The attack on the bank client, or hunting for a million
16 March 2011, 11:28
To the average person, the whole variety of malicious software is covered by the single word "virus". However, viruses in the classic sense (with self-replication as their main feature) no longer hold the leading positions in the ranking of computer threats. First place has gone to worms and trojans: they can extort money (the infamous Trojan.Winlocker and Trojan.Ransom), collect user information (passwords and contact lists, to which they then mail themselves to increase their coverage), and steal large sums of money without the victim's consent (and the victim can be an ordinary user as well as a large company or a bank).

Obviously, the criminals who write this malicious code are not doing it for fun: the image of a teenage hacker breaking into the local school's system belongs to the past. Today cybercrime is a huge and very rich black market with a high turnover that grows with every passing day.


The scale of the problem is hard to estimate; it is enough to look at the news feeds, which mention "malware", "fraudsters" and astronomical sums of money more and more often. But even this does not give a complete picture: information about the majority of cases remains unavailable to the public (because of the imperfection of Russian legislation, a company is not obliged to disclose leaks of personal data). It should also be understood that information in the press is rarely detailed; it describes an incident in general terms without specifics, so the reader does not connect what is happening with real life. The case described below happened quite recently at a Russian company, whose representative approached us, as a developer of information security solutions, for help in investigating the incident and shared the information.

I managed to talk to the system administrator of the company, which only through sheer luck did not lose a million rubles; the script of this incident is more like the plot of a film about hackers than events that happened in real life. For obvious reasons, the system administrator chose to remain anonymous.

Target: the bank's client


The victim in this case was very nearly a Moscow-based company which is a client of one of the major banks. The reason the attackers were interested in this company is its use of the remote banking services (RBS, e-banking) provided by the bank. One of the machines in the company's computer park was used for regular access to the bank's RBS system, and it was this computer that was attacked.

Despite the antivirus installed on the system (from a well-known manufacturer, by the way), the malicious code was introduced and executed without any obstacles. This is a rather striking example of how signature-based detection fails against targeted attacks and zero-day threats.

The date of the attack was not chosen by chance either: it all happened on 29 December, right before the New Year holidays. Had the attackers managed to carry out their plan, the loss would not have been noticed for at least another ten days.

Attack scenario


Unfortunately, we could not find out how the malicious application got onto the victim machine. But it can be asserted with some confidence that it could not have been done without an insider. One piece of evidence is the uniqueness of the malicious code, which antivirus software did not detect (and which, accordingly, was not in the antivirus databases). Had it been a mass attack, it would have been noticed quickly enough; the malware signature would have been added to the databases almost the next day, after which the attackers' plan would have failed.

Accordingly, there had to be someone who had information about this company's use of RBS, the approximate amounts involved, and possibly even the information security tools in use.

Given the possible participation of an insider in the incident, the malware could have got onto the system in any way at all: sent by e-mail from a trusted sender, brought in on a flash drive by one of the clients, or even launched on the machine by the insider by hand.

Whether the Trojan was controlled remotely or worked autonomously is unknown. It is only known that the Trojan worked according to the following scenario:
Wait for the moment when the system key (a certificate issued by the bank, stored on external media) is connected
Read the key
Read the username and password for access to the RBS
Send a request to transfer money to the attacker's account: an attempt to withdraw about one million rubles (in the case of autonomous operation, simply send all the data to the attacker)
Download an application called kill.exe, which removes the traces of the malware very crudely, by killing the whole system (the application creates a file in the driver directory which, when the system tries to read it, makes the system crash)

The attacker's further actions could only be discovered after the attacked machine had been recovered from the failure, and then only from the logs left on the proxy server. The company was saved from losing a large sum of money by a fluke: the attacker tried to withdraw a fixed amount which was not in the account, since employees' salaries had been paid shortly before.
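The proxy server logs were the only trace the incident left, and the scenario above has a pattern that such logs can reveal: a workstation that talks to the remote-banking host and, minutes later, downloads an executable such as kill.exe. The following detector is an added example written for this article, not code from the original post or from the company involved. The log format, the hostnames, the addresses and the sample log lines are all constructed for the demonstration; the bank host and the detection window are assumptions.

```python
"""Flag workstations that download an executable shortly after an RBS session.

Added example, not from the original post. Runs over constructed proxy log
lines in an assumed format:  <ISO timestamp> <client ip> <method> <url> <status>
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Assumption: hostname(s) of the bank's remote-banking (RBS) service.
RBS_HOSTS = {"rbs.example-bank.test"}
# File extensions treated as executable payloads worth flagging.
EXE_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed sample log lines (10.0.0.15 plays the attacked RBS workstation).
SAMPLE_LOG = """\
2010-12-29T10:02:11 10.0.0.15 CONNECT rbs.example-bank.test:443 200
2010-12-29T10:03:40 10.0.0.15 GET http://dl.unknown-host.test/kill.exe 200
2010-12-29T10:05:00 10.0.0.22 GET http://updates.vendor.test/setup.exe 200
2010-12-29T11:30:00 10.0.0.15 GET http://news.example.test/index.html 200
"""


def host_of(url: str) -> str:
    """Extract the host from a full URL or from a CONNECT 'host:port' target."""
    if "://" in url:
        return urlparse(url).hostname or ""
    return url.split(":")[0]


def parse_line(line: str):
    """Return (timestamp, client, method, url, status) or None for a bad line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return datetime.fromisoformat(ts), client, method, url, int(status)


def find_suspicious(log_text: str, window: timedelta = timedelta(minutes=15)):
    """List (client, url) pairs: executables fetched within `window` of RBS use.

    A download by a client that never contacted the RBS host is not flagged;
    the point is the sequence (banking session, then executable), not the
    download alone.
    """
    last_rbs = {}   # client ip -> time of its most recent RBS contact
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _method, url, status = rec
        if host_of(url) in RBS_HOSTS:
            last_rbs[client] = ts
            continue
        path = urlparse(url).path.lower() if "://" in url else ""
        if status == 200 and path.endswith(EXE_SUFFIXES):
            seen = last_rbs.get(client)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {client} fetched {url} shortly after an RBS session")
```

On the sample data only 10.0.0.15 is reported: it fetched kill.exe ninety seconds after connecting to the bank host, while 10.0.0.22's setup.exe download has no preceding banking session and is ignored. A real deployment would need the proxy's actual log format and the bank's real hostnames, and the window would be tuned to how long a signing session normally lasts.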

How many times the world has been told


This incident is not the first and certainly not the last in the history of cybercrime. That the company's finances were saved by chance is just a well-established fact. Not everyone has been so lucky: according to the system administrator, another partner company became a victim of fraud, and a sum six times larger was withdrawn from its account. Now the only hope is a successful outcome of the investigation.
Added by: w1zard