch Tuesday” updates also must be easy. And then what happens if we change the video card or sound card or whatever? One thing I learned from Puppy was that, without the ability to incrementally update the base configuration, we have a rather unpleasant platform.

          Also I wonder just how comparatively hard Steady State is to set up. People are all the time talking about how difficult Puppy is, although most of the configuration I see is Firefox and add-ons, which we need anyway. I would guess that Steady State would be much larger, to some extent complex, and also require some adjustment and relearning like Puppy. And if it is big and complex and Windows (and, thus, a target), it is reasonable to expect security issues. That has made me reluctant to use it.

          1. JCitizen

            All good questions, that I can’t answer. I can only site that our local college is using a nearly identical paid for solution by Faronics, that has kept them clean for fourteen years, as far as their client machines go. I think they’ve had only one breach, and it was recently – I do believe – because of mistakes by a staff member who trashed the security on a server.

            It has always been my understanding, that once you lock the drive with steady state, it is just a simple thing to unlock it to do maintenance. This may only require rebooting during this operation. Here is more, and also a link to the handbook.

            http://www.microsoft.com/windows/products/winfamily/sharedaccess/faq.mspx

            I don’t use steady state yet, because my in-depth defenses have proven themselves so far. I still take extraordinary steps to protect my credit, though – like a card that generates new card numbers for every vendor. Steady state does, like a VM, need a large partition. They say this is for ‘caching’, so I don’t know how this compares to virtual technology.

            Also, If one’s bank is not secure in the first place, PC security will be pointless. Many banks in our community have questionable security. There is always paypal; but even they have, in the past, been cracked at least once!

      2. Matt

        Id like to say thanks for the post too Terry, Ive been thinking about Puppy all weekend and your posts have cleared up alot of questions Ive had. Cheers.

Comments are closed.