Hackers unleash cash transfer software

Two of the most pervasive and dangerous types of software for stealing money from bank accounts have been improved and can now transfer money automatically without a hacker’s supervision, researchers have warned.

The latest variants of the widespread SpyEye and Zeus programmes have already stolen as much as 13,000 euros at a time from a single account and are in early stages of deployment, according to investigators at Trend Micro Inc, a Japan-based security company that has many banks as customers.

The software is expected to significantly increase the level of cyber-theft or computer-related fraud in markets such as Kenya where online fraud has been growing steadily and commercial banks are estimated to lose Sh3 billion to smart thieves every year.

A recent industry report by Serianu — an IT security consulting firm — found that the high level of exposure by Kenyan companies arises from the fact that most do not update their software in tandem with those of software vendors such as Microsoft and Oracle.

IT security experts said the latest bank fraud software has unique capabilities such as the ability to squat in a local computer and stealing money from a local bank for transfer to a foreign bank account without leaving a trace.

That means any attempt to unravel the fraud would lead investigators to a local computer, whose owner or operator may not know that their machine had been used to commit a crime.

Trend Micro vice-president Tom Kellerman told Reuters that his company’s researchers had seen the new attacks on a dozen financial institutions in Germany, the United Kingdom and Italy.

That is troubling because European banks generally have greater technology defences than those in the US and other parts of the world, and Kellerman said it is “inevitable” that the variants will cross the Atlantic.

The new code has the potential to dramatically escalate the amount being stolen from accounts and a years-old arms race between the banks and criminal groups that are often based in Eastern Europe.

“This has tremendous implications,” especially as Americans move toward banking by phone, said Kellerman. “This attack toolkit ushers in a new era of bank heists.”

Like other security companies, Trend Micro profits by selling software and services to institutions and consumers worried about online spying and account takeovers.

Though written and controlled by different groups, SpyEye and Zeus share the ability to be installed on computers that visit malicious websites or legitimate pages that have been compromised by hackers. Both programmes are sold in the burgeoning underground hacking economy, where they can be customised or improved with additional modules like those just discovered.

The programmes already have used a technique called “web injection” to generate new entry fields when victims log on to any number of banks or other sensitive websites.

Instead of seeing a bank ask for an account number and password, for example, a victimised user sees requests for both of those and an ATM card number.

Everything typed in then gets whisked off to the hacker, who later signs in and transfers money to an accomplice’s account.

Those transfers can be time-consuming, and the hacker has to think about how much can be sent out at once without drawing attention. Multiple, smaller transfers are preferable but take more time.

For the past year or more, some variants have also captured one-time passwords sent from the banks by text messages to client cell phones as an added security measure. But in those cases, a hacker had to be online within 30 or 60 seconds in order to use the one-time password.

The new software allows the criminal to siphon money out while he sleeps.

It could significantly increase the number of hacked accounts and the speed with which they are drained.

Brett Stone-Gross, a senior security researcher with Dell Inc unit Dell SecureWorks, said thieves “will be able to extract more money” with automation.
But he also said the landscape might not be transformed by the development, because the main limiting factor for crime groups is the number of accomplices, known as money mules, that they can hire to accept transfers from victim accounts. Automation will not lessen the need for mules, Stone-Gross said.

Trend Micro spoke online with sellers of the automated transfer modules who were based in Russia, Ukraine and Romania, where arrests and prosecutions are rare. Kellerman said the new software costs between $300 and $4,000 on top of the basic thieving tools, with customised jobs costing still more.

So far, the company has seen it run only on top of Microsoft Corp’s Windows operating system, which is by far the most common for personal computers.

Recent versions of SpyEye and Zeus can present fake account balances to individual bank customers, so they might not realise their savings are being drained until too late.

Kellerman recommended that banks move more toward “out-of-band” authentication, such as direct phone calls to confirm online transfers.

In the US, financial regulators last June also called for such checks and urged banks to explore newer technologies to combat Internet fraudsters.

The Serianu IT security report lists bank account, credit and debit card details as the most looked for data by cyber criminals.

“During our research, we came across a credit card shop that was selling credit card data issued by banks located in Kenya,” Mr Makatiani said adding that government websites and banking institutions remain the most vulnerable targets.

The report says that in February alone 103 government websites were hacked into without disclosing the damage caused.

“Between January and April 2012, a number of Kenyan websites were compromised by cyber criminals,” said Mr Makatiani.

“Most of the sites had employed some application functionality, allowing customers to access sensitive account information upload documents or perform transaction,” he said.

Last year, Deloitte East Africa released a report indicating that the majority of East African firms are not compliant with international standards for electronic payments exposing them to high levels of ATM-related robberies and fraud cases.

Another survey by PricewaterCoopers (PwC) Global Economic crime survey found that countries such as Kenya, South Africa and UK had recorded a 40 per cent increase in fraud cases in 2011 threatening the drive towards a cashless economy.

Latest Central Bank of Kenya (CBK) data shows that the value of plastic card transactions in Kenya jumped 40 per cent to Sh214 billion in the first three months of 2012, despite rising insecurity and fraud cases.

The CBK data indicates that the number of cards in circulation rose to 9.6 million in March 2012 up from 8.2 million in March 2011, benefiting from a growing middle class in the country that is increasingly using plastic money in place of cash. Debit cards were the most popular among consumers accounting for about 82 per cent of transacted values.