“Double, double, toil and trouble; fire burn and cauldron bubble. … Something wicked this way comes.” From Shakespeare’s Macbeth.
The recent trend in spyware is a more sophisticated attack involving a cauldron brew of social engineering phishing scams (trickery), installation of remote access tools (deception), and exploitation of website or PC vulnerabilities.
Spyware is a targeted attack, directed at very specific people to gather specific information such as account numbers and passwords. This operation sets the stage for spyware to play a prominent role in an all-out assault on the financial sector.
The spyware installs itself through pop-up ads located on many popular websites that anyone can visit. Then the spyware waits for the computer to visit a targeted bank site and captures the login keystrokes. The passwords are captured before the browser software encrypts the information.
Last year, more than 50 major financial institutions were targeted in several attacks. The stolen information has been tracked to various locations, such as Estonia, Russia, Ukraine, and Greece. This year, Sumitomo Mitsui Banking Corp. reported a failed $424 million hacking attempt using key logging spyware.
How big is the problem?
Spyware is so prevalent that it is becoming nearly impossible to find computers that do not contain at least some intrusive code. A multi-year study by Webroot and Earthlink, which tested more than 4.6 million systems, reported that 55 percent had some form of spyware. Key loggers, the most egregious spyware, were found on 7 percent of all computers, even PCs in enterprise environments. The study also identified more than 4,000 websites that distribute some form of spyware.
Spyware is among the fastest-growing threats to computer users. The National Cyber Security Alliance predicts that those infections will soon surpass computer viruses. A recent Gartner report noted that theft from personal bank accounts was the fastest-growing type of financial fraud. The FTC reported that the combination of Internet fraud and identity theft cost consumers $437 million in 2003 with some estimates for the financial sector to lose $8 billion by 2006!
Legislative action has moved into high gear at both the state and federal level. Twenty-nine states now have some form of anti-spyware legislation. However, only nine of these provide for criminal penalties.
For example, a recently enacted California law prohibits the deceptive collection of personal information, such as passwords or credit card numbers, but does not have a provision for consumer notification. Consumers are able to seek up to $1,000 in damages if they think they have fallen victim to the intrusive software.
This year, two legislative actions passed in the House and are pending in the Senate. The Safeguard Against Privacy Invasions Act, H.R. 29 (also known as the Spy Act) requires notice, consent and uninstall capability for information collection software. The Spy Act would also give the FTC authority to police violations of the law and to levy fines of up to $3 million in the most pernicious cases.
The other pending bill is the Internet Spyware (I-SPY) Prevention Act. H.R. 744 criminalizes unauthorized computer access or copying software to obtain personal information with intent to defraud. The bill provides criminal penalties of up to five years of imprisonment and budgets $10 million for enforcement.
Other existing applicable laws are the Computer Fraud and Abuse Act and the USA Patriot Act.
FDIC defines the risk
The FDIC issued guidance on mitigating risks from spyware in FIL6605 in July 2005 to inform financial institutions about the risks posed by spyware within an institution’s network and on customers’ computers.
It determined that spyware exploits vulnerabilities, reduces security settings, and establishes new channels that circumvent firewalls. The attackers can intercept sensitive communications by monitoring keystrokes, email, and Internet activity. The monitoring may lead to the compromise of sensitive information, including user IDs and passwords.
Spyware consumes system resources and productivity and may compromise the bank’s ability to conduct business by disrupting Internet connections. This can provide the attacker the ability to control corporate computers to send unsolicited spam or malicious software.
Confidentiality can be compromised by rerouting communications through third-party servers, circumventing encrypted communication methods. Identity thieves may then impersonate the customer using the IDs and passwords collected.
Spyware increases a financial institution’s vulnerability to various types of “redirected attacks.” Inappropriate information received by the customer from redirected sites can damage the financial institution’s reputation.
Redirected attacks are:
Effective risk mitigation against spyware requires the layered approach to security promoted by the FFIEC. This set of best practices is required because no single solution is adequate against the multi-phased approach used by spyware.
Security monitoring should be in place for your firewalls and intrusion detection systems to analyze traffic for actual attacks, new threats and vulnerabilities. Monitoring should include both inbound and outbound traffic. Software patches, anti-virus signatures, and anti-spyware updates should be kept current. E-mail should be scanned and spam blocked.
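The guidance above asks for outbound as well as inbound monitoring, because spyware that has already taken hold shows itself mainly in the traffic it sends out. The following is an added example, not code from the article or from farm9: a small review script that reads constructed firewall log lines (the key=value format, the addresses, the allowlist and the timestamps are all assumptions made for this illustration, not any vendor's format) and flags two things a reviewer would want to see: outbound connections to destinations that are not on the institution's approved list, and flows from one internal host to one destination that recur at a near-constant interval, the regular check-in pattern of a remote access tool rather than of a person browsing.

```python
"""
Added example (not from the original article): an outbound-traffic review
over constructed firewall log lines. It flags internal hosts that contact
destinations outside an allowlist, and hosts whose connections to a single
destination recur at a near-constant interval (beacon-like behaviour).
All hosts, addresses and log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines in a simple key=value format (assumed, not a vendor format).
SAMPLE_LOG = """\
2005-11-02T09:00:00 action=allow dir=out src=10.1.5.23 dst=198.51.100.10 dport=443
2005-11-02T09:00:05 action=allow dir=out src=10.1.5.23 dst=203.0.113.77 dport=8080
2005-11-02T09:05:05 action=allow dir=out src=10.1.5.23 dst=203.0.113.77 dport=8080
2005-11-02T09:10:05 action=allow dir=out src=10.1.5.23 dst=203.0.113.77 dport=8080
2005-11-02T09:15:06 action=allow dir=out src=10.1.5.23 dst=203.0.113.77 dport=8080
2005-11-02T09:01:10 action=allow dir=out src=10.1.5.40 dst=198.51.100.10 dport=443
2005-11-02T09:02:00 action=allow dir=in src=192.0.2.9 dst=10.1.5.40 dport=25
2005-11-02T09:30:00 action=deny dir=out src=10.1.5.40 dst=192.0.2.200 dport=6667
"""

# Destinations the institution has approved for outbound use (constructed).
ALLOWED_DESTINATIONS = {"198.51.100.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) dir=(?P<dir>in|out) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def unapproved_outbound(events, allowed=ALLOWED_DESTINATIONS):
    """Sorted (src, dst, dport) triples for outbound traffic to non-allowlisted hosts.

    Denied attempts are included deliberately: a workstation that keeps trying
    to reach an unapproved host is worth a look even when the firewall stops it.
    """
    found = {
        (e["src"], e["dst"], e["dport"])
        for e in events
        if e["dir"] == "out" and e["dst"] not in allowed
    }
    return sorted(found)


def beacon_candidates(events, min_hits=4, max_jitter=0.1):
    """(src, dst, mean_gap_seconds) for allowed outbound flows seen at least
    min_hits times at a near-constant interval.

    Jitter is the ratio of the standard deviation of the gaps to their mean;
    automated check-ins are regular, interactive browsing is not.
    """
    by_flow = defaultdict(list)
    for e in events:
        if e["dir"] == "out" and e["action"] == "allow":
            by_flow[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in unapproved_outbound(evs):
        print("outbound to non-allowlisted destination:", row)
    for src, dst, gap in beacon_candidates(evs):
        print(f"beacon-like flow: {src} -> {dst} every ~{gap}s")
```

Run against the constructed sample, the script reports the workstation talking to 203.0.113.77 on port 8080 every five minutes and the denied attempt to reach 192.0.2.200 on port 6667; the two flows to the approved host are silent. In practice the allowlist would be the institution's own list of approved services and the thresholds tuned to the log volume, and anything flagged is a lead for the review described in the guidance, not a verdict.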
Regular assessments must be conducted to verify that controls are effective, and audits should be expanded to consider spyware threats. Institutions should have acceptable use policies for non-work related browsing and software installation. To reduce risk, users should carefully read licensing agreements, stay away from peer-to-peer file-sharing networks, avoid sites that offer pirated software or adult material, and regularly scan their systems for infiltration. Browser security settings should be set to “high” so that software cannot be surreptitiously installed while the Internet is browsed.
Some clues that one may be infected include a sluggish computer, pop-up ad inundation, hijacked home pages or redirection to unintended sites. Standard anti-virus and security software offers limited protection. Software that specifically scans and removes spyware includes Spybot and PestPatrol.
The guidance also recommends that financial institutions maintain control of their Internet services, keep current and regularly review the trusted root certificates installed on their Web servers, and begin investigating multi-factor authentication for online banking.
Since publication of the spyware guidance in July, the FFIEC has released new guidance on Internet banking that sets 2006 as the deadline for achieving two-factor authentication compliance for institutions offering Internet-based financial services.
Guy Morgan is the CEO and founder of farm9, Inc., in Emeryville, Calif., a network security company providing regulatory-compliant solutions to the financial services industry. For more information, visit www.farm9.com.
© Copyright BankNews, November 2005