Banks and financial institutions are well aware of the risks posed by malicious cyber activity. However, because most of this activity takes place in underground forums, few institutions recognize how rapidly the threat environment has evolved. And the risks are growing. In the past year, the number of accounts compromised by credential theft and fraudulent transactions tripled. Losses from account takeovers topped $5 billion in 2017, according to the research firm Javelin, up 120% from the previous year.
Across the deep and dark web, the maturation of the cyber underground has given rise to a sophisticated ecosystem in which niche players with specialized skills collaborate on different stages of a variety of cyber attacks, with some offering a complete as-a-service bundle for their particular specialty. There are marketplaces to sell tools and techniques, “libraries” and chat rooms to share knowledge and information, digital wallets to store stolen funds, and even unofficial mediators to referee and adjudicate disputes.
That maturation is raising the attackers’ skill base. Unless banks make a concerted effort to address this activity, they and their customers are likely to become increasingly vulnerable.
Sidebar: Unpacking the three stages of the account takeover
In the first stage of the takeover process, cybercriminals target a customer’s account login credentials. Methods include phishing, banking Trojan malware, brute force tools that target online banking platforms, and social engineering such as hoax phone calls in which hackers pretend to be bank representatives. Most of these attacks rely on human error to succeed: sloppy password practices, failure to notice subtle changes in a bank’s URL, and social engineering lures that trick victims into opening an innocent-seeming email or downloading malware.
The second stage involves accessing the compromised accounts and moving funds to drop accounts. To get inside the customer’s account, the attacker must circumvent bank security controls such as two-factor authentication and the anomaly detection tools that block suspicious login attempts. Methods include SIM swaps (taking control of the legitimate client's phone number), associating rogue phone numbers with the bank account, social engineering, SMS-grabbing malware, cloning phone identifiers, and more.
The third stage is the cash out. Methods include ATM withdrawals, purchasing digital currencies, transferring funds to online payment platforms, or buying goods or gift cards. Often the money is sent through mules, some witting and others not, to cover tracks and funnel the funds to the final drop account. After taking a cut, the threat actor in charge of the cash out dispenses the funds to the “client” (the fraudster who retained the service), with clean, untraceable Bitcoin being a favorite medium.
The Growing Account Takeover Threat
Here are four reasons that bank account takeover activity is likely to rise.
1. The underground has given rise to a specialist ecosystem. Far from a Wild West, the underground has emerged as a highly organized global network. There are coders who develop malware, data miners who make sense of the stolen data for ease of sale, money specialists who identify ways to profit from the data, and network administrators who manage compromised systems that spread malicious payloads. The ecosystem model means that threat actors no longer need to manage the whole takeover on their own.
For banks, it means that greater firepower is being trained against them. BlueVoyant’s threat intelligence practice tracks activity and criminal actors across the cyber underground. Anas47 is one of them. His end-to-end fraud-as-a-bundle phishing package is capable of disseminating tens of thousands of phishing emails that come from legitimate-looking IPs using a dedicated proxy service. In chatroom dialog, he touts the bundle by saying, “Why do you want to do it yourself? I have all the required tools. You just need to buy the VIP” (a proxy service used by many cyber criminals).
Anas47 notes that he sends “20,000 emails every day” from which he usually nets the credentials of “30 people.” That 0.15% success rate can generate handsome returns in the form of a bank account holder’s full name, date of birth, PayPal credentials, credit-card numbers, Verified by Visa details and other information. The cost to buy his kit is a modest $41. The economies of scale for Anas47 are nonetheless attractive, since it’s easy enough for skilled threat actors like him to churn and rechurn campaigns, refreshing mailing lists and making slight messaging changes as they go.
Anas47 is just one player in a crowded field. Sleek-looking schemes, such as the Advanced Banking Phishing Kit offered by an operator in another highly vetted Russian underground forum, are popular, since they include polished, legitimate-seeming online banking pages that can trick bank customers into entering their personal information.
These lookalike pages are registered under imposter domains, with URLs that mimic legitimate bank names. The ease and scale with which such attacks can be automated and mounted all but guarantees that a certain percentage of bank customers will fall prey.
2. Threat actors often opt for basic, low-cost tools. While sophisticated tools are readily available, many threat actors intentionally choose simple methods for their low cost and effectiveness. JuniorCosta, active in a Brazilian instant messaging underground group, says he prefers less technical methods when it comes to the two-factor authentication workarounds that are his specialty, such as SIM swaps that take control of a user’s SIM card and tricks that involve associating his mobile number with the compromised account. These methods “take more time,” he explains, than more technical methods like SMS-grabbing malware, “but are more certain.”
Likewise, brute force attacks have been around for ages, but automated tools now make it easier and faster for hackers to crunch through thousands of password combinations, often relaying requests through open proxy servers so that each request appears to come from a different IP address and avoids being flagged or locked out by bank controls. These tools can be created, sold and deployed stunningly fast. On August 7, 2017, a Russian threat actor named Coco began trafficking brute force tools for various US banks. Six days later, one of the US banks on that tool's target list spotted such an attack and reported it to us.
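As an added illustration (not from the original article or BlueVoyant’s tooling), the detection side of the proxy-relayed brute force described above: the constructed auth log, its “timestamp user result ip” layout, the thresholds and the function names are all assumptions. The point is that a per-IP lockout never fires when every attempt arrives from a different proxy, whereas counting failures per account across all source IPs still does.

```python
"""Account-centric detection of distributed brute-force logins. Constructed
example, not BlueVoyant code: failures are counted per account across all
source IPs in a sliding window, then a success after a flagged burst is reported."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log; the "timestamp user result ip" layout is assumed.
SAMPLE_LOG = """\
2017-08-13T09:00:01 alice FAIL 203.0.113.10
2017-08-13T09:00:04 alice FAIL 198.51.100.7
2017-08-13T09:00:07 alice FAIL 192.0.2.55
2017-08-13T09:00:09 alice FAIL 203.0.113.91
2017-08-13T09:00:12 alice FAIL 198.51.100.200
2017-08-13T09:00:15 alice OK 192.0.2.9
2017-08-13T09:10:00 carol FAIL 192.0.2.77
2017-08-13T09:10:30 carol FAIL 192.0.2.77
2017-08-13T09:11:00 carol OK 192.0.2.77
"""
def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events
def find_distributed_bruteforce(events, window=timedelta(minutes=5),
                                max_fail=4, min_ips=3):
    """Flag accounts with >= max_fail failures from >= min_ips distinct IPs
    inside any `window`; no single IP has to trip a lockout for this."""
    per_user = defaultdict(list)
    for ts, user, result, ip in events:
        if result == "FAIL":
            per_user[user].append((ts, ip))
    flagged = {}
    for user, fails in per_user.items():
        fails.sort()
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:  # slide the window forward
                start += 1
            chunk = fails[start:end + 1]
            ips = {ip for _, ip in chunk}
            if len(chunk) >= max_fail and len(ips) >= min_ips:
                flagged[user] = {"failures": len(chunk),
                                 "distinct_ips": len(ips), "last_fail": ts}
    return flagged
def success_after_burst(events, flagged):
    """Flagged accounts that then logged in OK: the credential was likely guessed."""
    return sorted({u for ts, u, r, _ in events
                   if r == "OK" and u in flagged and ts >= flagged[u]["last_fail"]})
```

carol’s two failures from one address stay under the thresholds, so only the alice burst and its subsequent successful login are reported.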
3. The combination of digital networks and human runners has made it easier for cyber criminals to move large amounts of stolen funds without raising suspicion. “Lixkill,” for instance, employs teams of runners or “mules” to conduct physical ATM cash withdrawals in Canada, the U.S. and Australia. Mules then deposit the money into “clean” accounts managed by Lixkill. He is careful to keep the transfers to a daily maximum and sometimes even splits deposits among several accounts to prevent bank systems from flagging them as suspicious. For his services, he charges 50% of the stolen funds, then sends the rest back in Bitcoin, which is "clean", untraceable and ready to use. The whole thing “takes three-to-five days,” he said.
4. Insiders are another worry: Jmoney579, a British threat actor in an English-Russian speaking forum, claims to have an insider who is a manager in a British bank who can facilitate the cashout phase. “I’ve got a manager who can attach payees onto the log and I can transfer from the log into the payee drop,” he says. A UK instant messaging underground group is populated with many English threat actors. “Shane Munroe” is looking for insiders with compromised accounts and would like to meet face to face to build trust. “YL Fundz” claims to have insiders at several major UK banks and is looking for logins to cashout. These are just a handful of the threat actors who deal with insiders, populating underground communities globally.
What can banks do in response?
To thwart takeover activity, banks need to start by beefing up basic security practices. While financial institutions regularly train employees on smart password practices, such training often lacks bite. Banks need to step up enforcement and mandate strict password complexity requirements while embracing tools that make it easier for employees and customers to manage and update their passwords regularly.
In-app and in-platform security controls can help banks reduce the risk of credential theft. Banks should deploy anti-bot and anomaly detection security controls in all public-facing services. Those controls include anti-session hijacking, anti-caching, secure key generation and management, along with end-to-end encryption. Secure Virtual Keyboards can also help mitigate keylogging and related credential theft techniques.
Two-factor authentication on login for all public-facing services is crucial. We recommend banks use out-of-band (OOB) two-factor authentication, which sends the authentication request through a separate communication channel, rather than relying solely on SMS. A software token sent to an authenticator application on a customer’s smartphone, for instance, would render an attempted SIM swap useless. Biometric voiceprint and fingerprint solutions and key fobs that generate random two-factor authentication codes are other effective methods.
Finally, banks should regularly employ anti-money laundering monitoring activities and strictly enforce document authenticity verifications to prevent forged documents from being used to open drop accounts.
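An added example, not from the original article or BlueVoyant’s tooling, of the kind of anti-money laundering check that targets the cash-out pattern described under point 3 (deposits kept under a daily maximum and split among several accounts): the deposit records, the depositor linkage key, the threshold value and the function names are all assumptions.

```python
"""Linked-account structuring check on cash deposits. Constructed example, not
BlueVoyant code: deposits sharing a linkage key (here the depositor identity,
an assumption) are summed per day across every receiving account, and accounts
that repeatedly take deposits just under the limit are surfaced separately."""
from collections import defaultdict

DAILY_LIMIT = 10_000  # assumed example threshold, not a regulatory figure

# Constructed deposits: (date, receiving_account, depositor_id, amount)
SAMPLE_DEPOSITS = [
    ("2017-08-14", "ACC-1", "mule-A", 4_800),
    ("2017-08-14", "ACC-2", "mule-A", 4_900),
    ("2017-08-14", "ACC-3", "mule-A", 4_700),  # one runner, three accounts
    ("2017-08-14", "ACC-9", "cust-Z", 2_500),  # ordinary customer deposit
    ("2017-08-15", "ACC-1", "mule-B", 9_800),
    ("2017-08-16", "ACC-1", "mule-B", 9_900),
    ("2017-08-17", "ACC-1", "mule-B", 9_700),  # repeated just-under deposits
]

def linked_daily_totals(deposits):
    """Sum deposits per (date, depositor) across all receiving accounts."""
    totals = defaultdict(lambda: {"total": 0, "accounts": set()})
    for date, acct, dep, amt in deposits:
        totals[(date, dep)]["total"] += amt
        totals[(date, dep)]["accounts"].add(acct)
    return totals

def flag_split_deposits(deposits, limit=DAILY_LIMIT):
    """Depositors whose same-day total, spread over more than one receiving
    account, exceeds `limit` even though no single account shows it."""
    hits = []
    for (date, dep), v in sorted(linked_daily_totals(deposits).items()):
        if v["total"] > limit and len(v["accounts"]) > 1:
            hits.append((date, dep, v["total"], sorted(v["accounts"])))
    return hits

def flag_just_under(deposits, limit=DAILY_LIMIT, band=0.9, min_days=3):
    """Receiving accounts taking deposits in the top `band` of the limit on at
    least `min_days` distinct days: the 'keep to a daily maximum' pattern."""
    days = defaultdict(set)
    for date, acct, _dep, amt in deposits:
        if band * limit <= amt < limit:
            days[acct].add(date)
    return sorted(a for a, d in days.items() if len(d) >= min_days)
```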
The examples reported here represent a fraction of what we see in the cyber underground. From our ongoing intelligence-gathering, it is clear that banks and others are becoming increasingly vulnerable to account takeovers. It’s crucial that financial institutions understand the evolving threat landscape and move quickly and in a concerted way to put appropriate protections in place.
About the authors: the BlueVoyant Threat Intelligence team