Service providers fighting back against fraud
A brutal war is raging in cyber space as sophisticated criminal gangs seek to harness the power of smart devices and next-generation networks to siphon data – and cash – from big business. Richard Irving finds out how service operators are fighting back.
At precisely 12.43pm on July 19 last year, an anonymous computer hacker penned the final lines of code on a devastating new programme that went on to siphon more than $46 million from bank accounts across Italy, Spain, Germany and The Netherlands.
The audacious heist, which targeted at least 30,000 business and retail customers from 33 banks, is the largest fraud ever to specifically target smartphone users and is likely to raise fresh concerns over the safety of next-generation networks.
Forensic investigators found the telltale time stamp as they painstakingly unpicked the malicious software, or malware, behind the raid, subsequently dubbed "Eurograbber".
The robbers used a sophisticated new version of a programme called Zeus, named after the Greek god of all gods, which first came to light in July 2007 in an attack on the US’s Department of Transportation and which is freely available on the black market today for as little as $3,000.
The software burrows its way deep into a computer where it hides, undetected, until the user logs in to a bank website. At that point it wakes up, intercepting the process by asking the victim to download a new security application to their mobile phone in order to complete the login.
In reality, the bogus app is a spin-off of the Zeus Trojan, known as Zeus in the Mobile, or Zitmo and once it worms its way onto the phone’s operating system, it takes over. Part of the programme orders the victim’s computer to make unauthorised bank transfers and part of the malware intercepts corresponding security texts from the bank, replacing them with automatic transaction approvals.
Attacks using so-called mobile malware are still rare but Eurograbber is worrying because it marks the first time that criminals have been able to use smartphones to circumvent the two-stage authentication process that many banks use in money transfers.
Perhaps more alarmingly, the raid was coordinated across Android, iPhone and Blackberry devices, dispelling a long-held notion that Blackberry’s operating system in particular is relatively immune to attack.
On the minds of CIOs
Cyber security is fast becoming a big business play for communications providers, as they look to upsell some of the bruising lessons they have learned in the war on cyber crime to their own enterprise customers.
Late last year, AT&T put a key marker down when the carrier forecast that the market could be worth $40 billion a year in the future. Speaking to Wall Street investors at a Morgan Stanley TMT conference, Frank Jules, president of the group’s global enterprise unit, conceded that attacks on AT&T’s own network had doubled in the past four months.
"Every major chief information officer that I meet wants to talk about security. We see attacks on a daily basis and they are now getting smaller instead of coming in huge waves, which were easier for us to detect," he said. The enterprise chief believes that spending on cyber security will double or even triple in the coming years, creating a $1 billion-a-year business opportunity for the company.
A more sober estimate comes from Frost & Sullivan, the US firm of analysts, which puts the market for managed security services at around $15.6 billion by 2016, up from $8 billion at the end of 2012. That is nevertheless a large chunk of new revenue among service providers facing a significant squeeze on their margins and largely reflects the fact that stolen data now generates more revenues to criminal elements than the worldwide trade in illegal drugs.
Interoute, one of Europe’s largest fibre network providers, views security services slightly differently. "Network providers are in the business of offering the means to facilitate computing, data sharing and communication and all of those things are more vulnerable than ever before," says Mark Lewis, vice president of architecture and development. "If we are going to convince people to give us all of their IT infrastructure, then we have to be able to assure them that we have sufficient defences to guarantee that it’s going to work."
Fixed and mobile networks occupy something of a unique space in the cyber battlefield. On the one hand, they are critical cornerstones of both national and global infrastructure and are therefore credible targets for persistent attacks. So much so, in fact, that the US is pushing to re-write the Geneva Convention in order to redefine a state-sponsored attack on its telecoms systems as an act of war.
And on the other hand, they are beloved and much-trusted consumer brands. And that, says Ciaran Bradley of AdaptiveMobile, a Dublin-based consultancy specialising in mobile network security, puts them in a very tricky position. "When customers have a security issue with their PC, they don’t get on the phone to Microsoft to switch operating system. But mobile phone subscribers are as used to paying for connectivity as they are for their phone. If they experience a problem, they will go straight to the help desk and if they think the network is at fault, they will terminate their contract then and there."
Reason to be alarmed?
Security analysts estimate that at least one fifth of all smart devices are now infected with malware of some sort and they warn that the switch to 4G networks, combined with the launch of Internet Protocol version 6 (IPv6), which provides an almost infinite realm of new internet addresses behind which cyber criminals can hide, will create a "fraudster’s heaven".
Moreover, mobile networks are intuitively more prone to attack than PCs because they already boast a built-in payment mechanism – it is easier to monetise an attack on a phone than a computer because it is possible to trick a handset into making silent calls or text messages to premium rate numbers.
Adrian Culley, a technical consultant for Damballa, a US firm which develops network security systems, warns that the threat to telecoms networks from odious malware is roughly equivalent to the number of connections on that network, squared.
Set against the context of rapid growth in smartphones, the risks are indeed alarming. Forecasters at Analysys Mason, for example, believe worldwide sales of smartphones will jump from 691 million in 2012 to 869 million this year. Moreover, handsets supporting iOS and Android software will account for more than 80% of the entire market, making them a credible and attractive target for criminal elements that might have previously preferred to focus on windows-based PCs.
And if Ericsson’s forecasts for growth in the machine-to-machine (M2M) market are right and the number of connected devices swells to 50 billion by the end of the decade, then the task facing security experts is indeed mindboggling. "Any operating system can and will be attacked," says Culley. "There are a lot of very well financed hackers out there who are working hard to exploit these systems."
His comments will chime with security sources that are tracking the architect behind Zeus. Investigators believe the software is marketed by a sophisticated group of cells operating across Europe and the US. It is believed that, at its heart is a Russian developer who writes the source code and then licenses the software to numerous criminal elements.
Various incarnations of Zeus are readily available – in a single day in August 2011, for example, Microsoft estimates that more than 167 million emails containing the malware were sent out by the gang. But Zitmo appears to be something of a premium offering which the programmer is thought to have made available to only a select group of his top ‘customers’. Investigators believe the software sells for vast amounts of money and comes with a full after-sales care package that promises to patch any bugs and offers regular upgrades to stay ahead of the authorities.
So far efforts to bring the developer to book have failed: the latest version of Zitmo emerged just two weeks after Microsoft hailed a significant victory in the cyber war against Zeus, bringing a civil law suit against what the software giant claims were two senior lieutenants in the crime ring and smashing two critical command and control servers.
Culley, who worked for several un-named government agencies during a 12-year stint at the Metropolitan Police’s computer crime unit, says Zitmo highlights the challenge facing network operators trying to protect their architectures from rogue attack. Criminals are getting increasingly ambitious as networks become faster. Rogue programmers are no longer interested in hacking their way into commercial enterprises or developing viruses to paralyse systems. Instead, they are looking to create highly sophisticated tools that can avoid detection so that they can go on to reoffend time and again.
"Malware is very difficult to find," says Culley. You can treat viruses by reducing the world down to a list of good code and bad code and gateway technologies can lock out most hackers who try to get in through the back door, he explains. But so-called "advanced threats" such as Zitmo are highly complex pieces of computer code that often have many moving parts, most of which are completely innocuous.
4G security fears
Moreover, the task will get harder as the roll-out of 4G networks gathers pace. As AdaptiveMobile’s Bradley explains, the good guys will have to get better: "With 2G and 3G networks, you can essentially inspect every single packet of data to ensure that it’s not carrying a payload with security implications. But that just isn’t going to be possible with a 4G network – the sheer amount of traffic flowing through the pipes will just be too great."
Instead, he explains, network operators will have to employ behavioral analysis techniques that compare the way traffic is actually running with how it should look if all were well and how it might operate during a malicious attack. Analysts can run such comparisons at the protocol level, which means they do not have to gain access to proprietary source code.
One factor that security experts have been quick to pounce on is that advanced threats need to be told when and where to make their move. At Damballa, Culley’s motto is simple: when malware talks, we listen. "The interesting thing about rogue programmes like Zitmo is that they have to phone home for instructions – and that’s when we can pick up on them," he says.
Protecting the banking community
A further complication with the switch to 4G technology is that it will hasten the trend for employees to access and manage work-related tasks on their own smart devices – a phenomenon known as bring your own device (BYOD). The inference, says Culley, is that a company currently has some discretion to approve or reject the devices that it will allow workers to use. But that will change. "If they are not already, employees will soon be coming to work with all manner of web-enabled consumables, from Wifi-ready credit cards to digital passports. You’re not going to be able to stop devices such as these entering the work space."
A growing concern is that so-called "hacktivists" might harness the trend towards bringing powerful new smart phones to the office in order to orchestrate distributed denial-of-service (DDoS) attacks. A powerful device on a high-speed 4G network could certainly do a lot of damage, and it’s something that security experts are conscious of, but so far, DDoS attacks on mobile networks are not well documented.
"On a busy day, our network will catch more than a dozen individual DDoS attacks," says Jeff Finch, security services product manager at Interoute. "10 years ago, there were probably around 880 specific malware threats to networks. Today, there are more than 4.8 million." Such is the frequency of attacks that you would probably have to go back a decade or more to find a single 24-hour period during which Interoute did not experience a specific malware threat.
Nowhere are these attacks more prevalent, than among the US’s target-prone banking sector. Last September an Iranian group claiming to be the "Cyber Fighters of Izz ad-Din al-Qassam" launched the largest DDoS attack ever recorded
on Chase, Bank of America, Wells Fargo and UBS. The group held good on a threat to launch a follow-up attack on the sector in the week before Christmas, raising concerns that the DDoS attack might be a smokescreen for a more malicious cyber attack aimed at stealing funds while security experts were distracted.
If the banking community needs urgent help, then service providers stand ready to step up to the plate with a fast-expanding suite of security services. Last autumn, Level 3 entered the fray with a portfolio of anti-virus and intrusion prevention devices as well as a specific service aimed at helping customers ward off DDoS attacks.
Dale Drew, the service provider’s chief security officer, says that the company has access to a plethora of security threat data, enabling its experts to identify and neutralise an attack before it reaches a customer’s network. "We are in effect establishing a new benchmark of security with a multi-layered portfolio of protection that we believe is unparalleled in the industry," he says. The initiative covers everything from the way the network was originally designed and constructed in the ground to proprietary protocols and algorithms that extend to the cloud.
Interoute is effectively going one step further, focussing its security effort in the cloud. It offers a variety of levels of protection from DDoS scans at the transport level to firewall protection at the application level. Each layer comes as a separate add-on service that can be tailored to the needs of individual customers.
Finch says that it is entirely up to the customer to decide what sort of cover it needs – different customers have a different perception of what constitutes a "clean" connection but the onus will nevertheless continue to be on security services providers to produce as clear a picture of the overall threat as they possibly can.
Capacity’s most wanted: the five most dangerous botnets of 2013
It's a war out there, make no mistake, and the cyber army is mustering its forces for a blizekrieg that will accompany the roll-out of 4G mobile networks. Commanding the dark forces are a swathe of generals, or botnets – each of whom control vast legions of internet-connected computers that they have infiltrated without their owners’ knowledge. Below we highlight the most wanted of 2013…
Often known as the "God of all botnets", Zeus is a Trojan horse that squirrels its way into computers and steals banking information. The malware spreads mainly through emails and drive-by infections, where a computer can be attacked just by visiting an already infected website. It is estimated that close to 1,000 servers around the world are still sending out Zeus infections into an unsuspecting world.
One of the fastest growing botnets of 2012, Citadel, and a mobile offshoot known as Citmo, use similar computer code to Zeus. Dubbed "Zeus on steroids", the botnet’s developers harnessed their own marketing expertise, setting up a members-only social networking site to serve as a help desk and spurring a 20% increase in Citadel attacks during last year.
One of the most influential players in the distributed denial-of-service (DDoS) sphere, it is estimated that Cutwail, which is also known by the aliases Pushdo and Pandex, is capable of sending more than 74 billion spam emails a day – or 51 million every minute. The botnet has been known to attack, among others, the FBI, CIA, Twitter, Paypal and NATO.
One of the cheaper versions of malware now available, SpyEye also targets banking information. It is especially pernicious because it tricks the victim into thinking that their money is still safe by generating bogus bank statements. It is estimated that around 300 servers are still pushing out SpyEye malware.
Also known as TDL-4 or TDSS, Alureon is a type of gamekeeper turned poacher. Once installed in a computer, it first hunts out, then destroys, competing malware, then intercepts network traffic, looking for usernames, passwords and credit card data. Variations of the virus can spoof popular websites and it is estimated that 1 in 10 of the US’s Fortune 500 companies is still infected.