New attacks target small U.S. banks

Cybercriminals have launched at least nine highly orchestrated and sophisticated phishing attacks against smaller U.S. banks during the last three months, a security company warned today.

Managed security provider SecureWorks reported that the level of sophistication of such attacks is increasing rapidly.

"In the past three months, SecureWorks has seen nine of its smaller U.S. banking clients phished," said Jon Ramsey, SecureWorks CTO.

"The rate at which smaller financial institutions are being phished is increasing substantially, as are the techniques being used by phishers."

In the most recent scam detected, the phishers used a combination of phishing and hacking to launch their attack, according to Ramsey. Specifically, they implemented botnets and dynamic DNS to host the phishing sites. The phishers hacked vulnerable computers and used them as platforms to host the sites. Then they use compromised desktops to send the emails.

"On Nov. 14, one of our banking clients alerted our Secure Operations Center that someone was trying to obtain sensitive client information through a phishing scam," explained Ramsey.

"Our security analysts immediately began investigating the malicious email being sent to the bank's customers, and after decoding the email found that the phisher was using various types of redirect methods to obscure the true phishing site."

After further investigation, it was discovered that the phisher had transferred authority of the domain name to another DNS server. It was compromised and was acting as a poisoned DNS server. Through this poisoned DNS server nine different compromised host servers were operating sitting in Russia, Japan, Belgium, Germany, and the U.S. They were the fallback host servers, whereby the phisher could host the replacement phishing sites (as others got taken down). Being that there were nine host servers, SecureWorks suspected the phishers were probably using a botnet to control the compromised servers.

SecureWorks traced the desktop and found that a compromised DSL account in Poland was being used to send out the phishing emails. This desktop in Poland and the compromised servers in Belgium, Japan, Russia, Germany, and the U.S were subsequently taken down in 24 hours.

According to Ramsey, this incident marks the first time that SecureWorks has seen phishers use a combination of phishing and hacking against our smaller financial institutions.

"The fact that the phishers/hackers are using more sophisticated techniques such as botnets and dynamic DNS to host the phishing sites (which certainly takes more work on the part of the phisher/hacker to implement) raises the level of play considerably for these smaller banks and credit unions. Using these techniques, phishers can target dozens of small financial institutions at one time and send out thousands of malicious emails simultaneously," added Ramsey.

"And unfortunately, the phishers know that the smaller banks and credit unions don't have the knowledge, personnel and resources in-house to bring down such a sophisticated attack."

SecureWorks, is the managed security provider specialising in the financial market providing security to over 1,100 banks and credit unions across the U.S.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.