Malware For Lease

A new botnet is helping cybercriminals phish for community bank customers

Computer hackers typically cast their phishing nets expecting to hook megabank customers. After all, the overwhelming odds are that most computers infected by random phishing emails or drive-by malware infections from nefarious websites will be owned by customers of the largest chain banks.

But what about all those phishing emails that catch community bank customers? In the past, many hackers haven’t had the resources to make use of those infected computers.

Well, that’s not necessarily the case anymore. Some cybercriminals with no technical backgrounds are paying to use other cybercriminals’ special botnets to cheaply launch customized phishing expeditions aimed at previously lower-value targets: community bank customers.

Through various phishing attacks driven by a botnet platform called Vawtrak, cybercriminals are commandeering infected computers to harvest the online banking passwords of more bank customers. Last fall Vawtrak became the second most common malware family delivered via phishing downloads, according to Sophos Ltd., a security company in the United Kingdom that discovered the botnet.

What Banks Can Do
Community banks can take an active approach to protect their customers against Vawtrak botnet attacks. Here are a few cybersecurity steps to consider:

  • Offer two-factor authentication and require customers to take advantage of it.
  • Step up monitoring for suspicious activity, such as a higher-than-normal number of new payees being added at once.
  • If a phishing campaign is discovered, track down the original phishing emails and warn customers to watch out for them.
  • For the duration of a cyberattack campaign, stop automatic approvals of unusual high-value money transfers between accounts, large withdrawals, ACH payments to new destinations or wire transfers.
  • Call the customer to confirm unusual or particularly large transactions, have the customer come to an office in person or have the customer call in to confirm it.
  • When confirming a customer’s identity by phone, ask additional questions, like which branch the customer normally visits. Don’t forget that a hacker may be able to spoof the number they are calling from, and may already have access to the customer’s computer files and social media accounts, so answers to common security questions (birthdays, pet names, addresses) may be known to the attacker.
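The monitoring and hold rules in the two transaction-related steps above can be expressed as simple detection logic. The following is an added example, not code from the Independent Banker article or from any bank's fraud system; the event fields, thresholds (three new payees within an hour, a $10,000 "large" amount) and the sample transactions are constructed for illustration.

```python
"""Added example (not from the article): toy transaction monitoring for the
patterns the sidebar names, a burst of new payees added to one account and,
while a phishing campaign is active, money movements that should be held
for out-of-band confirmation instead of being approved automatically.
All thresholds, field names and sample events are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str          # "new_payee", "ach", "wire", "transfer" or "withdrawal"
    amount: float = 0.0
    dest: str = ""     # payee or destination account identifier


def new_payee_bursts(events, window=timedelta(hours=1), threshold=3):
    """Return {account: peak_count} for accounts that added at least
    `threshold` new payees inside any sliding window of length `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e.kind == "new_payee":
            by_account[e.account].append(e.ts)
    flagged = {}
    for acct, stamps in by_account.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it spans <= `window`
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[acct] = best
    return flagged


MONEY_MOVEMENTS = {"ach", "wire", "transfer", "withdrawal"}


def hold_for_review(e, known_dests, campaign_active, large_amount=10_000.0):
    """True when a movement needs a call-back or in-person confirmation.
    Large amounts are always held; during an active campaign, wires and any
    ACH or transfer to a destination the account has never paid are held too.
    `known_dests` maps account -> set of destinations seen before the campaign."""
    if e.kind not in MONEY_MOVEMENTS:
        return False
    if e.amount >= large_amount:
        return True
    if campaign_active:
        if e.kind == "wire":
            return True
        if e.kind in {"ach", "transfer"}:
            return e.dest not in known_dests.get(e.account, set())
    return False


# Constructed sample activity: acct-1001 adds three payees in 12 minutes and
# pays one of them; acct-2002 behaves normally; acct-3003 sends a large wire.
T0 = datetime(2015, 3, 2, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "acct-1001", "new_payee", dest="payee-A"),
    Event(T0 + timedelta(minutes=5), "acct-1001", "new_payee", dest="payee-B"),
    Event(T0 + timedelta(minutes=12), "acct-1001", "new_payee", dest="payee-C"),
    Event(T0 + timedelta(minutes=20), "acct-1001", "ach", 2_400.0, "payee-C"),
    Event(T0, "acct-2002", "new_payee", dest="payee-D"),
    Event(T0 + timedelta(days=3), "acct-2002", "new_payee", dest="payee-E"),
    Event(T0 + timedelta(days=3, hours=1), "acct-2002", "ach", 300.0, "payee-D"),
    Event(T0 + timedelta(hours=2), "acct-3003", "wire", 15_000.0, "bank-X"),
]
KNOWN_DESTS = {"acct-2002": {"payee-D"}, "acct-3003": {"bank-X"}}


def run(events=SAMPLE_EVENTS, campaign_active=True):
    """Return (accounts with payee bursts, events to hold for confirmation)."""
    bursts = new_payee_bursts(events)
    held = [e for e in events if hold_for_review(e, KNOWN_DESTS, campaign_active)]
    return bursts, held


if __name__ == "__main__":
    bursts, held = run()
    print("payee bursts:", bursts)
    for e in held:
        print(f"HOLD {e.account} {e.kind} {e.amount:.2f} -> {e.dest}")
```

With the campaign flag set, the sample run flags acct-1001's payee burst and holds both its ACH to the just-added payee and acct-3003's $15,000 wire; with the flag cleared only the large wire is held, which is the "for the duration of a cyberattack campaign" behaviour the sidebar describes.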

—Maria Korolov

The Vawtrak botnet has been used against the common big brands in banking, including Bank of America, JPMorgan Chase, Citibank and Wells Fargo. But more recently it also has been used to target regional financial institutions. And community banks are likely just as vulnerable to the Vawtrak outsourcing business model, says Maxim Weinstein, senior manager at Sophos. “Vawtrak does make bank account theft available to a broader audience of attackers, including those without the technical skill to develop or operate their own banking malware,” he says.

Many botnets are used for phishing attacks against banks. What makes Vawtrak unusual is that it specializes in targeting smaller regional and community banks, and that its operators do the hacking on behalf of their unsophisticated criminal customers. As a result, essentially anyone, anywhere can hire Vawtrak to gather login credentials and transfer money out of a bank’s customer accounts.

Making money indirectly from cyberattacks through its crimeware-as-a-service model, Vawtrak’s owners have been renting out their botnet platform to other, less sophisticated cybercriminals. Specialists with the Vawtrak botnet even step in to write custom attack code, design realistic Web pages or write highly credible emails for their criminal clients, who never have to learn how to program software to commit cyberattacks.

Weinstein points out that none of the tactics Vawtrak uses are new or innovative. Other hackers have used them as well. The worrisome new development is that they are available to a much larger segment of the criminal population, and are easy enough to customize to make it worthwhile for them to go after smaller and smaller targets.

Read full article at Independent Banker.