AFP compiles the most alarming—and informative—payments fraud news relevant to corporates in AFP Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization.
CHICAGO—Treasury and finance professionals who attended the 10th Annual CTC Corporate Treasurers Forum last week received an in-depth look at GameOver Zeus, the botnet responsible for stealing at least $125 million, including routine $1-million wire transfers. Kory Bakken, Special Agent of the Federal Bureau of Investigation, Chicago Division, went into detail about the powerful botnet, and how law enforcement agencies came together to bring it down.
Treasurers and finance executives need to understand how GameOver Zeus and other botnets operate so they can better secure their organization’s money.
What is GameOver Zeus?
Bakken noted that GameOver Zeus is an evolved version of the Zeus botnet. Zeus, a Trojan with the ability to steal banking log-in credentials, was sold as a package to cybercriminals on the black market from 2007 to 2011. “Anytime somebody would log into their banking website, it would grab the username, password and anything else that might look good,” he said. It would then put all of that data in a spreadsheet and send it back to the cybercrooks.
The author of Zeus eventually “retired” and sold his code to a new up-and-coming programmer. In 2011, the new owner decided not to sell Zeus as a package the way his predecessor had, and instead used it himself. “So instead of a bunch of cybercriminals all over the world using Zeus, he now consolidated Zeus into something called GameOver Zeus,” Bakken said. “This was operated out of Russia and Ukraine.”
One weakness of the original Zeus, from the operators’ point of view, was its centralized design: a single command-and-control (C&C) server with the victim computers beneath it, which the server used to push instructions and new malware. “If you could work your way up and find that command-and-control server—which is what the FBI was very good at—you could cut off the head of that server and then suddenly all of the victims underneath it would dry up, and you would knock out that botnet,” Bakken said.
GameOver Zeus was a different animal. It was built as a peer-to-peer network: infected computers were not only in communication with the C&C infrastructure, they were also in communication with each other, exchanging peer lists and configuration. So if a C&C server was shut down, an infected computer, which under the original Zeus would have been left with no head to “talk to,” now asked its peers until it reached a working C&C server, and the botnet was up and running again.
“At the FBI, we always looked at this like organized crime; you cut off the [head] and everything underneath it goes away,” Bakken said. “That didn’t happen with GameOver Zeus. So we were left scratching our heads.”
GameOver Zeus is primarily a keylogger and credential stealer with man-in-the-browser capabilities. It also has a remote desktop controller, similar to GoToMyPC software. “So if your machine has been compromised with peer-to-peer Zeus, they have basically GoToMyPC on your machine and they can see everything you’re doing,” Bakken said.
GameOver Zeus also has session riding, or session hijacking, which is its “really scary” capability, Bakken said. This begins when a computer logs into a banking website. A criminal has already compromised that computer and can see everything the user is doing. “That criminal—in the split second that you establish a session on a website—has grabbed that session ID and acts like he’s you. And so in the background, he is now running your banking session in another window. Unbeknownst to you, he is stealing all your money and is also using Webinjects to make sure that your account balance never diminishes. So you don’t realize the money in your account is going down as he’s in there.”
Even multifactor authentication is not a complete defense against GameOver Zeus. Oftentimes, multifactor authentication for banking websites relies on a one-time code sent by text message to the customer’s phone. The Zeus family includes a mobile component, and once it is on the phone it can intercept those text messages.
What is man-in-the-browser?
Man-in-the-browser (MITB) malware lets cybercriminals tamper with the browser itself and alter the way users see web pages. So when a user with an infected computer attempts to log into a bank website, the page may ask for additional information (check card numbers, PINs, Social Security numbers, etc.) that the criminal injected, not the bank.
“Your bank is not normally asking you for this, but the customer doesn’t know that,” Bakken said. “They’re used to banks changing their user interface on a regular basis, and they think that the bank now requires them to enter this information, and they blindly do so.”
The information victims enter can end up going back to the bank as well as to the cybercriminals, since the injected fields are often simply added to the bank’s own login form. One would assume that a bank strangely receiving a customer’s Social Security number or other private information should set off a red flag; however, many banks are not catching this. “This is something that needs to be addressed,” Bakken said. “Banks need to be looking out for additional information being sent from the customers.” One caveat for anyone building that detection: an inject can also send the extra fields straight to the attacker’s server and strip them before the form reaches the bank, so unexpected fields at the login endpoint are a useful signal but not a complete one.
Multifactor authentication methods used to protect wire transfers have also proven to be vulnerable to GameOver Zeus. The Department of Justice estimates that individual fraudulent wire transfers conducted through GameOver Zeus commonly exceed $1 million.
For large companies that make wire transfers, banks have instituted dual control: one person initiates the wire, and a second person on another machine must approve it. “So you have two people authenticating,” Bakken said. “How credible is it that you’re going to be able to attack two different machines at once?”
With Webinjects, cybercriminals don’t have to. The first user receives an error message saying that his or her session has been locked out, and asking that another authorized user log in on the same machine. “So that person who initiates the wire transfer sees their CFO walking by, who also has a login at that bank. They say, ‘Can you log into my computer for me so I can open up my account?’ Now that attacker, who has the login credentials and the RSA token for that first person, has the login credentials and the RSA token for the second person. They have everything they need to be able to initiate and approve wire transfers out of that company, all from compromising one machine,” Bakken said.
Sinkholing GameOver Zeus
GameOver Zeus was designed to thwart law enforcement’s attempts to bring it down. “We finally caught up to them this month,” Bakken said.
Following Russia’s invasion of the Crimean Peninsula, Ukrainians began working with the U.S. Soon after, the U.S. was able to locate some of the servers that were being used by the operators of GameOver Zeus. “We end up copying those command-and-control servers, and we end up finding some more in the UK,” said Bakken. “Now we’ve got some great intelligence.”
The FBI worked with private partners like FireEye and Microsoft, on a plan that was put in play on June 2. “We moved on all these command-and-control servers,” Bakken said. “We took them down fast. We also figured out their algorithm for creating new command-and-control servers and new domains, and we shut it down. This is called sinkholing. So all these bots—millions of computers that had been compromised throughout the world—they tried to ‘phone home,’ and who they phoned was the FBI. So because they phoned the FBI, we know all the machines that are compromised.”
The FBI estimated that about 30 percent of the affected machines had been sinkholed. Within a day of the FBI executing its plan, CryptoLocker, the ransomware distributed through the GameOver Zeus botnet, had been completely shut down.
“They estimated that it was over $100 million that went out over GameOver Zeus,” Bakken said. “Also, the estimate was $27 million in two months for Cryptolocker [malware spread by GameOver Zeus]. I think these estimates are low, for what these two programs were doing. Either way, we knocked off two of the biggest problems on the Internet.”
Treasury and finance professionals who are interested in learning more about Cyber Risk should attend the gtnews Forum and Awards for Global Corporate Treasury and Finance, June 23 in London. The 2014 Banking Banana Skins survey, performed by PwC and the Centre for the Study of Financial Innovation (CSFI), will be presented at the event by David Lascelles, Senior Fellow, CSFI. The report reflects an alarming jump in concern about technology risk and criminality as it relates to cybercrime. Additionally, the opening keynote speaker of the forum is Darren Argyle, CISSP, CISM, Head of EMEA Information Security Practice and CSO, Symantec.