Over the past few years, we’ve witnessed the advent of industrialized hacking. It’s long since moved past the stage of script kiddies and phone phreakers. It’s become a lucrative industry run by various mafia, international criminal organizations, street-level gangs, online thugs, and most recently, nation states. Whole underground markets exist where one can obtain all of the necessary tools to open up shop as a fraudster. Criminals can buy and sell hacks, gain access to systems, credit cards, data to correlate with card data, ways to convert credit card numbers into goods or cash, and means of laundering and hiding the ill-gotten loot. An entire industry full of various markets, vendors, products, and payment methods has blossomed around the stolen credit card industry.
For example, just a short while ago, card numbers stolen from South Africa's Standard Bank were used to make counterfeit cards for a coordinated withdrawal from about 1,400 ATMs across Japan. The attackers were organized and efficient, cashing out those numbers in a matter of hours to steal roughly $12.7 million. It is not clear how they obtained the numbers; malware on the issuer's side is a plausible explanation.
This incident was very similar to the RBS WorldPay hack of 2008. Once the encryption protecting the card-processing system was compromised, the ring raised the withdrawal limits on the compromised accounts and handed a network of "cashers" 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The entire $9 million was withdrawn in under 12 hours.
We can see in this post that Kaspersky Lab found older Windows-based ATM malware making a comeback; the post includes a video demonstration. The malware can extract card data and even cash from the machine, and the post gives some detail on how it works. For example, it notes that, "Once an ATM is compromised and the skimmer malware is resuscitated from its dormant state, cyber criminals can gather pertinent financial data from inserted cards and can even direct the machine to dispense money. And in an additional step to evade detection, the malware can even be instructed to self-destruct."
There should be no doubt: detection is the new prevention.
And now we have what might be the "malware hack of the decade": Bangladesh Bank lost $81 million when attackers issued fraudulent transfer instructions over SWIFT, the messaging network that financial institutions use to exchange payment orders. Only a spelling mistake in one of the instructions kept the incident from becoming a roughly $1 billion heist. It doesn't stop there; we now know that up to a dozen banks are investigating potential breaches of their SWIFT environments. As this article notes, "The Bangladesh bank heist was pulled off with the help of custom malware that was designed to interfere with the software used by banks to perform transactions on the SWIFT global financial network."
Market Dynamics–The Driver of the Hacking World
The markets for hacking tools and stolen card data operate like any other: they only function when there is a profit to be made. If the level of sophistication required to break into your hardened enterprise is high, it becomes harder for attackers to move unnoticed and much harder to cover their tracks. Hackers' profits go down when an enterprise raises the bar. Their tools become more expensive, their operations take longer, become more complicated and require additional expertise, and they face the same challenge a legitimate business does: finding the most effective means to increase profit.
By raising its security posture to "too expensive to hack," an organization can, through sheer market forces, shed much of the risk imposed by industrialized hacking. By following our recommendations, an organization can become unprofitable for attackers simply by outperforming its peers' security postures, leaving the competition as the "low-hanging fruit" on the fraudsters' list of easy-money targets.
For example, if breaking in requires a bankroll of $500K instead of $5K, the job becomes far less attractive, and the attackers turn to something more financially rewarding. They move on to weaker targets, as happened with Bangladesh Bank. So your objective should be to stop being a $5K target and become a hardened $500K one. Your hardened enterprise should be too expensive to hack: fiscally incompatible with hacking profit and not worth the effort required to break in.
Partnering to Make your Enterprise Safer
So what can banks and other organizations do to protect themselves from similar breaches and become too-expensive-to-hack? Well, as we mentioned in this post, plenty! Basics such as enforcing host-based access controls and following best practices go a long way, but advanced security solutions are needed against threats operating in this crime-for-profit realm. Technology like a file integrity monitoring (FIM) solution, database profiling, a database firewall, and, crucially, turning on blocking in that database firewall rather than leaving it in monitor-only mode, are critical to preventing massive breaches such as these. Using a Web Application Firewall (WAF) to protect publicly exposed systems is also key to denying attackers their initial foothold in your network, from which they would attack other systems or move laterally.
However, there's more. Imperva has partners within our PartnerSphere Technology Alliance Program that bring different tools to the fight. For example, Proofpoint can help organizations keep security alerts and incidents from escalating into full-blown breaches. Imperva SecureSphere and Proofpoint Threat Response are now integrated to deliver advanced risk mitigation. Proofpoint Threat Response lets security teams quickly identify compromised privileged users, take immediate action to quarantine their access to critical databases, and stop a breach in progress. This integration enables joint customers to move compromised users into quarantine immediately, automatically push policy changes into each respective system, and drastically reduce the attackers' window of opportunity.
Another partner, FireEye, provides robust malware detection and mitigation capabilities that can signal Imperva SecureSphere when a user's host has been infected. FireEye's architecture identifies infected hosts and blocks data exfiltration attempts from the compromised host directly. Once a host is identified as compromised, however, it has to be quarantined and the malware removed, which means one of your productive employees is shut down for a period of time: IT is brought in, the malware is identified, and the machine is cleaned. And if that single infection has spread, which is not uncommon, you could be looking at dozens or hundreds of employees shut down rather than one or two. This is where Imperva SecureSphere comes into play: the infected host's reach into applications and data can be narrowed as soon as the signal arrives, without waiting for the cleanup to finish.
Imperva SecureSphere – Raising the Bar with our Partners
Once infected hosts or compromised accounts are identified by Proofpoint or FireEye solutions, Imperva SecureSphere applies that additional intelligence to enforce access controls on critical applications and sensitive databases.
In a banking context, this means you can create custom policies for infected hosts, increase monitoring on those hosts, and selectively restrict their access to specific applications and data. Applied to the SWIFT case, hosts infected with the malware could have been identified, security personnel alerted to the problem, and the breach stopped before the fraudulent transfers went out, provided the infection was flagged before those messages were issued.
Furthermore, all activity from any infected host would come under higher scrutiny and would be restricted, both in which applications it could reach and in its access to sensitive data.
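To make the two mechanisms above concrete, here is an added example (not Imperva's, Proofpoint's or FireEye's code, and not a real integration format) of a small database access gate. It learns a per-user profile of normal (application, table, action) activity, ingests partner signals in a constructed generic JSON-lines shape, and then applies tiered decisions: quarantined users are denied outright, infected hosts are denied sensitive tables and logged at alert level for everything else, and profile deviations are blocked on sensitive tables only when blocking is switched on. The table names, user names, hosts and event fields are all constructed for the illustration; the `blocking` flag mirrors the monitor-only versus blocking distinction for a database firewall.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed for this example; not real table names or alert schemas.
SENSITIVE_TABLES = {"swift_outbound", "card_pan"}

# Learning window: activity observed during normal operation (constructed).
BASELINE_EVENTS = [
    {"user": "alice", "host": "ws-01", "app": "payments_ui", "table": "swift_outbound", "action": "write"},
    {"user": "alice", "host": "ws-01", "app": "payments_ui", "table": "accounts", "action": "read"},
    {"user": "bob", "host": "ws-02", "app": "helpdesk", "table": "tickets", "action": "read"},
]

# Partner signals in an assumed JSON-lines shape (constructed, not a vendor format).
SIGNAL_FEED = """\
{"source": "malware_detection", "kind": "infected_host", "value": "ws-02"}
{"source": "threat_response", "kind": "quarantined_user", "value": "carol"}
"""

# Live requests to evaluate (constructed).
LIVE_EVENTS = [
    {"user": "alice", "host": "ws-01", "app": "payments_ui", "table": "swift_outbound", "action": "write"},
    {"user": "bob", "host": "ws-02", "app": "helpdesk", "table": "tickets", "action": "read"},
    {"user": "bob", "host": "ws-02", "app": "sqlplus", "table": "swift_outbound", "action": "write"},
    {"user": "carol", "host": "ws-03", "app": "payments_ui", "table": "accounts", "action": "read"},
    {"user": "alice", "host": "ws-01", "app": "sqlplus", "table": "card_pan", "action": "read"},
]


@dataclass(frozen=True)
class Decision:
    allow: bool
    severity: str  # "info" for routine logging, "alert" for elevated monitoring
    reason: str


def build_profile(events):
    """Database profiling: the set of (app, table, action) each user normally performs."""
    profile = defaultdict(set)
    for e in events:
        profile[e["user"]].add((e["app"], e["table"], e["action"]))
    return profile


def load_signals(feed):
    """Parse partner signals into the two sets the access gate consumes."""
    infected, quarantined = set(), set()
    for line in feed.splitlines():
        if not line.strip():
            continue
        sig = json.loads(line)
        if sig["kind"] == "infected_host":
            infected.add(sig["value"])
        elif sig["kind"] == "quarantined_user":
            quarantined.add(sig["value"])
    return infected, quarantined


def evaluate(event, profile, infected, quarantined, blocking=True):
    """Tiered decision: partner signals first, then deviation from the learned profile."""
    user, host = event["user"], event["host"]
    activity = (event["app"], event["table"], event["action"])
    sensitive = event["table"] in SENSITIVE_TABLES
    if user in quarantined:
        return Decision(False, "alert", "user quarantined by partner signal")
    if host in infected:
        if sensitive:
            return Decision(False, "alert", "infected host denied sensitive table")
        # Still permitted, but every request from this host is logged at alert level.
        return Decision(True, "alert", "infected host: elevated monitoring")
    if activity not in profile.get(user, set()):
        if sensitive and blocking:
            return Decision(False, "alert", "profile deviation blocked on sensitive table")
        # Monitor-only mode (or a non-sensitive table): allow but raise an alert.
        return Decision(True, "alert", "profile deviation: audit only")
    return Decision(True, "info", "matches learned profile")


def run(events, baseline, feed, blocking=True):
    profile = build_profile(baseline)
    infected, quarantined = load_signals(feed)
    return [evaluate(e, profile, infected, quarantined, blocking) for e in events]


if __name__ == "__main__":
    for e, d in zip(LIVE_EVENTS, run(LIVE_EVENTS, BASELINE_EVENTS, SIGNAL_FEED)):
        verdict = "ALLOW" if d.allow else "DENY "
        print(f"{verdict} [{d.severity}] {e['user']}@{e['host']} {e['app']} {e['action']} {e['table']}: {d.reason}")
```

Running the script with `blocking=True` denies the third, fourth and fifth constructed requests; rerunning with `blocking=False` lets the fifth (alice reading card data through an unfamiliar client) through with only an alert, which is exactly the gap a monitor-only database firewall leaves open.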
As you can see, by raising the bar on your security posture, you can let the natural market forces of the cybercrime industry help your organization become too-expensive-to-hack. Imperva, along with the industry-leading partners in our PartnerSphere program, is here to help you.
For more information on the Imperva-FireEye joint solution, download our solution brief, or contact a sales representative for further information.
For more information on the Imperva-Proofpoint integrated solution, download our FAQ, or contact a sales representative for further information.