Zeus Criminals Launch DDoS Attacks to Hide Fraudulent Wire Transfers

FBI warned of a new spear-phishing campaign that tricks users into downloading Zeus malware and then looting their bank accounts. The criminals also launch DDoS attacks on banks.

The Federal Bureau of Investigation has warned of an elaborate spear-phishing campaign that wires money out of victims' accounts under the cover of a distributed denial-of-service attack against the bank.

The new spear-phishing campaign masquerades as emails from the National Automated Clearing House Assocation (NACHA) and downloads a variant of the Zeus banking Trojan onto the victim's computer, theFBI Denver Cyber Squad said in its warning issued Nov. 23.

The malware steals the user's online banking credentials and launches a DDoS attack on the financial institution to hide the fact that it is also transferring money out of user accounts. The DDoS attacks may also make it difficult for the financial institution to stop or reverse the transfers even if they are detected in time.

The email informs the recipient that there was a problem with a transaction at their bank and it was not processed. By clicking on the link in the email, the recipient is directed to a Website that downloads the Zeus variant called "Gameover" to the recipient's computer, the FBI warned. Gameover is capable of keylogging to steal banking credentials as well as defeating several forms of two-factor authentication mechanisms the banks may be employing.

The new spear-phishing campaign involves "personal and business bank accounts, financial institutions, money mules and jewelry stores," according to the warning.

Attackers are becoming increasingly smart and stealthy in their DDoS methods, Mike Paquette, chief strategy officer at Corero Network Security, told eWEEK. While a brute-force or flooding type of DDoS attack can be relatively easy to identify, it requires high-performance and sophisticated real-time analysis to recognize and block attack traffic while simultaneously allowing legitimate traffic to pass, according to Paquette.

Application layer attacks, such as the one posed by the recent Apache Killer, are "more insidious" and require the financial institution to have a thorough understanding of the typical behaviors and actions of their actual customers, he said.

Paquette suggested that financial institutions should automate DDoS defense to create user profiles to identify suspicious traffic, much in the same way automated credit card fraud-detection technologies look for unusual spending activity.

A portion of the wire transfers is being transmitted directly to high-end jewelry stores, according to the warning. The criminals contact a jeweler looking for precious stones and luxury watches. They promise to wire the money directly to the jeweler's account and someone will come to pick up the merchandise.

Once the fraudulent wire transfers are complete, a money mule comes to the actual store to pick up thousands of dollars of goods, the FBI said. Even though the transaction is reversed when the fraud is discovered, the jeweler is unable to recover the goods.

DDoS attacks against high-profile targets are generally perpetuated by intelligent, determined and persistent adversaries, and this "new breed" of attackers will switch to different sources and methods as necessary, Paquette said. Therefore, advance preparation is key to being able to respond to these DDoS attacks effectively, Paquette said. A response plan lists the steps the institution should take during a DDoS attack.

Hiding malicious activity by distracting the defenders with a DDoS attack is not new. The perpetrators who breached Sony's PlayStation Network and Sony Online Entertainment services earlier this year appear to have taken advantage of the fact that the entertainment giant's IT staff was busy trying to contain the DDoS attacks that had been launched by the Anonymous hacktivists.

Institutions shouldn't rely on just the Internet service providers to be able to mitigate the DDoS attack, but should deploy technology in-house to serve as the front-line defense against both flooding type and application-layer DDoS attacks, according to Paquette. DDoS mitigation tools need to be deployed alongside monitoring services so that organizations can rapidly identify and react to sustained attacks.

"Continuous and automated monitoring is required in order to recognize an attack, sound the alarm and initiate the response plan," Paquette said.