How do you return stolen bank credentials?

Sceptical that Australians are targeted by cybercrime? Late last year the Australian Computer Emergency Response Team (AusCERT) was asked to repatriate hundreds of Commonwealth Bank customer credentials which had been stolen via the ZeuS trojan.
Written by Liam Tung, Contributing Writer


AusCERT GM: Graham Ingram
(Credit: ZDNet.com.au)

German researchers, Thorsten Holz, Markus Engelberth and Felix Freiling from the University of Mannheim's Laboratory for Dependable Distributed Systems came across hundreds of Australian credentials late last year. They wanted to study the underground economy that trades in stolen digital credentials.

Holz's team acquired the credentials by setting up a "honey pot" — a network of servers, designed to attract malware infections and phishing emails. They used the infected machines to locate what the researchers called "dropzones" — servers that host the stolen credentials, mostly based in Russia, the US and China.

They had in total acquired around 170,000 stolen credentials taken from 70 of the active "dropzones".

The two malware families they had looked at in detail were Limbo/Nethell and ZeuS/Zbot/Wsnpoem: Limbo was analysed for email and social networking credentials, and ZeuS for banking credentials.

Australia ranked surprisingly high in terms of Limbo-infected computers the researchers had analysed. The 6,568 Australian infections were well behind Russian, UK and US numbers which were over 20,000 each, but were not far behind Germany's 10,633 and Poland's 8,598 in the sample.

Even more surprising was that Australian customers of the Commonwealth Bank topped the list in the study's analysis of stolen banking credentials.

The researchers had found 10,755 unique bank account credentials and 5,600 credit card details. Looking solely at bank account credentials, the 851 Commonwealth Bank account credentials made up roughly 10 per cent of the sample — well ahead of other banks in the study which mostly sat at 30 or below.

Exactly why the bank's customers ranked so high in the sample of stolen credentials is not explained by the researchers, but Craig Scroggie, vice president of Symantec's Pacific operations, says that it has less to do with a bank's security than with the consumer's computing habits. For example, even though banks now offer free or subsidised antivirus, such as Westpac's offer of Symantec's PC Tools range, consumers still choose "free ware" or "no ware".

The only "banking" related service to top Commonwealth Bank's customers was eBay's PayPal: 2,263 of its customers' credentials made up a quarter of the total. Others in the top five were HSBC Holdings, Bank of America and Lloyds Bank. For more detailed information, see the researchers' blog.

Holz's broader findings, though, were not so surprising. "Attackers steal thousands of credentials from infected machines", they said. The value of the credentials was also twofold: the money held in compromised accounts, and the value of the credentials themselves as tradable commodities.


Symantec: Global Internet Security Threat Report, April 2008. Estimated value of credentials by type.

But as the research wound down Holz faced a choice: destroy the data, or, as he ultimately did, hand it to AusCERT, which runs a log file repatriation system called Lumberjack.

AusCERT general manager Graham Ingram points out, "It wasn't just raw, meaningless data — these were active compromised accounts."

The Lumberjack system is critical in ensuring data is sent to its intended recipient and is used not just by banks, such as ANZ, Westpac and the Commonwealth Bank, but also by other targeted institutions such as the Australian Taxation Office and the Queensland Government. Other organisations across the UK, US and Canada also use the system.

"There is significant value in getting that data back to the owners," explains Ingram of the service. "It means the owner can confirm with the person who lost the credentials that the data was stolen. They can also identify the means by which it was stolen and it provides a timeline of events."

Demand on the Lumberjack system has grown immensely in the past three years. In 2006 it repatriated 10 gigabytes (GB) of data. This tripled to 30GB in 2007, and in 2008 it more than doubled to 70GB of raw log data.

"Some of the files we get can be gigabytes of text. We're talking about enormous numbers in terms of the accounts involved in that," says Ingram.


GB of repatriated data
(Credit: AusCERT)

AusCERT wasn't involved in the actual research, but Ingram says of the results, "It just confirms most people's suspicions".

So are Australia's banks winning the war on internet fraud?

Symantec's Scroggie reckons it's the wrong question. "I wouldn't say the banks are winning or losing the war on fraud. The issue is being driven by consumer awareness and education," says Scroggie. Promoting that awareness is a role in which both financial institutions and government have an interest.

AusCERT's own survey last year of 1,001 Australian internet users shows why this is the case. It found that one in seven people were using a compromised device, while 30 per cent admitted to clicking on links sent from an unknown source. The survey also revealed the complexities consumers face in configuring security updates, and evaluating perceived versus actual risk.

But some security professionals disagree. A security consultant from Securus Global, who wished to remain unnamed, says Australia's banks are in a pickle over increasingly sophisticated security threats.

"Every time they build a technical defence the attackers overcome it in weeks or days. There's very little they can do. The banking industry has nowhere to run to," he told ZDNet.com.au.

The only public information about how Australia's banking industry is handling the problem comes from the Australian Payments Clearing Association, which produces a quarterly report on the state of banking fraud.

Although the report is based on statistics voluntarily submitted by banks, the figures reported last December show a clear trend. "Card not present" (CNP) fraud, which includes internet, phone and fax transactions, jumped 30 per cent over the past 12 months. The value of fraud in this category increased from 38 cents to 50 cents for every $1,000 transacted and is by far the most valuable for fraudsters. It was seven times the value of local debit and credit card fraud, and 40 times the value of cheque fraud.

But AusCERT's Ingram reckons the banks are actually handling the problem quite well: the battle is being won not by introducing security technologies, such as two-factor authentication or the offer of free antivirus, but through process. Many banks have adopted analytic systems to flag anomalous transactions. When a large transaction is attempted to a previously unknown account, it is flagged and delayed, giving the bank time to check with the account holder whether they authorised the transaction.
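As an added illustration of the process Ingram describes (this is example code, not AusCERT's or any bank's system), the screen below builds a per-account profile of payees already paid and holds a payment for confirmation when the payee is new for that account and the amount is large relative to the account's usual payments. The history, account names and thresholds are constructed for the example.

```python
"""Transaction screen of the kind described in the article: hold large
payments to payees an account has never paid before, so the bank can
confirm them with the account holder before the money leaves."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    account: str   # paying account
    payee: str     # destination account identifier
    amount: float  # dollars


# Constructed payment history (not real data): what each account has paid before.
HISTORY = [
    Txn("acct-1", "payee-rent", 1200.0),
    Txn("acct-1", "payee-power", 180.0),
    Txn("acct-1", "payee-rent", 1200.0),
    Txn("acct-2", "payee-groceries", 95.0),
]


def build_profiles(history):
    """Per account: the set of payees already paid and the median payment size."""
    payees = defaultdict(set)
    amounts = defaultdict(list)
    for t in history:
        payees[t.account].add(t.payee)
        amounts[t.account].append(t.amount)
    return {acct: (payees[acct], median(amounts[acct])) for acct in payees}


def screen(txn, profiles, multiple=3.0, floor=500.0):
    """Return 'allow' or 'hold'.

    A payment is held, pending confirmation with the account holder, when the
    payee is new for this account AND the amount is large: at least `floor`
    dollars and at least `multiple` times the account's median payment.
    Accounts with no history are treated as having no known payees and a
    median of zero, so any payment at or above the floor is held.
    """
    known, typical = profiles.get(txn.account, (set(), 0.0))
    if txn.payee in known:
        return "allow"
    large = txn.amount >= floor and txn.amount >= multiple * typical
    return "hold" if large else "allow"
```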

But if education is a key to stopping the growth of fraud, the obstacles are huge. "It can be useful if you are notified by your institution," says Ingram. Whether or not this occurs, however, is at the discretion of the institution: there is no obligation to inform account holders of a breach, meaning that victims are left in the dark about what other information may have been stolen.

A spokesperson for the Commonwealth Bank said the bank was aware of Holz's research, and that it worked with several external agencies and international security bodies to understand the threats.

The bank did notify the 851 customers, said the spokesperson, and provided them with instructions on how to avoid exposure to such threats in the future. On the bank's side, it locked the compromised accounts, while advising affected customers to change passwords, check their home PCs for potential vulnerabilities, and "take additional precautions when online".

"Furthermore, trust, privacy and security are at the very core of what we offer our customers. The Commonwealth Bank takes security very seriously [and] is committed to actively helping customers protect themselves online. This is demonstrated by offering NetBank customers two-factor authentication, the ability [to] authenticate CBA emails via a personalised 'NetBank Inbox' and discounted internet security software," the spokesperson said.
