In May 2004, an employee of a consulting firm noticed that $20,000 had been transferred from his online banking account. He immediately notified the financial institution, which then initiated a password change to protect the victim’s assets.
Despite this countermeasure, a further $20,000 was transferred out of the victim’s account within a day or so. Someone, without any proper authorization, had access to the victim’s bank account via the internet. The financial institution reviewed the online access of the account and found unauthorized logins originating from Europe.
At this point, the financial institution did a thorough scrub of its information security posture, and it concluded that a security lapse at its end was not the probable cause. Another potential source of compromise was the victim’s personal computers. Therefore, the victim provided his home and work computer systems for forensic analysis.
Our forensic review focused on examining the victim’s systems for indicators suggesting his credentials were stolen from his PC.
The dates of the initial unauthorized logins at the financial institution gave us a starting point for the review. Our initial search for Trojans, viruses and malicious software, combined with a review of the registry, did not reveal any evidence of compromise. However, a detailed forensic examination identified files that were keystroke capture log files.
One of the victim’s systems had been compromised by a Trojan that specifically targeted financial data. The Trojan performed targeted collection involving keystroke logging to capture credit card numbers, URLs, user IDs and passwords. These keystroke logs were periodically sent to an email server in Europe. The Trojan uninstalled itself after two weeks or so of collection, removing its executable components, registry entries, and the keystroke capture log files.
The creator of the Trojan stayed ahead of anti-virus software by constantly producing and fielding variants, which were uninstalled every two weeks. From a post-intrusion perspective, this un-installation mechanism also complicated forensic analysis.
Despite the removal of all its components, evidence of the Trojan persisted. Due to the location of the keystroke capture log files in the “C:\Windows” system file area, and the fact that they were named with a “.ini” file extension, the operating system considered each keystroke capture log file a system file. This allowed the forensic examiner to perform analysis of the Microsoft System Restore Points.
System Restore believed the keystroke capture log files were system files because they were continually modified, they had a “.ini” extension, and they were located in a Windows system directory. The result is that the Windows Restore snapshots contained a historical backup of the keystroke capture activity in a compressed format.
Examination of the compressed contents of the “C:\System Volume Information” restore folder identified 12 files containing keystroke capture logs. These contained hundreds of pages of material, covering the entire timeframe of the compromise. These logs confirmed the compromise and facilitated an accurate damage assessment. The victim’s online bank account and the corresponding user ID and password were compromised via this Trojan.
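The triage step described above, as an added example that is not the article's own tooling: the script walks an exported copy of the “System Volume Information” restore folder, picks out every “.ini” file that System Restore preserved, and flags those whose contents look like a keystroke log rather than a genuine configuration file. It assumes the examiner has already exported the restore point contents to a working directory on an analysis workstation in readable (decompressed) form; the directory layout, the file names such as `A0000042.ini`, the two indicator patterns (`URL_RE`, `CRED_RE`) and all log contents are constructed for the example.

```python
"""Triage an exported Windows System Restore folder for keystroke-capture logs.

Added example, not the article's own tooling. It assumes the examiner has
already exported the "C:\\System Volume Information" restore point tree to a
working directory in readable form. The file layout and log contents used
below are constructed for the example.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicators a keystroke-capture log tends to contain: captured URLs plus
# user-ID / password field labels. Both patterns are assumptions chosen for
# this example, not signatures from the article.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
CRED_RE = re.compile(r"\b(user(name)?|login|pass(word)?|pin)\b\s*[:=]", re.IGNORECASE)


def find_ini_files(root):
    """Return every *.ini file beneath root, including restore point folders."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".ini"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def looks_like_keystroke_log(text):
    """A file is flagged when it carries both URLs and credential field labels."""
    return bool(URL_RE.search(text)) and bool(CRED_RE.search(text))


def triage_restore_points(root):
    """Flag suspicious .ini files and order them by modification time."""
    findings = []
    for path in find_ini_files(root):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if looks_like_keystroke_log(text):
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            findings.append({
                "path": path,
                "modified": mtime.isoformat(),
                "urls": sorted(set(URL_RE.findall(text))),
                "credential_lines": len(CRED_RE.findall(text)),
            })
    findings.sort(key=lambda f: f["modified"])
    return findings


def build_sample_tree():
    """Create a constructed directory resembling an exported restore folder."""
    root = tempfile.mkdtemp(prefix="svi_export_")
    rp1 = os.path.join(root, "RP1")
    rp2 = os.path.join(root, "RP2")
    os.makedirs(rp1)
    os.makedirs(rp2)
    # Benign system file: the kind of .ini System Restore is meant to keep.
    with open(os.path.join(rp1, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=shell32.dll,3\n")
    # Constructed keystroke log (placeholder values, not real data).
    with open(os.path.join(rp2, "A0000042.ini"), "w") as fh:
        fh.write("[05/03/2004 09:12]\nhttps://bank.example.test/login\n"
                 "user: victim.placeholder\npass: ********\n")
    # An unrelated non-.ini file that the .ini filter should ignore.
    with open(os.path.join(rp2, "change.log"), "w") as fh:
        fh.write("https://bank.example.test/ pass: x\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in triage_restore_points(sample_root):
        print(finding)
```

Sorting the findings by modification time gives the examiner the same thing the article's 12 recovered files gave: a timeline of capture activity to compare against the dates of the unauthorized logins at the bank. On a real case the indicator patterns would be tuned to the logs actually recovered, and the flagged files would then be read in full for the damage assessment.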
So what did the financial institution learn? It spent hundreds of thousands of dollars to determine whether it was the source of the initial compromise. It should have immediately asked computer forensic professionals to review the contents of the victim’s personal computer as well. Forensic review of the victim’s personal computers is often the first, critical step to solving how online bank accounts are compromised.
Kevin Mandia is president and founder of Red Cliff Consulting