How do you return stolen bank credentials?

Summary: Sceptical that Australians are targeted by cybercrime? Late last year the Australian Computer Emergency Response Team (AusCERT) was asked to repatriate hundreds of Commonwealth Bank customer credentials which had been stolen via the ZeuS trojan.

Photo: AusCERT GM Graham Ingram (Credit: ZDNet.com.au)

German researchers Thorsten Holz, Markus Engelberth and Felix Freiling, from the University of Mannheim's Laboratory for Dependable Distributed Systems, came across hundreds of Australian credentials late last year while studying the underground economy that trades in stolen digital credentials.

Holz's team acquired the credentials by setting up a "honey pot" — a network of servers designed to attract malware infections and phishing emails. From the infected machines they located what they called "dropzones" — the servers that host the stolen credentials, mostly based in Russia, the US and China.

In total they acquired around 170,000 stolen credentials from 70 of the active "dropzones".

The two malware families they had looked at in detail were Limbo/Nethell and ZeuS/Zbot/Wsnpoem: Limbo was analysed for email and social networking credentials, and ZeuS for banking credentials.

Australia ranked surprisingly high in terms of Limbo-infected computers the researchers had analysed. The 6,568 Australian infections were well behind Russian, UK and US numbers which were over 20,000 each, but were not far behind Germany's 10,633 and Poland's 8,598 in the sample.

Even more surprising was that Australian customers of the Commonwealth Bank topped the list in the study's analysis of stolen banking credentials.

The researchers had found 10,755 unique bank account credentials and 5,600 credit card details. Looking solely at bank account credentials, the 851 Commonwealth Bank account credentials made up roughly 10 per cent of the sample — well ahead of other banks in the study which mostly sat at 30 or below.

Exactly why the bank's customers ranked so high in the sample of stolen credentials is not explained by the researchers, but Craig Scroggie, vice president of Symantec's Pacific operations, says that it has less to do with a bank's security than with the consumer's computing habits. For example, even though banks now offer free or subsidised antivirus, such as Westpac's offer of Symantec's PC Tools range, consumers still choose "free ware" or "no ware".

The only "banking" related service to rank above the Commonwealth Bank was eBay's PayPal: its 2,263 customer credentials made up a quarter of the total. Others in the top five were HSBC Holdings, Bank of America and Lloyds Bank. For more detailed information, see the researchers' blog.

Holz's broader findings, though, were not so surprising. "Attackers steal thousands of credentials from infected machines", the researchers said. They also found the value of credentials to be twofold: the money held in compromised accounts, and the value of the credentials themselves as tradable commodities.

Chart: Symantec Global Internet Security Threat Report, April 2008. Estimated value of credentials by type.

But as the research wound down Holz faced a choice: destroy the data, or, as he ultimately did, hand it to AusCERT, which runs a log file repatriation system called Lumberjack.

AusCERT general manager Graham Ingram points out, "It wasn't just raw, meaningless data — these were active compromised accounts."

The Lumberjack system is critical in ensuring data is sent to its intended recipient. It is used not just by banks such as ANZ, Westpac and the Commonwealth Bank, but also by other targeted institutions such as the Australian Taxation Office and the Queensland Government. Other organisations across the UK, US and Canada also use the system.

"There is significant value in getting that data back to the owners," explains Ingram of the service. "It means the owner can confirm with the person who lost the credentials that the data was stolen. They can also identify the means by which it was stolen and it provides a timeline of events."

Demand on the Lumberjack system has grown immensely in the past three years. In 2006 it repatriated 10 gigabytes (GB) of data. This tripled to 30GB in 2007, and in 2008 it more than doubled to 70GB of raw log data.

"Some of the files we get can be gigabytes of text. We're talking about enormous numbers in terms of the accounts involved in that," says Ingram.

Chart: GB of repatriated data (Credit: AusCERT)

AusCERT wasn't involved in the actual research, but Ingram says of the results, "It just confirms most people's suspicions".

So are Australia's banks winning the war on internet fraud?

Symantec's Scroggie reckons it's the wrong question. "I wouldn't say the banks are winning or losing the war on fraud. The issue is being driven by consumer awareness and education," says Scroggie. That awareness is something both financial institutions and government have an interest in promoting.

AusCERT's own survey last year of 1,001 Australian internet users shows why this is the case. It found that one in seven people were using a compromised device, while 30 per cent admitted to clicking on links sent from an unknown source. The survey also revealed the complexities consumers face in configuring security updates, and evaluating perceived versus actual risk.

But some security professionals disagree. A security consultant from Securus Global, who wished to remain unnamed, says Australia's banks are in a pickle over increasingly sophisticated security threats.

"Every time they build a technical defence the attackers overcome it in weeks or days. There's very little they can do. The banking industry has nowhere to run to," he told ZDNet.com.au.

The only public information about how Australia's banking industry is handling the problem comes from the Australian Payments Clearing Association, which produces a quarterly report on the state of banking fraud.

Although the report is based on statistics voluntarily submitted by banks, the figures reported last December show a clear trend. "Card not present" (CNP) fraud, which includes internet, phone and fax transactions, jumped 30 per cent over the past 12 months. The value of fraud in this category increased from 38 cents to 50 cents for every $1,000 transacted and is by far the most valuable for fraudsters. It was seven times the value of local debit and credit card fraud, and 40 times the value of cheque fraud.

But AusCERT's Ingram reckons the banks are actually handling the problem quite well. In his view the battle is being won not by introducing security technologies, such as two-factor authentication or the offer of free antivirus, but through process. Many banks have adopted analytic systems to flag anomalous transactions: when a large transaction is attempted to a previously unknown account, it is flagged and delayed, giving the bank time to check with the account holder whether they authorised it.
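As an added illustration of the process Ingram describes (example code, not from the article or from any bank's system): a transfer rule that holds large payments to a payee the account has never paid before, and also catches the same amount split into several smaller payments to new payees on the same day. The threshold, account ids and payee histories are constructed for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Transfer:
    account: str   # paying customer's account id (constructed)
    payee: str     # destination account (constructed)
    amount: float  # AUD


# Assumed review threshold; the article gives no figure for this.
LARGE_AMOUNT = 1000.0


def decide_batch(transfers, known, threshold=LARGE_AMOUNT):
    """Return a 'release' or 'hold' decision for each transfer in order.

    known maps account id -> set of payees the account has paid before.
    A transfer is held when its payee is unseen AND either the single
    amount, or the day's running total of amounts to unseen payees,
    reaches the threshold. Released small transfers to new payees do
    not make the payee 'known' here: that only happens after the
    account holder confirms (see confirm()).
    """
    new_payee_total = defaultdict(float)  # per account, same-day total to unseen payees
    decisions = []
    for t in transfers:
        if t.payee in known.get(t.account, set()):
            decisions.append("release")  # routine payment to a known payee
            continue
        if t.amount >= threshold or new_payee_total[t.account] + t.amount >= threshold:
            decisions.append("hold")  # delay until the bank checks with the account holder
            continue
        new_payee_total[t.account] += t.amount
        decisions.append("release")
    return decisions


def confirm(t, known, authorised):
    """Outcome of the bank's call-back on a held transfer: an authorised
    payee becomes known for future transfers; otherwise it is cancelled."""
    if authorised:
        known.setdefault(t.account, set()).add(t.payee)
        return "release"
    return "cancel"
```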

But if education is a key to stopping the growth of fraud, the obstacles are huge. "It can be useful if you are notified by your institution," says Ingram. Whether or not this occurs, however, is at the discretion of the institution: there is no obligation to inform account holders of a breach, meaning that victims are left in the dark about what other information may have been stolen.

A spokesperson for the Commonwealth Bank said the bank was aware of Holz's research, and that it worked with several external agencies and international security bodies to understand the threats.

The bank did notify the 851 customers, said the spokesperson, and provided them with instructions on how to avoid exposure to such threats in the future. On the bank's side, it locked the compromised accounts, while advising affected customers to change passwords, check their home PCs for potential vulnerabilities, and "take additional precautions when online".

"Furthermore, trust, privacy and security are at the very core of what we offer our customers. The Commonwealth Bank takes security very seriously [and] is committed to actively helping customers protect themselves online. This is demonstrated by offering NetBank customers two-factor authentication, the ability [to] authenticate CBA emails via a personalised 'NetBank Inbox' and discounted internet security software," the spokesperson said.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

  • Microsoft Security

    On Monday November 3, 2008 I received an email from a "Jerry Steward" entitled "Keys of Activation", containing an attachment called Activation_key.zip. Jerry is a fake name for ojtw@bock-partner.com, received via the server p23180-adsau07doujib3-acca.osaka.ocn.ne.jp somewhere in Japan. The website www.bock-partner.com belongs to an organisation in Neubrandenburg, Germany. Possibly the security on these sites has been compromised.

    The sender wrote this message:

    Hello,

    Your account was temporarily suspended on demand. Please, activate your account using the keys which are in the attached Word file.

    If you have any questions you can address to one of our offices in your city.

    The attachment was not a Word file but an executable file containing a virus. The concerning thing is that only 6 out of 39 virus scanners detected this file as a virus and the others gave it a clean bill of health. Interesting considering many of the top names in anti-virus detection did not pick this up. I can only put this down to the newness of this virus. Some 2 days later I ran the same test again, this time 17 out of 39 virus scanners detected the virus. Surprisingly the CA (Vet) anti-virus company completely failed to recognise the problem. This is the same company that the Commonwealth Bank of Australia uses to produce its Net Bank Guard Dog security solution.

    Solution: Never use Windows with Administration privileges. Better still, use Linux or Apple for Internet Banking.
    anonymous