DDoS Attacks Behind Unauthorized Wire Transfers, ACH Fraud: Report


Distributed denial-of-service attacks are primarily seen as a nuisance to companies that rely on the Internet to conduct business, but a new study has found an attack scenario that has been successful in draining up to $2.1 million from a bank account.

Security researchers at Dell SecureWorks said a short-lived DDoS attack against a financial institution could be an indicator of an unauthorized wire transfer. The firm said it has worked closely with banks and other financial firms affected by the Dirt Jumper DDoS attacks and determined that a technique being used by financially motivated cybercriminals involved a short-lived "test" DDoS attack to determine if the botnet being used could cripple the targeted bank site.

"If the test was successful, then the threat actor performed another DDoS attack in the near future, but this time the DDoS attack occurred shortly after an unauthorized wire or Automated Clearing House (ACH) transfer out of a compromised account," according to the Dell SecureWorks report issued last week. "The fraud attempts were nontrivial and were usually in the six-figure range, with some attempts in the millions of dollars."


The wire transfers were being sent to banks in Russia, Cyprus and China, Dell SecureWorks said. The attack patterns the study found showed that short-lived denial-of-service attacks were an indicator of an unauthorized wire transfer, while longer attacks, lasting hours to days, were indicators of fraudulent ACH transfers. The total dollar value of attempted fraud ranged from $180,000 to $2.1 million.

The financial industry is well aware of the technique, which was first spotted in September 2012. The Financial Services Information Sharing and Analysis Center (FS-ISAC) issued a fraud alert warning about DDoS attacks and the use of the Dirt Jumper botnet to carry them out.

"The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer," the FS-ISAC said in its alert.

The FS-ISAC urges financial institutions to monitor website traffic closely for spikes and to have a plan in place for notifying the staff who handle wire transfer requests so they can scrutinize those requests more closely. Out-of-band authorization of transfers can also help mitigate the risk of a successful attack.
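The correlation the report and the FS-ISAC alert describe (an outbound transfer shortly before a DDoS begins, with short bursts pointing to wire fraud and hours-to-days attacks to ACH fraud) can be turned into a simple review trigger. The following is an added example, not code from Dell SecureWorks or the FS-ISAC; the two-hour lookback, the 30-minute cutoff for "short-lived", and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DdosEvent:
    start: datetime
    end: datetime

@dataclass
class Transfer:
    ref: str
    kind: str        # "wire" or "ach"
    amount: int      # USD
    submitted: datetime

# Assumed thresholds (not from the report): lookback before a DDoS start, and the cutoff for "short-lived".
LOOKBACK = timedelta(hours=2)
SHORT_ATTACK = timedelta(minutes=30)

def flag_transfers(transfers, attacks, lookback=LOOKBACK, short_attack=SHORT_ATTACK):
    """Transfers submitted within `lookback` before a DDoS began, tagged with the fraud pattern its duration suggests."""
    flagged = []
    for atk in attacks:
        pattern = "wire" if atk.end - atk.start <= short_attack else "ach"
        for t in transfers:
            lead = atk.start - t.submitted
            if timedelta(0) <= lead <= lookback:
                flagged.append({
                    "ref": t.ref,
                    "kind": t.kind,
                    "amount": t.amount,
                    "minutes_before_attack": int(lead.total_seconds() // 60),
                    "attack_pattern": pattern,
                    "pattern_matches_kind": pattern == t.kind,   # mismatch still merits review
                })
    return flagged

# Constructed sample data: a 15-minute burst, then an 8-hour attack three days later.
T0 = datetime(2013, 4, 22, 9, 0)
T1 = T0 + timedelta(days=3)
SAMPLE_TRANSFERS = [
    Transfer("W-1001", "wire", 450_000, T0 + timedelta(minutes=20)),
    Transfer("W-1002", "wire", 5_000, T0 + timedelta(hours=6)),   # submitted after the burst
    Transfer("A-2001", "ach", 180_000, T1 - timedelta(hours=1)),
]
SAMPLE_ATTACKS = [
    DdosEvent(T0 + timedelta(minutes=35), T0 + timedelta(minutes=50)),
    DdosEvent(T1, T1 + timedelta(hours=8)),
]
```

Each flagged entry is what the wire desk would receive for manual confirmation; the `pattern_matches_kind` field only ranks the hit, it never clears it.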

The FBI warned about a similar technique in 2011, used by the cybercriminals behind the Zeus Gameover banking Trojan, in which DDoS attacks accompanied fraudulent wire transfers sent to high-end jewelry stores.

Dell SecureWorks said DDoS is an increasingly used tool because automated attack tools are easy to obtain and botnet services can be rented at relatively low cost. Dirt Jumper, which is also called Pandora, can be purchased for $200. At least four other DDoS tools similar to Dirt Jumper exist, helping fuel waves of new attacks, the firm said.

PUBLISHED APRIL 29, 2013