Attacks On Banks
by Roel Schouwenberg - Senior Anti-Virus Researcher, Kaspersky Lab BNL - Monday, 17 November 2008.
Acting as a money mule may seem like an easy way to make money, and some mules may be under the impression they are performing a legitimate job. However, they are legally viewed as being accessories to a crime, in contrast to victims who fall for a phishing scam. Mules run the risk of being tracked down and arrested, particularly if they reside in the same country as the victim.

There are several advantages for cyber criminals in using money mules. Firstly, if the mule is located in the same country as the fraudster, automated bank systems are less likely to tag the transactions as suspicious. Secondly, the fraudster can use several mules and split the amount to be transferred; for instance, s/he may choose to transfer $5,000 in ten transactions rather than $50,000 in a lump sum. This limits the likelihood that the transaction will be stopped as potentially suspicious, and also limits the losses if one or two transactions are stopped.

Naturally, there is a risk in working with money mules; the cyber criminals have to be sure they can trust the chosen mule. There is, after all, little to no guarantee that the mule won't simply disappear with the money that was transferred to his/her account.


When looking at the question of phishing, it's important to have a clear definition of it. This article defines phishing as spoofed messages which allegedly come from a (financial) organization and which are designed to trick the user into giving up confidential information. This is strictly a matter of social engineering, and once malware is involved, the attack can no longer be considered phishing. The never-ending stream of phishing emails and phishing construction kits clearly demonstrates that phishing is still a very effective way of getting users to give up their credentials. There are several reasons for this. Firstly, user education has not had the desired effect, and people are still clicking on the links included in phishing emails. Related to this, users are either unaware of security mechanisms (such as https), don't pay sufficient attention to them, or simply ignore warnings about invalid or untrusted web site certificates. Additionally, in an effort to maximize their returns, cyber criminals are constantly devising ever more ingenious social engineering schemes to deceive the more security-savvy user.

The second problem is that the defences of the majority of financial institutions can be breached by a very simple (phishing) attack. A quick review of the security measures taken by a number of banks in the USA, UK and elsewhere showed that they employ a simple static username and password to access the online banking system. All a cyber criminal has to do is obtain the username and password and s/he is free to perform almost any transaction. Another disadvantage of using a static username and password is that the data can be stored, which means that unauthorized users or cyber criminals don't have to process the data in real time; this job can be done later. Banks which have better security policies will use at least one dynamic password: a single-time password that is only valid during a specific session. This dynamic authentication can be used either when the user logs on or when the user signs a transaction, and preferably both. Using this approach means it is impossible to sign a transaction with an expired password, and ideally makes even logging on impossible.
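The following sketch is an added example, not code from the article or from any bank: it shows server-side handling of a dynamic password that is tied to one session, used once, and rejected after it expires. The class name, the 120-second lifetime, the sample account strings and the choice to bind the code to the transaction details as well as the session are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 120  # seconds a code stays valid (assumed value)


class OneTimeCodes:
    """Issues and checks single-use codes bound to one session and one action."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # (session_id, action) -> (code, expiry time)

    def issue(self, session_id, action):
        # action is "login" or a canonical transaction string (constructed format).
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[(session_id, action)] = (code, self._clock() + CODE_TTL)
        return code  # a real deployment delivers this out of band or via a token

    def verify(self, session_id, action, code):
        # pop() consumes the code on the first attempt, right or wrong,
        # so a captured value cannot be replayed later.
        entry = self._pending.pop((session_id, action), None)
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry:
            return False
        return hmac.compare_digest(expected, code)


def demo():
    """Runs the cases from the text against a fake clock; returns the outcomes."""
    now = [1000.0]
    otp = OneTimeCodes(clock=lambda: now[0])
    pay = "transfer:ACCT-EXAMPLE-001:5000.00"      # constructed sample
    altered = "transfer:ACCT-EXAMPLE-999:5000.00"  # constructed sample
    code = otp.issue("sess-A", pay)
    out = {
        "other_session": otp.verify("sess-B", pay, code),
        "altered_transfer": otp.verify("sess-A", altered, code),
        "genuine": otp.verify("sess-A", pay, code),
        "replayed": otp.verify("sess-A", pay, code),
    }
    stale = otp.issue("sess-A", "login")
    now[0] += CODE_TTL + 1  # the stored code is used after it has expired
    out["expired"] = otp.verify("sess-A", "login", stale)
    return out
```

Unlike a static password, a value harvested and stored for later use fails here on every path except the first in-session, in-time use for the exact action it was issued for.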

