EU security body warns on sophisticated new online banking attacks

Banks should assume that all PCs are infected, says ENISA

The European Union's computer security agency has warned banks to treat all PCs as if they are infected with sophisticated variants of Trojan malware, following reports of successful attacks on users of online banking that netted the perpetrators "tens of millions of dollars".

The warning was issued by the European Network and Information Security Agency (ENISA) following the "High Roller" series of cyber-attacks that had exclusively targeted wealthy individuals.

The warning was issued in view of the high level of automation and sophistication exhibited by the attackers. Bank security measures, such as two-factor authentication and fraud detection, were circumvented in the attacks.

Furthermore, the fraudulent transactions were hidden by additional malware, which inserted JavaScript code into pages to make it more difficult for the victims to see what had happened and to blow the whistle.

The attacks had three phases, claims ENISA. First, targets were identified using "online reconnaissance" and phishing, with apparently wealthy individuals singled out. Once their PCs were compromised, malware was loaded onto them, including versions of the Zeus, SpyEye and Ice 9 Trojans tailored for the banking websites used by the victims.

"Later, automated fraudulent transactions were carried out in the name of the user and hidden from them behind warning and waiting messages," said ENISA in a statement.

The malware was used to transfer sums from all accounts to mules abroad, who would then withdraw the cash and send it back to the perpetrators using money transfer services, such as Western Union.

"Many online banking systems, some with one-time transaction codes, calculators or smartcard readers, work based on the assumption that the customer's PC is not infected. Given the current state of PC security, this assumption is dangerous. Banks should instead assume that PCs are infected," warned ENISA.

It added that strong cooperation will be needed to combat the threat. "The cyber-attack was carried out using command and control servers dynamically located across the globe using, for example, fast flux botnets and bullet-proof hosting providers. Criminals use these tricks to make law enforcement and notice-and-takedown more complicated."

While the Zeus Trojan has been in the wild since 2007, it is the sophistication of the latest attacks that has concerned ENISA, which fears that they could become more widespread.