Hackers unleash cash transfer software
Posted Thursday, June 21 2012 at 20:15
The software is expected to significantly increase the level of cyber-theft or computer-related fraud in markets such as Kenya where online fraud has been growing steadily and commercial banks are estimated to lose Sh3 billion to smart thieves every year.
Those transfers can be time-consuming, and the hacker has to think about how much can be sent out at once without drawing attention. Multiple, smaller transfers are preferable but take more time.
For the past year or more, some variants have also captured one-time passwords sent from the banks by text messages to client cell phones as an added security measure. But in those cases, a hacker had to be online within 30 or 60 seconds in order to use the one-time password.
The new software allows the criminal to siphon money out while he sleeps.
It could significantly increase the number of hacked accounts and the speed with which they are drained.
Brett Stone-Gross, a senior security researcher with Dell Inc unit Dell SecureWorks, said thieves “will be able to extract more money” with automation.
But he also said the landscape might not be transformed by the development, because the main limiting factor for crime groups is the number of accomplices, known as money mules, that they can hire to accept transfers from victim accounts. Automation will not lessen the need for mules, Stone-Gross said.
Trend Micro spoke online with sellers of the automated transfer modules who were based in Russia, Ukraine and Romania, where arrests and prosecutions are rare. Kellerman said the new software costs between $300 and $4,000 on top of the basic thieving tools, with customised jobs costing still more.
So far, the company has seen it run only on top of Microsoft Corp’s Windows operating system, which is by far the most common for personal computers.
Recent versions of SpyEye and Zeus can present fake account balances to individual bank customers, so they might not realise their savings are being drained until too late.
Kellerman recommended that banks move more toward “out-of-band” authentication, such as direct phone calls to confirm online transfers.
In the US, financial regulators last June also called for such checks and urged banks to explore newer technologies to combat Internet fraudsters.
The Serianu IT security report lists bank account, credit card and debit card details as the data most sought after by cyber criminals.
“During our research, we came across a credit card shop that was selling credit card data issued by banks located in Kenya,” Mr Makatiani said, adding that government websites and banking institutions remain the most vulnerable targets.
The report says, without disclosing the damage caused, that 103 government websites were hacked into in February alone.
“Between January and April 2012, a number of Kenyan websites were compromised by cyber criminals,” said Mr Makatiani.
“Most of the sites had employed some application functionality, allowing customers to access sensitive account information, upload documents or perform transactions,” he said.