The number of customers that RBS has – many of whom found themselves struggling to log on to the bank’s online banking on 31 July this year due to a distributed denial of service (DDoS) attack launched by cyber criminals. The attack targeted RBS on a date that would have been payday for many of its customers – plenty of whom took to social media to vent their frustrations at not being able to access their accounts.
A DDoS attack targets an organisation’s servers and floods them with traffic, often from hundreds of unique IP addresses, in order to block legitimate users from accessing the service.
The attack on RBS was the latest example of a growing and worrying trend. Until recently, the victims of DDoS attacks have tended to operate in unregulated, even illicit sectors, such as online gaming, and are therefore unlikely to contact the authorities for help.
Now, however, cyber criminals are regularly contacting legitimate businesses operating in the private sector and extorting ransom payments in return for refraining from or stopping DDoS attacks. Payment is typically made in the anonymous online currency, Bitcoin.
The number by which attacks by extortion hacker group DD4BC spiked to globally in June alone, according to Met Police’s cyber crime unit FALCON. Little is known about the location of DD4BC, or even whether it is a single group or several in different parts of the world, but its victims report a similar method of attack: a ransom demand followed by a short DDoS attack to demonstrate the potential impact. If the victim refuses to pay the Bitcoin ransom, more money is demanded and a full-scale attack is launched.
In May this year, the group targeted a number of high-profile organisations in Switzerland, prompting the Swiss Governmental Computer Emergency Response Team to warn companies about the threats other firms were facing from DD4BC.
The team also advised victims on how best to respond, telling them: “Rather than give in and pay DD4BC a certain amount of Bitcoins, we recommend that victims talk to their internet services provider (ISP) to discuss mitigation techniques, such as IP-based rate limiting or a [temporary] Geo IP address filter.” Affected firms were also urged to file a criminal complaint at their local police station.
Europe's first cyber security ETF launched
In a move that underlines growing investment in cyber security, ETF Securities and ISE ETF Ventures recently launched Europe’s first cyber security exchange-traded fund (ETF).
The ETF will include a number of listed cyber security companies that cover activity from both emerging and established organisations.
74%
The proportion of the UK’s adult population using the internet to buy goods and services as of 2013, while the nation’s estimated online spend that year was £91bn. As the number of e-shoppers in the UK grows, so does the threat that the nation’s firms face from cyber attacks, as criminals exploit the increasing use of digital technology by businesses and their customers.
“The G20 has stated that the UK is the most cyber dependent economy of its member nations,” noted the nation’s National Crime Agency (NCA) in a summary of its National strategic assessment of serious and organised crime 2015. “This growth has led to a rise in the threat to the UK from cyber crime.”
The amount a DDoS attack can cost the victim per hour, according to research by information services and analytics firm Neustar. And this is before you factor in the loss of trust from an affected company’s customers.
The FBI warned of the dangers that such attacks pose to businesses after more than 100 companies in the US, including banks and brokerages, received DDoS threats between April and August this year.
Five-figure sums are typically what cyber criminals demand from their victims. And with the demand comes a dilemma: to pay up or not? When companies have a reasonable idea of the identity of their would-be attacker, the decision is relatively simple: some are known not to follow up on their demands, and can be ignored. Others will take the payment and then attack over and over again with renewed and increasing ransom demands. Some use DDoS attacks as a smokescreen to hide other activities, such as the theft of data or money.
As the NCA’s report states: “There is a growing threat from multi-step, blended attacks. Examples include the use of DDoS attacks as a deliberate tactic to divert a victim organisation’s system defences. Under the cover of the diversionary DDoS, a more damaging network intrusion or exfiltration attack is then launched.”
But what, exactly, can financial institutions do to protect their customers’ data, their reputation and their profits? Effective defences typically combine attack detection, traffic classification and response tools, so that the system is able to block illegitimate traffic, while allowing legitimate users to access the site.
Some organisations may simply choose to weather the attack rather than pay either a ransom or the cost of increasing their systems’ security. But with cyber attacks on the rise, adopting such a strategy represents a huge gamble for financial services firms.
New dogs, old tricks
Cyber criminals are learning lessons from old-fashioned financial chicanery, writes George Littlejohn MCSI
In mid-August, US investigators unveiled what the Securities and Exchange Commission Chair Mary Jo White called a “brazen” insider-trading scheme, “unprecedented in terms of the scope of the hacking, the number of traders involved, the number of securities unlawfully traded and the amount of profits generated”.
For more than five years, hackers and traders across the US, Ukraine, Russia and other countries worked together to intercept more than 150,000 press releases from newswires to investors, using the advance notice of results and mergers to pocket $100m or more from illicit trades. White, speaking alongside Secretary of Homeland Security Jeh Johnson, added: “The traders were market-savvy, using equities and options … to maximise their profits.”
This sophistication is the worrying new face of the cyber underworld. One gang of crooks lifted millions online from British banks, using an alarming new type of Trojan, a common piece of malware designed with theft in mind. This variety was different in one key respect – it could hide or appear to have died, giving the impression it had been deleted, only to reinstall itself later.
The bright sparks who created the nasty beast littered the code with fragments of Shakespeare’s Merchant of Venice, for no apparent reason. This new malware was first identified by Gal Frishman, Malware Research Group Leader at Trusteer, a computer security division of IBM. Frishman, who is based in Tel Aviv, dubbed the malware ‘Shylock’ and galvanised the global efforts to bring it down, involving enforcement agencies in the UK, the US and elsewhere.
The literate crooks were based in Russia, where cyber crime can be as glamorous and highly paid a career option as working for Goldman Sachs or Google is in the west. Surprisingly to some, the Russian authorities co-operated. Europol persuaded Eugene Kaspersky, eponymous founder of one of the world’s leading security-software makers, to get the Soviet registry – through which much of the scam was run – to suspend 75 Shylock domains, allowing the scheme to be attacked and destroyed.
Sir David Omand, former Director of GCHQ and UK Intelligence Co-ordinator and now Visiting Professor at King’s College London, told the Review that these two cases are just the latest examples that illustrate the growing threat from cyber generated and cyber enabled crime.
Sir David says: “The global reach of the internet brings endless opportunities for criminals to rake in multiple gains from a single type of attack and to exploit traditional insider dealing, thanks to the way that information becomes vulnerable through being communicated on the internet.
“Such is the power of the internet as a medium for spreading disinformation that, as a recent hack demonstrated, it is not hard for criminals to short stocks before spooking a market.”
He warns: “Expect more upsets.”
The original version of this article was published in the September 2015 print edition of the Review.
Combating Financial Crime & Managing Cyber Security exams
We are currently changing the structure and content of our Certificate in Combating Financial Crime.
From late 2015, a new Combating Financial Crime unit will be available. This updated syllabus has an increased international focus and an emphasis on the practitioner response to financial crime.
It is designed to complement a new unit Managing Cyber Security. This will be examined for the first time in January 2016.
The two units will be available as standalone awards, and in partnership as the Level 3 Certificate in the Prevention of Financial and Cyber Crime.