01 February 2013
A brutal war is raging in cyber space as sophisticated criminal gangs seek to harness the power of smart devices and next-generation networks to siphon data – and cash – from big business. Richard Irving finds out how service operators are fighting back.
At precisely 12.43pm on July 19 last year, an
anonymous computer hacker penned the final lines of code on a
devastating new programme that went on to siphon more than $46
million from bank accounts across Italy, Spain, Germany and The
The audacious heist, which targeted at least 30,000
business and retail customers from 33 banks, is the largest
fraud ever to specifically target smartphone users and is
likely to raise fresh concerns over the safety of
Forensic investigators found the telltale time stamp
as they painstakingly unpicked the malicious software, or
malware, behind the raid, subsequently dubbed
The robbers used a sophisticated new version of a
programme called Zeus, named after the Greek god of all gods,
which first came to light in July 2007 in an attack on the
US’s Department of Transportation and which is
freely available on the black market today for as little as
The software burrows its way deep into a computer
where it hides, undetected, until the user logs in to a bank
website. At that point it wakes up, intercepting the process by
asking the victim to download a new security application to
their mobile phone in order to complete the login.
In reality, the bogus app is a spin-off of the Zeus Trojan,
known as Zeus in the Mobile, or Zitmo, and once it worms its way
onto the phone’s operating system, it takes over.
Part of the programme orders the victim’s computer
to make unauthorised bank transfers and part of the malware
intercepts corresponding security texts from the bank,
replacing them with automatic transaction approvals.
Attacks using so-called mobile malware are still rare
but Eurograbber is worrying because it marks the first time
that criminals have been able to use smartphones to circumvent
the two-stage authentication process that many banks use in
Perhaps more alarmingly, the raid was coordinated across
Android, iPhone and Blackberry devices, dispelling a long-held
notion that Blackberry’s operating system in
particular is relatively immune to attack.
Cyber security is fast
becoming a big business play for communications providers, as
they look to upsell some of the bruising lessons they have
learned in the war on cyber crime to their own enterprise
Late last year, AT&T put a key marker down when
the carrier forecast that the market could be worth $40 billion
a year in the future. Speaking to Wall Street investors at a
Morgan Stanley TMT conference, Frank Jules, president of the
group’s global enterprise unit, conceded that
attacks on AT&T’s own network had doubled in
the past four months.
"Every major chief information officer that I meet wants to
talk about security. We see attacks on a daily basis and they
are now getting smaller instead of coming in huge waves, which
were easier for us to detect," he said. The enterprise chief
believes that spending on cyber security will double or even
triple in the coming years, creating a $1 billion-a-year
business opportunity for the company.
A more sober estimate comes from Frost &
Sullivan, the US firm of analysts, which puts the market for
managed security services at around $15.6 billion by 2016, up
from $8 billion at the end of 2012. That is nevertheless a
large chunk of new revenue among service providers facing a
significant squeeze on their margins and largely reflects the
fact that stolen data now generates more revenue for criminal
elements than the worldwide trade in illegal drugs.
Interoute, one of Europe’s largest fibre
network providers, views security services slightly
differently. "Network providers are in the business of offering
the means to facilitate computing, data sharing and
communication and all of those things are more vulnerable than
ever before," says Mark Lewis, vice president of architecture
and development. "If we are going to convince people to give us
all of their IT infrastructure, then we have to be able to
assure them that we have sufficient defences to guarantee that
it’s going to work."
Fixed and mobile networks occupy something of a
unique space in the cyber battlefield. On the one hand, they
are critical cornerstones of both national and global
infrastructure and are therefore credible targets for
persistent attacks. So much so, in fact, that the US is pushing
to re-write the Geneva Convention in order to redefine a
state-sponsored attack on its telecoms systems as an act of
And on the other hand, they are beloved and
much-trusted consumer brands. And that, says Ciaran Bradley of
AdaptiveMobile, a Dublin-based consultancy specialising in
mobile network security, puts them in a very tricky position.
"When customers have a security issue with their PC, they
don’t get on the phone to Microsoft to switch
operating system. But mobile phone subscribers are as used to
paying for connectivity as they are for their phone. If they
experience a problem, they will go straight to the help desk
and if they think the network is at fault, they will terminate
their contract then and there."
estimate that at least one fifth of all smart devices are now
infected with malware of some sort and they warn that the
switch to 4G networks, combined with the launch of Internet
Protocol version 6 (IPv6), which provides an almost infinite
realm of new internet addresses behind which cyber criminals
can hide, will create a "fraudster’s heaven".
Moreover, mobile networks are intuitively more prone
to attack than PCs because they already boast a built-in
payment mechanism – it is easier to monetise an attack
on a phone than a computer because it is possible to trick a
handset into making silent calls or text messages to premium
Adrian Culley, a technical consultant for Damballa, a
US firm which develops network security systems, warns that the
threat to telecoms networks from odious malware is roughly
equivalent to the number of connections on that network,
Set against the context of rapid growth in
smartphones, the risks are indeed alarming. Forecasters at
Analysys Mason, for example, believe worldwide sales of
smartphones will jump from 691 million in 2012 to 869 million
this year. Moreover, handsets supporting iOS and Android
software will account for more than 80% of the entire market,
making them a credible and attractive target for criminal
elements that might have previously preferred to focus on
And if Ericsson’s forecasts for growth
in the machine-to-machine (M2M) market are right and the number
of connected devices swells to 50 billion by the end of the
decade, then the task facing security experts is indeed
mindboggling. "Any operating system can and will be attacked,"
says Culley. "There are a lot of very well financed hackers out
there who are working hard to exploit these systems."
His comments will chime with security sources that
are tracking the architect behind Zeus. Investigators believe
the software is marketed by a sophisticated group of cells
operating across Europe and the US. It is believed that at its
heart is a Russian developer who writes the source code and
then licenses the software to numerous criminal elements.
Various incarnations of Zeus are readily available –
in a single day in August 2011, for example, Microsoft
estimates that more than 167 million emails containing the
malware were sent out by the gang. But Zitmo appears to be
something of a premium offering which the programmer is thought
to have made available to only a select group of his top
'customers'. Investigators believe the software
sells for vast amounts of money and comes with a full
after-sales care package that promises to patch any bugs and
offers regular upgrades to stay ahead of the authorities.
So far efforts to bring the developer to book have
failed: the latest version of Zitmo emerged just two weeks
after Microsoft hailed a significant victory in the cyber war
against Zeus, bringing a civil lawsuit against what the
software giant claims were two senior lieutenants in the crime
ring and smashing two critical command and control servers.
Culley, who worked for several un-named government
agencies during a 12-year stint at the Metropolitan
Police’s computer crime unit, says Zitmo
highlights the challenge facing network operators trying to
protect their architectures from rogue attack. Criminals are
getting increasingly ambitious as networks become faster. Rogue
programmers are no longer interested in hacking their way into
commercial enterprises or developing viruses to paralyse
systems. Instead, they are looking to create highly
sophisticated tools that can avoid detection so that they can
go on to reoffend time and again.
"Malware is very difficult to find," says Culley. You
can treat viruses by reducing the world down to a list of good
code and bad code and gateway technologies can lock out most
hackers who try to get in through the back door, he explains.
But so-called "advanced threats" such as Zitmo are highly
complex pieces of computer code that often have many moving
parts, most of which are completely innocuous.
Moreover, the task will
get harder as the roll-out of 4G networks gathers pace. As
AdaptiveMobile’s Bradley explains, the good guys
will have to get better: "With 2G and 3G networks, you can
essentially inspect every single packet of data to ensure that
it’s not carrying a payload with security
implications. But that just isn’t going to be
possible with a 4G network – the sheer amount of
traffic flowing through the pipes will just be too great."
Instead, he explains, network operators will have to
employ behavioral analysis techniques that compare the way
traffic is actually running with how it should look if all were
well and how it might operate during a malicious attack.
Analysts can run such comparisons at the protocol level, which
means they do not have to gain access to proprietary source
One factor that security experts have been quick to
pounce on is that advanced threats need to be told when and
where to make their move. At Damballa, Culley’s
motto is simple: when malware talks, we listen. "The
interesting thing about rogue programmes like Zitmo is that
they have to phone home for instructions – and
that’s when we can pick up on them," he says.
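The two ideas in the passages above, comparing live traffic against how it should look if all were well, and catching malware at the moment it phones home for instructions, can be shown together in a small beacon detector. The code below is an added example written for this page; it is not code from the article or from Damballa, AdaptiveMobile or Interoute. It groups outbound connections by (source, destination, port) and flags pairs whose connections recur at near-constant intervals with near-constant payload sizes, which is the fingerprint of a scheduled check-in rather than of a person browsing. The flow records, the thresholds and the field layout are constructed for illustration and are assumptions, not values taken from any real network.

```python
"""Beacon detection over constructed flow records.

Added example (not from the article or any vendor it names). A "phone home"
check-in tends to recur on a timer with a small, fixed-size payload, whereas
human-driven traffic is bursty in both timing and size. The detector scores
each (src, dst, dport) pair on the regularity of its inter-connection
intervals and byte counts, using the coefficient of variation (CV).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not real traffic): "timestamp src dst dport bytes".
# 10.0.0.5 reaches 203.0.113.7 every ~5 minutes with ~612-byte requests,
# the shape of a beacon; its traffic to 198.51.100.20 is irregular browsing.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """
2013-01-15T09:00:00 10.0.0.5 203.0.113.7 443 612
2013-01-15T09:05:02 10.0.0.5 203.0.113.7 443 610
2013-01-15T09:09:59 10.0.0.5 203.0.113.7 443 614
2013-01-15T09:15:01 10.0.0.5 203.0.113.7 443 611
2013-01-15T09:20:00 10.0.0.5 203.0.113.7 443 613
2013-01-15T09:24:58 10.0.0.5 203.0.113.7 443 612
2013-01-15T09:01:13 10.0.0.5 198.51.100.20 443 48213
2013-01-15T09:01:40 10.0.0.5 198.51.100.20 443 9120
2013-01-15T09:07:55 10.0.0.5 198.51.100.20 443 220441
2013-01-15T09:18:02 10.0.0.5 198.51.100.20 443 1560
2013-01-15T09:18:09 10.0.0.5 198.51.100.20 443 73002
2013-01-15T09:26:30 10.0.0.5 198.51.100.20 443 3301
2013-01-15T09:03:00 10.0.0.9 198.51.100.20 80 4022
"""

# Assumed thresholds; a real deployment would tune these against a baseline.
MIN_CONNECTIONS = 5       # too few samples and regularity means nothing
MAX_INTERVAL_CV = 0.15    # inter-connection timing this regular is suspicious
MAX_SIZE_CV = 0.10        # payload sizes this uniform look machine-generated


def parse_flows(text):
    """Turn 'timestamp src dst dport bytes' lines into flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def coefficient_of_variation(values):
    """Population std-dev divided by the mean: 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_connections=MIN_CONNECTIONS,
                 max_interval_cv=MAX_INTERVAL_CV, max_size_cv=MAX_SIZE_CV):
    """Return one finding per (src, dst, dport) whose timing and sizes are
    both regular enough to look like a scheduled check-in."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)

    findings = []
    for (src, dst, dport), conns in groups.items():
        if len(conns) < min_connections:
            continue
        conns.sort(key=lambda f: f["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds()
                     for a, b in zip(conns, conns[1:])]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation([f["bytes"] for f in conns])
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(conns),
                             "mean_interval_s": mean(intervals),
                             "interval_cv": interval_cv,
                             "size_cv": size_cv})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"possible beacon {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every {hit['mean_interval_s']:.0f}s "
              f"(timing CV {hit['interval_cv']:.3f}, size CV {hit['size_cv']:.3f})")
```

On the constructed sample only the 203.0.113.7 pair is reported, at roughly 300-second intervals; the browsing to 198.51.100.20 has a timing CV near 0.8 and is ignored, and the single flow from 10.0.0.9 never reaches the minimum sample count. The point Bradley makes about 4G holds here too: nothing in the detector looks inside a packet, so it scales to traffic volumes where per-packet payload inspection does not, at the cost of needing a baseline and a few false positives from legitimate pollers such as software-update checks.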
A further complication
with the switch to 4G technology is that it will hasten the
trend for employees to access and manage work-related tasks on
their own smart devices – a phenomenon known as bring
your own device (BYOD). The inference, says Culley, is that a
company currently has some discretion to approve or reject the
devices that it will allow workers to use. But that will
change. "If they are not already, employees will soon be coming
to work with all manner of web-enabled consumables, from
Wi-Fi-ready credit cards to digital passports.
You’re not going to be able to stop devices such
as these entering the work space."
A growing concern is that so-called "hacktivists"
might harness the trend towards bringing powerful new smart
phones to the office in order to orchestrate distributed
denial-of-service (DDoS) attacks. A powerful device on a
high-speed 4G network could certainly do a lot of damage, and
it’s something that security experts are conscious
of, but so far, DDoS attacks on mobile networks are not well
"On a busy day, our network will catch more than a
dozen individual DDoS attacks," says Jeff Finch, security
services product manager at Interoute. "10 years ago, there
were probably around 880 specific malware threats to networks.
Today, there are more than 4.8 million." Such is the frequency
of attacks that you would probably have to go back a decade or
more to find a single 24-hour period during which Interoute did
not experience a specific malware threat.
Nowhere are these attacks more prevalent than among
the US’s target-prone banking sector. Last
September an Iranian group claiming to be the "Cyber Fighters
of Izz ad-Din al-Qassam" launched the largest DDoS attack ever
on Chase, Bank of America, Wells Fargo and UBS. The group held
good on a threat to launch a follow-up attack on the sector in
the week before Christmas, raising concerns that the DDoS
attack might be a smokescreen for a more malicious cyber attack
aimed at stealing funds while security experts were
If the banking community needs urgent help, then
service providers stand ready to step up to the plate with a
fast-expanding suite of security services. Last autumn, Level 3
entered the fray with a portfolio of anti-virus and intrusion
prevention devices as well as a specific service aimed at
helping customers ward off DDoS attacks.
Dale Drew, the service provider’s chief
security officer, says that the company has access to a
plethora of security threat data, enabling its experts to
identify and neutralise an attack before it reaches a
customer’s network. "We are in effect establishing
a new benchmark of security with a multi-layered portfolio of
protection that we believe is unparalleled in the industry," he
says. The initiative covers everything from the way the network
was originally designed and constructed in the ground to
proprietary protocols and algorithms that extend to the
Interoute is effectively going one step further,
focussing its security effort in the cloud. It offers a variety
of levels of protection from DDoS scans at the transport level
to firewall protection at the application level. Each layer
comes as a separate add-on service that can be tailored to the
needs of individual customers.
Finch says that it is entirely up to the customer to decide
what sort of cover it needs – different customers have
a different perception of what constitutes a "clean" connection
– but the onus will nevertheless continue to be on security
services providers to produce as clear a picture of the overall
threat as they possibly can.
It's a war out there, make no mistake, and the cyber army is
mustering its forces for a blitzkrieg that will accompany the
roll-out of 4G mobile networks. Commanding the dark forces are
a swathe of generals, or botnets – each of which
controls vast legions of internet-connected computers that they
have infiltrated without their owners’ knowledge.
Below we highlight the most wanted of 2013…
Often known as the "God of all botnets", Zeus is a
Trojan horse that squirrels its way into computers and steals
banking information. The malware spreads mainly through emails
and drive-by infections, where a computer can be attacked just
by visiting an already infected website. It is estimated that
close to 1,000 servers around the world are still sending out
Zeus infections into an unsuspecting world.
One of the fastest growing botnets of 2012, Citadel, and a
mobile offshoot known as Citmo, use similar computer code to
Zeus. Dubbed "Zeus on steroids", the botnet’s
developers harnessed their own marketing expertise, setting up
a members-only social networking site to serve as a help desk
and spurring a 20% increase in Citadel attacks during last
Cutwail, which is also known by the aliases Pushdo and Pandex,
is one of the most influential players in the distributed
denial-of-service (DDoS) sphere and is estimated to be
capable of sending more than 74 billion spam emails a day
– or 51 million every minute. The botnet has been
known to attack, among others, the FBI, CIA, Twitter, Paypal
One of the cheaper versions of malware now available,
SpyEye also targets banking information. It is especially
pernicious because it tricks the victim into thinking that
their money is still safe by generating bogus bank statements.
It is estimated that around 300 servers are still pushing out
Also known as TDL-4 or TDSS, Alureon is a type of gamekeeper
turned poacher. Once installed in a computer, it first hunts
out, then destroys, competing malware, then intercepts network
traffic, looking for usernames, passwords and credit card data.
Variations of the virus can spoof popular websites and it is
estimated that 1 in 10 of the US’s Fortune 500
companies is still infected.