Keeping Cyber Thieves From Holy Grail

Credit unions have experienced an explosion in severe cyber attacks this year. Among the 582 credit unions that use Dell SecureWorks' managed services, for instance, the number of attempted attacks increased 885% compared with 2010.

Had the attacks not been blocked by firewalls, IDS/IPS, and similar devices, and had there not been continuous monitoring, there could have been data breaches and monetary loss.

Those credit unions are not alone. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, reported in March that malicious cyber attacks were the root cause of 31% of the data breaches studied in 2010. That is an increase from 24% in 2009 and 12% in 2008.

Although the threat landscape is constantly changing, the top threats are designed to steal data and money and to control a user's computer.

In 2010, the top threat among credit unions that we monitor was the ZeuS Trojan. It tracks keystrokes and Web sites visited and can steal data stored on a computer. When a computer user visits his online bank account, the person controlling ZeuS can see every keystroke made and use that information to move money from the owner's bank account to another bank account the controller has set up.

How To Steal $70 Million

Last year, one hacking group used ZeuS to steal $70 million from U.S. and UK banks. This year, the use of ZeuS to attack credit unions has dropped to the No. 2 spot, while the Bamital Trojan Search Hijacker has jumped to No. 1. Bamital is spyware that can be used to send pop-up ads, direct victims to infected Web sites, monitor visited Web sites, record keystrokes and hijack search results.

What is really going on when a member's computer is hijacked? Quite a few things. Trojan horse malware that hijacks a computer redirects search results so that you don't actually find what you are looking for. Let's say you type "telephones" into Google or another search engine to find the latest telephone models and calling plans. If a search hijacker Trojan is on your computer, then the first links you see could be for Web sites that are not the true results that a noninfected computer would display.

Or, when you type in "telephones," you could see a link to a well-known phone company that would direct you to a fake Web site that looks like the Web site of the real phone company with its same design and logo. The fake site is designed to trick you into clicking on links that download more malware onto your computer. And if a teller's computer or that of another employee were infected and connected to the CU's network, that malware may worm its way onto servers and other computers tied in to the network.

How To Get Infected

Much of the malware infecting computers is the result of users visiting Web sites that have links that download malware and of users clicking on attachments in e-mails. In many cases, the Web sites in question exploit vulnerabilities present on the computer to install malware without the user's knowledge. The criminals use what are called "exploit kits," which are sold in the criminal underground.

No matter how many protections a credit union has throughout its system, an employee visiting the wrong Web site or clicking on the wrong attachment or links in an e-mail may infect others.

What can credit unions do? Set policies in place so that computers that are used to access member accounts cannot be used to surf any Web sites or open any e-mails. That way, if computers that are used for e-mailing and surfing become infected, the corporate network is safe. This may require setting aside computers that are not tied to the CU's network and are used by employees to surf the Web on their breaks.

Finally, have an intrusion detection system or intrusion prevention system (IDS/IPS), or a mission-specific solution, that detects malware. Monitor your system 24/7, and as soon as you are alerted to any malicious activity, remediate it immediately before the malware spreads into your system. When cybercriminals notice that they are inside a network that processes money, they have found the Holy Grail and can start transferring funds immediately.

Don Jackson is the director of the CTU research team at Dell SecureWorks.