
Fraudsters target 'wire payment switch' at US banks to steal millions


Instead of targeting the bank accounts of individuals or organisations, criminals recently took over the wire payment switch at several US banks to steal millions from their choice of accounts, according to a security analyst.

Avivah Litan, vice president and distinguished analyst at research firm Gartner, told SCMagazine.com in an interview that at least three banks were struck in the past few months using 'low-powered' distributed denial-of-service (DDoS) attacks meant to divert the attention and resources of banks away from fraudulent wire transfers occurring at the same time.

Last week, Litan wrote a blog post on the attack method, which could have resulted in the banks losing much more money than they did, though the fraudulent transactions were in the 'millions', she said in a follow-up interview with SCMagazine.com.

Litan declined to reveal the names of the victim banks, but said that the attacks didn't appear to be linked to the flood of hacktivist-launched DDoS attacks that hit these institutions last autumn and winter. These new incidents are entirely financially driven, she said. 

"It wasn't the politically motivated groups," she said. "It was a stealth low-powered DDoS attack, meaning it wasn't something that knocked their website down for hours."

Litan told SCMagazine.com via email that the attacks “added up to millions [lost] across the three banks”.

The concern with the wire payment switch – a system that manages and executes wire transfers at banks – being targeted is that it could result in much more costly loss scenarios for banks. Traditionally, digital crooks stealing from banks have opted to compromise the computers of banking customers in order to obtain their bank login credentials, access the accounts and then funnel out money.

In this case, the vandals went directly after the banks, according to Litan.

While it is unclear how the attackers gained access to the wire payment switch at banks, saboteurs could have targeted bank staff with phishing emails, an easy way to plant credential-stealing malware on target machines.

Researchers at another security firm have called attention to the trend of DDoS attacks being used as a cover for fraudulent activities at banks.

In April, Dell SecureWorks Counter Threat Unit (CTU) released its '2012 Threatscape Report' (PDF), which highlighted notable trends that developed last year among cyber attackers.

The Dell SecureWorks research team noted that fraudsters have been utilising Dirt Jumper, a $200 crimeware kit that launches DDoS attacks, to draw bank employees' attention away from fraudulent wire and ACH transactions ranging from $180,000 to $2.1 million in attempted transfers.

Last September, the FBI, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3) issued a joint alert about the Dirt Jumper crimeware kit being used to prevent bank staff from identifying fraudulent transactions.

In the alert (PDF), the organisations said criminals used phishing emails to lure bank employees into installing remote access Trojans (RATs) and keystroke loggers that stole their credentials.

In some incidents, attackers who gained the credentials of multiple employees were able to obtain privileged access rights and “handle all aspects of a wire transaction, including the approval”, the alert said – a feat that sounds daringly similar to recent attacks on the wire hub at banks. 

“In at least one instance, actors browsed through multiple accounts, apparently selecting the accounts with the largest balance,” the alert said.

Litan suggested that financial institutions 'slow down' their money transfer system when experiencing DDoS attacks in order to minimise the impact of such threats.

In an email sent to SCMagazine.com on Tuesday, Limor Kessem, a cyber crime and online fraud expert at RSA's FraudAction Research Lab, said her firm had not seen the wire payment switch attacks in the wild, but that RSA's customers had shared information about this threat with the research team.

"The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first," she said. "That's when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place."
