The FBI has warned US financial institutions to prevent employees from accessing the internet on payment computers after a multi-bank heist, which began with phishing emails, netted criminals between US$400,000 and US$900,000 a pop.
The advice was part of an Internet Crime Complaint Center (IC3) fraud alert after multiple reports of large fraudulent wire transfers initiated with stolen payment system credentials from employees at targeted banks.
“Once compromised, keyloggers and RATs [Remote Access Tools] installed on the financial institution employee’s computer provided the actor(s) with complete access to internal networks and logins to third party systems,” the FBI, Financial Services Information Sharing and Analysis Center (FS-ISAC) and IC3 warn in the joint alert.
The victims were primarily small- to medium-sized banks or credit unions, but a few large banks were also hit, according to the alert.
Before initiating a fraudulent transfer, the attackers had used stolen credentials to log into the bank’s systems outside of normal business hours. This provided access to training manuals on the use of US payments systems and gave the attackers access to transaction histories and the ability to modify wire transfer settings of each target.
“In at least one instance, actor(s) browsed through multiple accounts, apparently selecting the accounts with the largest balance,” the alert noted.
The attackers had also hit their targets’ websites with Distributed Denial of Service (DDoS) attacks before and after wiring money offshore. This was “likely” to distract personnel to prevent them from identifying a fraudulent transfer, according to the alert.
Amongst other things, financial institutions were advised to prevent employees from accessing administrative systems at home, implement application whitelisting or host-based IPS, restrict out-of-business hours access to payment systems, and require two staff to authorise large transfers.
The alert also recommends monitoring website traffic for potential DDoS attacks so that staff who handle wire transfers can more closely scrutinise transactions during an attack. Banks are urged to “strongly consider” implementing out-of-band authorisation, and to either move training manuals offline, place access controls on them or segregate them from payment systems.
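The attack pattern described above (off-hours logins with stolen credentials, browsing many accounts, changing wire settings, then sending a large wire) and the alert's mitigations (restricting out-of-hours access, dual authorisation of large transfers) map directly onto detection rules a bank's security team could run over its payment-system audit log. The following is an added example, not code from the alert or from any bank; the log format, the business-hours window, the "large transfer" threshold and the account-enumeration threshold are all assumptions, and the log lines are constructed for the example.

```python
"""Detection rules for the wire-fraud pattern in the FS-ISAC/FBI/IC3 alert.

Example code, not from the alert. The log format, thresholds and
business-hours window below are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumption: 08:00-18:00 local time
LARGE_TRANSFER = 100_000                     # assumption: USD threshold for dual authorisation
ENUMERATION_THRESHOLD = 5                    # assumption: distinct accounts viewed in one session

# Constructed sample audit log (not real data):
# "<ISO timestamp> <user> <session> <action> <detail>"
SAMPLE_LOG = """\
2012-09-17T02:14:03 jdoe S1 login payment-portal
2012-09-17T02:15:40 jdoe S1 view_account 1001
2012-09-17T02:16:02 jdoe S1 view_account 1002
2012-09-17T02:16:31 jdoe S1 view_account 1003
2012-09-17T02:17:05 jdoe S1 view_account 1004
2012-09-17T02:17:44 jdoe S1 view_account 1005
2012-09-17T02:18:10 jdoe S1 view_account 1006
2012-09-17T02:20:55 jdoe S1 modify_wire_settings limit=1000000
2012-09-17T02:22:12 jdoe S1 wire_transfer tx=T1;amount=850000;approvers=jdoe
2012-09-17T10:05:00 asmith S2 login payment-portal
2012-09-17T10:07:30 asmith S2 view_account 2001
2012-09-17T10:09:00 asmith S2 wire_transfer tx=T2;amount=250000;approvers=asmith,bjones
2012-09-17T10:30:00 asmith S2 wire_transfer tx=T3;amount=5000;approvers=asmith
"""


def parse_log(text):
    """Parse log lines into event dicts; 'key=value;...' details become a fields dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, action, detail = line.split(" ", 4)
        fields = {}
        if "=" in detail:
            for pair in detail.split(";"):
                key, value = pair.split("=", 1)
                fields[key] = value
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "session": session, "action": action,
                       "detail": detail, "fields": fields})
    return events


def off_hours_logins(events):
    """Logins to the payment portal outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["action"] == "login" and not (start <= e["ts"].time() < end)]


def account_enumeration(events):
    """Sessions that viewed an unusual number of distinct accounts (balance shopping)."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "view_account":
            seen[e["session"]].add(e["detail"])
    return {s: len(accts) for s, accts in seen.items() if len(accts) >= ENUMERATION_THRESHOLD}


def settings_change_then_transfer(events):
    """Transfers sent in a session that had already modified wire-transfer settings."""
    modified_sessions = set()
    flagged = []
    for e in events:  # log order is chronological
        if e["action"] == "modify_wire_settings":
            modified_sessions.add(e["session"])
        elif e["action"] == "wire_transfer" and e["session"] in modified_sessions:
            flagged.append(e["fields"]["tx"])
    return flagged


def missing_dual_authorisation(events):
    """Large transfers approved by fewer than two distinct staff members."""
    flagged = []
    for e in events:
        if e["action"] != "wire_transfer":
            continue
        amount = int(e["fields"]["amount"])
        approvers = set(e["fields"]["approvers"].split(","))
        if amount >= LARGE_TRANSFER and len(approvers) < 2:
            flagged.append(e["fields"]["tx"])
    return flagged


def analyse(text):
    """Run every rule over a log and return the findings keyed by rule name."""
    events = parse_log(text)
    return {
        "off_hours_logins": off_hours_logins(events),
        "account_enumeration": account_enumeration(events),
        "settings_change_then_transfer": settings_change_then_transfer(events),
        "missing_dual_authorisation": missing_dual_authorisation(events),
    }


if __name__ == "__main__":
    for rule, findings in analyse(SAMPLE_LOG).items():
        print(f"{rule}: {findings}")
```

Against the constructed log, session S1 trips all four rules (02:14 login, six accounts browsed, settings changed before transfer T1, and T1 carrying a single approver), while S2's daytime activity and two-approver transfer T2 pass. In practice the dual-authorisation rule belongs in the payment system as a preventive control rather than only in detection, and the off-hours rule should be backed by the access restriction the alert recommends; the detection side then catches the cases where those controls are bypassed or misconfigured.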