You ain’t seen nothing yet.
That’s the collective worry voiced by security professionals who look ahead and see a world with ever more and ever more sophisticated cyber threats to credit unions.
A generation ago it took a gun to rob a credit union. Now the weapon of choice is a computer mouse, and these crooks are smarter and more ruthless than the bandits of yesterday.
Here are the five threats most likely to cause problems for U.S. credit unions in 2013.
* DDoS - Denial of Service attacks
DDoS attacks made splashy headlines in 2012 as many big banks went down, sometimes for several days. The worse news: expect many more such attacks in 2013, according to Stu Scholly, president of Prolexic, a Hollywood, Fla.-based developer of defenses against DDoS.
Credit unions may well be in the line of attack, Scholly suggested.
The essence of DDoS is simple: the attacker seeks to overwhelm a computer system with a barrage of irrelevant data. Eventually the system cannot handle legitimate requests – member log-ins to online banking for instance – because it is so busy fighting off the DDoS blizzard.
The still worse news: botnets – computer networks typically composed of machines whose owners do not know they have been compromised and conscripted into a botnet – now are easily rented by the hour, often for small amounts of money. “A couple hundred dollars should get you a botnet for a day,” said Scholly.
And that botnet might throw off enough traffic to cripple a typical credit union’s Internet abilities.
“Most companies are unprotected against DDoS,” said Scholly.
Who launches a DDoS attack? Some are old-fashioned extortion, some are vandalism, but, said Scholly, it’s believed that an increasing number are caused by disgruntled employees (or ex-employees). But anybody with a grudge can now launch a DDoS and that makes this a threat to reckon with in 2013.
The numbers frighten: Some 36 million Euros have been pilfered from 30,000 bank accounts in several European countries via a newly documented malware threat, and what is more frightening is that the exploit, known as Eurograbber, piggybacks on the use of cellphone SMS as a two-factor authentication tool.
Darrell Burkey, a security expert with Check Point Software Technologies in San Carlos, Calif., explained that in Eurograbber a computer is first infected with a Zeus key-logger variant that cleverly asks the computer user for a cellphone number so an SMS with a security code can be sent to the phone.
Click on the link in the SMS and it downloads a version of Zeus for mobile and now the crook is positioned to begin looting the account.
Eurograbber has emerged as the first large-scale attack on financial accounts involving the mobile phone. So far, said Burkey, it has been found only on Android and BlackBerry phones, not iPhones.
There are no known instances of Eurograbber in the United States, in part, suggested Burkey, because not that many institutions here use cellphone SMS as a routine part of two-factor authentication.
Those that do, he suggested, need to study the Eurograbber attack in detail.
More broadly, Steve Santorelli, a spokesman with security experts Team Cymru, said that in 2013 the mobile channel will be under intense probing by well-funded criminals. A particular focus, he suggested, will be a hunt for ways to fool the two big app stores (Apple’s and Google’s) into accepting tainted apps that come with a malware payload. They are not there yet but, suggested Santorelli, their intent is to get there.
Matters were bad enough that in 2012 the FBI issued a warning, saying that it had found evidence bank and credit union employees are increasingly targeted by cybercriminals.
George Tubin, a security expert with Trusteer, predicted: “We will see more of this in 2013. It is extremely dangerous when they gain access to an employee’s computer.”
BYOD - “bring your own device” - policies, where employees bring their own iPads and laptops and mobile phones into the credit union and connect to the institution’s network, aggravate problems by offering criminals easier targets for deploying malware and key loggers such as Zeus, said experts.
Bottom line: crooks have realized that infecting just one financial institution employee’s computer potentially gives access to many thousands of member records and that is why Tubin sees efforts in this direction intensifying in 2013.
Shamoon is about simply destroying an institution’s data – wiping its records clean – and, said Justin Seitz, a security expert with Immunity in Miami Beach, Fla., “We expect to see these attacks launched against credit unions in 2013, to disrupt the economy.”
Running Shamoon, it is believed, are sophisticated terrorists in the Middle East – sometimes said to be funded by Iran, although that is unproven.
U.S. Defense Secretary Leon Panetta, after he reviewed a Shamoon attack on the Saudi oil company Aramco, called it the most destructive attack yet witnessed against a business.
"More than 30,000 computers that it infected [at ARAMCO] were rendered useless, and had to be replaced," Panetta said in an October speech shortly after details of the Shamoon assault were revealed.
What Shamoon does to an infected machine is erase files, then it deletes the master boot record, preventing the computer from rebooting.
Shamoon deployment thus far has been very limited, but if Seitz is right, the next year will see much more activity and that is a worrisome prospect, he said.
When at first they don’t succeed, some cyber-criminals are learning from the tactics used by a credit union to detect and thwart them – and they are coming back in 90 to 120 days with an improved scheme to loot the institution and its members’ accounts, said Rob Kraus, a security expert with Omaha, Neb.-based Solutionary, a provider of managed security services.
Discover an in-progress cyber theft, stop it and nowadays that does not mean the fight has been won. Often they will be back, Kraus said.
Kraus also said he has seen evidence that criminals are studying ACH and wireless payments processes, in detail, probing for vulnerabilities and patiently hunting for places to attack. “We are seeing a maturation of techniques as attackers study the system,” said Kraus.
Cyber crooks today, he suggested, are exhibiting higher patience and richer skills, which makes them an ever more formidable foe.