Shawn Ballesty of All Mounting and Diecutting Services in Sydney saw $18,000 vanish from his business’ bank account after malicious software infected the company’s computers. Photo: James Brickwood
At first, Shawn Ballesty thought the delay in his rent payment arriving in the landlord’s account was normal.
Then the landlord rang again. “Hey mate, your rent wasn’t paid,” Ballesty recalls him saying, even though Ballesty had made the online transfer himself.
“So I thought, I’ll send it again, just in case, then sort it out with the bank.”
Once more, a payment was made and a receipt issued, but the money didn’t arrive.
The Commonwealth Bank traced the transfers and advised both had been hijacked and, invisibly to Ballesty, deposited into a third party’s account with another bank. A computer at Ballesty’s business – All Mounting and Diecutting Services, on Sydney’s northern beaches – was infected, the bank explained.
A banking trojan – malicious software – had been installed on it without his knowledge. Ballesty was just one of thousands of people across Australia and the world to have their business bank account fleeced by cyber criminals.
Such malware is typically distributed through links in spam email or instant messages, email attachments, pirated software, or visits to compromised websites.
“It got out of control, they were intercepting it while I was doing stuff [online],” Ballesty says.
Along with the rent, other smaller amounts were taken: a total of $18,000 stolen in less than a week.
Australian banks have been quietly working to deal with the problem, in particular a trojan called Carberp, which has infected about 150,000 PCs in Australia. Once installed, it presents a fake transaction page and allows the attacker to view the victim’s browser in real time.
The malware has been customised for clients of the Commonwealth Bank, ANZ, Westpac, the Bank of Queensland, Bendigo Bank, Adelaide Bank, Teachers Mutual Bank, Defence Bank, Suncorp, Bankwest and NAB, according to the Russian security company Group-IB, which is helping the banks.
“Right after the user goes online and wants to make a transfer, they will intercept his session on the browser and spoof the destination of the transfer absolutely silently,” Andrey Komarov, head of international projects, says.
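The interception Komarov describes, a destination account rewritten inside the browser while the customer still sees the account they typed, is exactly what payee-bound transaction signing is designed to catch. The following Python model is an added example, not code from the article, the banks or Group-IB: the per-customer key, nonce, account numbers and amount are constructed, and the `signing_code` function stands in for a hardware token or banking app on a second device that the trojan cannot reach.

```python
"""Payee-bound transaction signing, modelled in Python (added example).

A man-in-the-browser trojan can change the destination of a transfer after
the customer has entered it, so the bank receives a different payee from the
one the customer saw. If the customer's confirmation code is computed over
the payee and amount on a channel outside the browser, the bank can detect
that what arrived is not what was authorised. Everything below is constructed
for the demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee_bsb: str        # constructed sample values throughout
    payee_account: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order and separator so token and bank hash identical bytes.
        return f"{self.payee_bsb}|{self.payee_account}|{self.amount_cents}".encode()


def signing_code(key: bytes, nonce: str, transfer: Transfer) -> str:
    """Six-digit code over nonce + payee + amount (truncated HMAC-SHA256).

    On the customer side this is computed by a token from what the customer
    actually typed; on the bank side it is recomputed from what arrived in
    the HTTP request. The nonce is a per-transaction challenge from the bank,
    so a code cannot be replayed for a later transfer.
    """
    mac = hmac.new(key, nonce.encode() + b"|" + transfer.canonical(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_accepts(key: bytes, nonce: str, received: Transfer, code: str) -> bool:
    """Bank-side check: recompute over the transfer as received and compare
    in constant time with the code the customer submitted."""
    expected = signing_code(key, nonce, received)
    return hmac.compare_digest(expected, code)


def rewrite_destination(transfer: Transfer, bsb: str, account: str) -> Transfer:
    """Models the in-browser swap from the article: amount untouched,
    destination replaced before the request leaves the browser."""
    return Transfer(bsb, account, transfer.amount_cents)


def demo() -> tuple[bool, bool]:
    """Returns (honest transfer accepted, tampered transfer accepted)."""
    key = b"per-customer token secret (constructed)"
    nonce = "challenge-0001"                                  # constructed
    intended = Transfer("062-000", "12345678", 450_000)       # $4,500.00 rent, constructed
    code = signing_code(key, nonce, intended)                 # shown to the customer by the token

    honest_ok = bank_accepts(key, nonce, intended, code)

    # The trojan swaps the payee; the code still covers the payee the customer entered.
    tampered = rewrite_destination(intended, "999-999", "00000001")
    tampered_ok = bank_accepts(key, nonce, tampered, code)
    return honest_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

`demo()` returns `(True, False)`: the untouched transfer verifies, the one with a swapped destination does not, because the customer's code was derived from the payee they actually entered rather than from anything the browser sent. This is also why a second factor that only confirms the login, rather than the details of each transaction, does nothing against this class of malware: the session is genuine, only the transfer inside it has been altered.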
But banks aren’t the only ones fighting. In June Microsoft and the FBI – aided by authorities in more than 80 countries, including Australia – launched a major assault on one of the world’s biggest cybercrime rings, which is believed to have stolen more than $US500 million from bank accounts in the past 18 months.
The operation was aimed at a different trojan, Citadel. The Citadel botnet – a web of 1400 networks of 5 million zombie computers infected with malware – has been used, Microsoft says, to steal from dozens of financial institutions including American Express, Bank of America, Citigroup, eBay’s PayPal and HSBC. The company alleges Citadel is controlled by a boss known as Aquabox who sells malware kits on the internet underground and takes a cut from the money stolen. The software disables antivirus programs on infected PCs to stay undetected.
Other banking trojans act in similar ways. After a three-year manhunt, 24-year-old Nigerian man Hamza Bendelladj is facing charges in the US in connection with selling and supporting SpyEye, which also allows hackers to hijack victims’ bank accounts as they log in from their own computers.
“At the highest level, most of the internet is operated by responsible organisations, but you have a few folks that have bad seeds that are going to a level of sophistication – real criminal enterprises,” says TJ Campana, director of security at Microsoft’s Digital Crimes Unit at its US headquarters near Seattle.
These are tech-savvy groups and individuals committing fraud online, mostly financial fraud. But there’s a war taking place on the internet.
It’s a war between those who say they are trying to make it more expensive for criminals to bypass their security, and the criminals trying to stay a step ahead of their pursuers.
The war on spam – the mainstay of malware spread, fake drug marketing and other scams – began several years ago.
According to independent researcher and author Brian Krebs’ analysis of spam data from security vendor Symantec, spam volumes have decreased from 6 trillion messages in 2008 to about 1 trillion at the end of 2012. Just three years ago spam accounted for more than 90 per cent of global email volume. In January, it dropped to 64.1 per cent.
Joint operations between law enforcement in several countries, Microsoft, security vendors such as Symantec and McAfee, and security researchers have netted major crackdowns on spam senders (Mt Colo ISP was closed in September 2008) and spam botnets (Waledac in January 2010, Rustock and Kelihos in 2011, Bamital in January). Command-and-control servers for the zombie networks distributing the ZeuS and SpyEye malware were also cut off in March, and arrests relating to cyber financial fraud are taking place more regularly.
Does that mean the good guys are finally winning?
“That’s a tough question,” Campana says. “Spam still exists, but when we talk to the Windows Live team, they have a pretty good service in filtering out spam, they think they’re getting there.”
Campana makes no apologies for Microsoft’s role in cybercrime fighting. “Malware is bad for our customers, it causes this very bad experience on our products. We want to make it easier for our customers to protect themselves and harder for the bad guys to make money.
“If you infect one of my customers, you are getting them to send spam, to commit fraud,” he says.
The actions, mostly driven through the company’s legal manoeuvring of civil lawsuits, help it defend its revenue streams on several fronts. By reducing spam and malware spread, it reduces pressure on its Windows Live (previously Hotmail) infrastructure, reduces the likelihood of infection on its customers’ PCs, protects its Windows brand and reduces the drain on its advertising revenue caused by click-fraud also perpetrated by botnets.
Krebs says the takedowns and arrests are positive steps in the fight against cybercrime, but they may not be a deterrent for all. “It seems clear that only a very tiny fraction of people involved in cybercrime ever are brought to justice for their role in this economy,” Krebs says.
“I spend a great deal of time on a large number of underground forums dedicated to credit card and identity theft and all manner of cybercrimes, and it seems that not only are the numbers of forums that help people get started in this industry increasing, but these forums are now more popular than ever.”
Krebs says most online scammers make little money and rely on user-friendly downloadable tools offered by other members of the underground. He believes there is only a relatively small number of organised cyber criminal organisations. Campana says there may be only a handful of “families” in Eastern Europe, Brazil and Asia. Many of them are already under active criminal investigations.
“The reality is the folks who are offering turnkey solutions – be they cash-out services, malware writers, bot installation kits or exploit kits, or spam rentals – really drive the underground economy. And business is booming,” Krebs says.
We’re not losing
Dmitri Alperovitch of CrowdStrike, a security consultancy to corporations and governments, says most countries want to collaborate to identify and prosecute cyber criminals, but, like all crime, cybercrime will always be with us.
“It’s certainly becoming harder for criminals to get away with it as prosecution is starting to catch up and arresting these crooks more often but others continue to join their ranks all over the world,” he says.
“I think spam is one area where the volumes have dropped down precipitously. Of course, low-volume phishing attacks and web-based scams have taken their place, so it’s hard to call it a complete victory.”
While it is hard to say who is winning, Phil Kernick, security expert with CQR, says society is not losing. “Criminals are making more money than they ever made, but so is society – the internet is tremendously useful,” Kernick says.
Corey Nachreiner, director of security strategy for Watchguard Technologies, says everyone needs to understand how cyber criminals operate in order to protect themselves. “Some are specifically targeting very small victims because they stay under the radar.
“I don’t think home consumers should go crazy with it, but they need to realise they need to be careful with visiting a website that can infect their computer.”
The bank returned Ballesty’s money, but not before his business accounts were frozen, leaving him unable to process wages and other payments for a week. A security adviser from the bank even delivered a list of security measures the business must adopt, including staff cyber-awareness training, along with a warning that it won’t refund money lost to the same scam again.
Ballesty says he and his staff are a lot more cautious with their online activities now, even on their breaks and outside work hours.
– with Liam Tung