FBI Warns of New Spear Phishing Campaign Using Zeus Variant “Gameover” Malware While Also Launching DDoS Attack
The FBI is warning the public about a cyber-crime ring that not only steals banking credentials but also launches a distributed denial of service (DDoS) attack on the victim’s financial institution as a diversion.
The red herring is the attackers’ way of pulling attention away from illegal wire transfers and rendering the bank unable to reverse the transactions if they are uncovered, according to the advisory from the cyber squad of the FBI’s Denver field office.
“The campaign involves a variant of the ‘Zeus’ malware called ‘Gameover,’” according to the agency. “The spam campaign is pretending to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed.
Once they click on the link they are infected with the Zeus or Gameover malware, which is able to keylog as well as steal their online banking credentials, defeating several forms of two-factor authentication.” Once the accounts are compromised, the DDoS attack is launched. Due to the actions of hackers associated with Anonymous and other groups, DDoS attacks have gotten a significant amount of media exposure in the past two years. Organizations should have a DDoS response plan in place as part of their security strategy in case they are targeted by the attackers, suggests Mike Paquette, chief strategy officer at Corero Network Security.
“As with all incident response plans, advance preparation is key to rapid and effective action, avoiding an all-hands-on-deck scramble in the face of a DDoS attack,” he said. “A DDoS response plan lists and describes the steps organizations should take if their IT infrastructure is subjected to a DDoS attack…highly capable attackers will switch to different attack sources and alternative attack methods as each new attempt is countered or fails. It is therefore essential the DDoS response plan defines when and how additional mitigation resources are engaged and surveillance tightened.”
The use of DDoS as a diversion as part of a larger attack is something of a surprising turn, but it is also a natural escalation in tactics that may only get worse in the future, opined Kurt Wescoe, vice president of engineering for Wombat Security.
A portion of the wire transfers is being transmitted directly to high-end jewelry stores, which are then visited by money mules who pick up jewelry worth whatever amount was stolen, according to the FBI.
“Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches,” the FBI said. “The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as ‘pending’ and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.”
The FBI in Denver is asking all consumers to be cautious of opening emails from unfamiliar senders.