Thieves use DDoS to distract banks during cyber heists

A DDoS attack on a bank’s website could very well be a precursor to a wire transfer raid.
Liam Tung (CSO Online (Australia)), 25 September 2012 11:25

The FBI has warned US financial institutions to prevent employees from accessing the internet on payment computers after a multi-bank heist, which began with phishing emails, netted criminals between US$400,000 and US$900,000 per incident.

The advice was part of an Internet Crime Complaint Center (IC3) fraud alert after multiple reports of large fraudulent wire transfers initiated with stolen payment system credentials from employees at targeted banks.

“Once compromised, keyloggers and RATs [Remote Access Tools] installed on the financial institution employee’s computer provided the actor(s) with complete access to internal networks and logins to third party systems,” the FBI, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and IC3 warn in the joint alert.

The victims were primarily small to medium-sized banks or credit unions, but a few large banks were also caught, according to the alert.

Before initiating a fraudulent transfer, the attackers had used stolen credentials to log into the bank’s systems outside of normal business hours. This provided access to training manuals on the use of US payments systems and gave the attackers access to transaction histories and the ability to modify wire transfer settings of each target.

“In at least one instance, actor(s) browsed through multiple accounts, apparently selecting the accounts with the largest balance,” the alert noted.

The attackers had also hit their targets’ websites with Distributed Denial of Service (DDoS) attacks before and after wiring money offshore. This was “likely” to distract personnel to prevent them from identifying a fraudulent transfer, according to the alert.

Amongst other things, financial institutions were advised to prevent employees from accessing administrative systems at home, implement application whitelisting or host-based IPS, restrict out-of-business hours access to payment systems, and require two staff to authorise large transfers.

The alert also recommends monitoring website traffic for potential DDoS attacks so that staff who handle wire transfers can more closely scrutinise transactions. Banks are urged to “strongly consider” implementing out-of-band authorisation, and either move training manuals offline, place access controls on them or segregate them from payment systems.
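The controls in the two paragraphs above (restricting out-of-hours access to payment systems, requiring two staff to authorise large transfers, and scrutinising wires submitted around a DDoS) can be expressed as a simple review policy over transfer records. The following Python is an added example written for this article, not code from the FBI/IC3 alert or from any bank; the business hours, dual-authorisation threshold, review window, and the sample transfers and alert times are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Sequence, Tuple

# Policy parameters (constructed for this example; an institution sets its own).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
DUAL_AUTH_THRESHOLD_USD = 100_000        # transfers at or above this need two distinct approvers
DDOS_REVIEW_WINDOW = timedelta(hours=6)  # scrutinise transfers this long before/after a DDoS alert


@dataclass(frozen=True)
class WireTransfer:
    transfer_id: str
    submitted_at: datetime
    amount_usd: float
    approvers: Tuple[str, ...]  # user ids of staff who approved the transfer


@dataclass(frozen=True)
class DdosAlert:
    start: datetime
    end: datetime


def is_business_hours(ts: datetime) -> bool:
    """Monday to Friday, from BUSINESS_START (inclusive) to BUSINESS_END (exclusive)."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def in_ddos_window(ts: datetime, alerts: Sequence[DdosAlert]) -> bool:
    """True if ts falls inside any alert, widened by DDOS_REVIEW_WINDOW on both sides,
    since the alert describes DDoS both before and after the fraudulent wires."""
    return any(a.start - DDOS_REVIEW_WINDOW <= ts <= a.end + DDOS_REVIEW_WINDOW for a in alerts)


def review_flags(t: WireTransfer, alerts: Sequence[DdosAlert]) -> List[str]:
    """Return the policy rules this transfer trips; an empty list means no extra review."""
    flags: List[str] = []
    if not is_business_hours(t.submitted_at):
        flags.append("outside_business_hours")
    # set() so the same approver recorded twice does not satisfy the two-person rule
    if t.amount_usd >= DUAL_AUTH_THRESHOLD_USD and len(set(t.approvers)) < 2:
        flags.append("missing_dual_authorisation")
    if in_ddos_window(t.submitted_at, alerts):
        flags.append("within_ddos_window")
    return flags


def transfers_for_manual_review(
    transfers: Sequence[WireTransfer], alerts: Sequence[DdosAlert]
) -> Dict[str, List[str]]:
    """Map transfer_id -> reasons, for every transfer that tripped at least one rule."""
    result: Dict[str, List[str]] = {}
    for t in transfers:
        flags = review_flags(t, alerts)
        if flags:
            result[t.transfer_id] = flags
    return result


# Constructed sample data: one DDoS alert against the bank's website and four wires around it.
SAMPLE_ALERTS = [DdosAlert(datetime(2012, 9, 20, 9, 0), datetime(2012, 9, 20, 11, 0))]
SAMPLE_TRANSFERS = [
    WireTransfer("W1", datetime(2012, 9, 20, 10, 15), 250_000, ("alice", "alice")),  # during DDoS, one approver
    WireTransfer("W2", datetime(2012, 9, 19, 23, 40), 12_000, ("bob", "carol")),     # submitted overnight
    WireTransfer("W3", datetime(2012, 9, 20, 14, 5), 40_000, ("dave",)),             # shortly after DDoS ended
    WireTransfer("W4", datetime(2012, 9, 21, 10, 0), 500_000, ("erin", "frank")),    # clean: hours, two approvers
]

if __name__ == "__main__":
    for tid, reasons in transfers_for_manual_review(SAMPLE_TRANSFERS, SAMPLE_ALERTS).items():
        print(f"{tid}: hold for manual review ({', '.join(reasons)})")
```

The point of the DDoS window is the one the alert makes: a DDoS is a signal to slow down and look harder at wires, not a reason to pull staff away from them, so a transfer that would otherwise sail through gets held while the website is under load.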
