Security firm McAfee on Thursday released a report warning that massive bank cyber attacks on 30 U.S. banks has been planned, with the goal of stealing millions of dollars from consumers’ bank accounts.
McAfee’s research upheld an October report from RSA, the security wing of IT giant EMC Corp.
RSA startled the security world with its announcement that a gang of cybercriminals had developed a sophisticated Trojan aimed at funneling money out of bank accounts from Chase (JPM, Fortune 500), Citibank (C, Fortune 500), Wells Fargo (WFC, Fortune 500), eBay (EBAY, Fortune 500) subsidiary PayPal and dozens of other large banks. Known as “Project Blitzkrieg,” the plan has been successfully tested on at least 300 guinea pig bank accounts in the United States, and the crime ring had plans to launch its attack in full force in the spring of 2013, according to McAfee, a unit of Intel (INTC, Fortune 500). (McAfee was founded by John McAfee, who is wanted for questioning as part of a Belize murder investigation, but he no longer has any ties to the company.)
Project Blitzkrieg began with a massive cybercriminal recruiting campaign, promising each recruit of a share of the stolen funds in exchange for their hacking ability and busywork. With the backing of two Russian cybercriminals, including a prominent cyber mafia leader nicknamed “NSD,” the recruits were tasked with infecting U.S. computers with a particular strain of malware, cloning the computers, entering stolen usernames and passwords, and transferring funds out of those users’ accounts.
The scheme was fairly innovative. U.S. banks’ alarm bells get tripped when customers try to access their accounts from unrecognized computers (particularly overseas), so banks typically require users to answer security questions. Cloning computers lets the cybercriminals appear to the banks as though they are the customers themselves, accessing their accounts from their home PCs — thereby avoiding the security questions.
And since most banks place transfer limits on accounts, recruiting hundreds of criminals to draw smallish amounts out of thousands of accounts is a way to duck those limits. The thieves could collectively siphon off millions of stolen dollars.
As terrifying as that sounds, the fact that the project is out in the open is a huge deterrent. RSA first uncovered the scheme in the fall, and independent security researcher Brian Krebs linked the report to NSD in the following days. Since then, the project appears to have gone dark.
NSD has effectively disappeared from chat forums, Krebs told CNNMoney.
“I can’t find him anywhere,” Krebs said. “Either bringing this to light scuttled any plans to go forward, or it’s still moving ahead cautiously under a much more protective cover.”
In either case, knowing what they’re up against could be a blessing for banks. McAfee said it is coordinating with law enforcement officials and working with several banks to prepare them for the potential attacks.
The financial industry is accustomed to fending off skilled cyberthieves. It gets hit every day by thousands of attacks on its infrastructure and networks, according to Bill Wansley, a senior vice president at Booz Allen Hamilton who specializes in cybersecurity issues.
Those are just the attacks that get discovered. Not a single financial industry network that Booz Allen examined has been malware-free, he noted.
“If you catch something early on, you can minimize the threat,” Wansley said. “It’s definitely worthwhile to get a heads up.”
For example, in September an Iranian group claiming to be the “Cyber Fighters of Izz ad-Din al-Qassam” announced that it would launch a major denial-of-service attack against the largest U.S. banks. Few took the threat that seriously, but Booz Allen took advantage of the heads-up to work with some of the targeted banks.
What followed was the largest direct denial-of-service attack ever recorded, preventing the public from accessing the websites of Chase, Bank of America (BAC, Fortune 500), Wells Fargo, US Bank (USB, Fortune 500) and PNC Bank (PNC, Fortune 500) — intermittently for some, and as much as a day for others. The banks that were better prepared were the least affected, he said. (Who actually sponsored the attacks remains a subject of debate. Security experts believe the Iranian government had a hand in them.)
The Cyber Fighters are at it again, declaring that they will be launching attacks on banks’ websites this week as part of “Operation Ababil.” The banks are preparing.
“Security is core to our mission and safeguarding our customers’ information is at the foundation of all we do,” said Wells Fargo spokeswoman Sara Hawkins. “We constantly monitor the environment, assess potential threats, and take action as warranted.”
“Protecting Citi and its clients from criminal information security threats is a critical priority for us,” said a Citigroup spokeswoman. “We have a focused information security strategy and dedicated resources to execute it.”
Chase and PayPal did not respond to requests for comment.
Still, the war against cybercriminals isn’t going so well for the financial industry. In July, threat detection software maker Lookingglass found that 18 of 24 of the world’s largest banks were infected with popular strains of malware that the industry believed had been eradicated, suggesting that banks are prone to re-infections. In June, McAfee uncovered “Operation High Roller” — a cyberattack that could have stolen as much as $80 million from more than 60 banks.
Since consumers are federally protected from taking the hit when funds are stolen from their accounts, the banks eat the loss. And as the attacks grow more sophisticated, their annual price tag keeps rising.
“There are absolutely attacks going on right now that we don’t know about, some of them minor, some major,” Wansley said. “There’s a lot going on out there, and frankly, we’re only seeing the frequency and severity pick up.”