Zeus in Cyber Sphere
Zeus Expert at Verizon: Trojans Will Hit Every Channel
Dave Ostertag, global investigations manager for Verizon Business' Investigative Response unit, says Zeus, now in its eighth version and the world's most sophisticated malware, is constantly evolving. This more-than-a-decade-old Trojan, which first appeared in Europe and then made its way to the U.S., is now striking businesses and institutions in Asia-Pacific. It also has been linked to attacks against mobile banking.
"We're just starting to see attacks against mobile devices," Ostertag says. "We have spent a lot of time and have come up with security measures for additional systems on mobile devices, but we really don't have the security on them that we have in more traditional types of systems. We really don't have a lot of detection-prevention systems on mobile devices, and they are wide open, exposing their vulnerability."
Mobile, Ostertag says, is the next, if not already, Zeus target. Zeus' fluid evolution poses great challenges for businesses, governments, financial institutions and law enforcement. But the industry is making headway, Ostertag says, through global collaboration.
During this interview, Ostertag discusses:
- How global agencies and financial institutions are fighting Zeus attacks;
- Measures businesses and institutions can take to protect databases from Zeus attacks; and
- Why emerging banking channels, such as mobile banking, are vulnerable.
Ostertag is the global investigations manager for Verizon Business. With more than 30 years of investigative experience in the government and security arenas, Ostertag coordinates forensic investigations conducted by Verizon's Investigative Response unit. Ostertag has taken the lead on many highly publicized large data compromise investigations over the past few years. In addition, Ostertag is considered a leader in criminal and civil investigative techniques and is a certified expert witness. Ostertag has worked extensively with law enforcement in the investigation, identification, arrest and prosecution of individuals and groups involved in international organized criminal data-compromise and fraud.
Zeus Hits Online Banking, Mobile Banking
TRACY KITTEN: Zeus is branching out from the online channel and is now hitting mobile devices. What can the banking industry and law enforcement expect the future to hold? Dave Ostertag, global investigations manager of the Investigative Response Team for Verizon Business, shares his thoughts.
DAVE OSTERTAG: I've been tracking Zeus since we first saw it in the U.S. I used to work for one of the major financial institutions, a major card brand, and first fought Zeus back in the mid-90s, when we first started seeing it; and I have battled it and worked against it since then, as it has gone through what is now the eighth version of Zeus, as it has been modified and changed through the years, to be a part of that ongoing battle between putting security measures in place and the bad guys modifying what their business practices are to circumvent those security measures.
Zeus: 'Sophisticated' Malware
KITTEN: Zeus, rightly named for its supreme power, is quickly becoming one of the most frightening threats the United States has ever faced. It's the sophistication of Zeus that makes it most concerning. What is it about Zeus that makes it so superior from a malware perspective?
OSTERTAG: I think Zeus is probably the example of the longest-running piece of malware that we've seen, and the reason that it has continued through those years is that it works; it simply works. The makers of Zeus modify it to circumvent whatever security measures are put in place. You have a constant dance of creating a new security measure, circumventing that security measure, and so on. Zeus seems to have first appeared in Europe, and followed a year to two years later in the United States, where first consumers were affected and then businesses and, ultimately, banks. We've seen that same progression in the United States, and now I'm hearing from Asia-Pacific countries, Australia in particular, where they are just starting to battle Zeus, and they're seeing it throughout businesses and banks.
Keyloggers and Man in The Mobile
KITTEN: Zeus is often referred to as a keylogger, meaning it infects a PC and then tracks keystrokes, making it ideal for tracking bank account information. But a few incidents of a Zeus attack on mobile devices have been discovered. Can you explain how this so-called Zeus Mitmo or "man in the mobile" attack works?
OSTERTAG: What is done here is that the authentication piece itself is not compromised. Rather than compromise that, the malware hijacks the session, once the credentials have been used and the secure session is over. So, rather than attack and steal the credentials in these types of attacks, and in similar attacks on non-mobile devices such as laptops and desktop systems, the authentication piece is completed; but the session is open, and typically there is a spoof page that appears on the user's screen that appears to be a legitimate transaction screen. But behind the scenes the script runs and completes its own transaction with the routing number, the account number and the amount generated by the script, and the transaction being conducted by the script has faded long before the user completes what they think is the transaction on the spoof screen. Typically, the user will see another spoof screen, saying that their transaction cannot be completed at this time, such as "Please try it later." Behind the scenes, the script is run with the fraudulent transaction.
Multifactor Authentication: Mobile Banking and Online Banking
KITTEN: One of the things that has come up related to this "man in the mobile" attack is that this type of attack can take advantage of two-factor or two-part authentication measures that have been put into place to actually protect transactions. So, for instance, before a user can log in to his or her online bank account, they have to get an authentication code that is sent to them via text to their mobile device. But, again, it's an attack that is facilitated by the compromise of a PC. So, if a PC is compromised, then this authentication code, in some way, is compromised; then the fraudsters have not only the mobile device, but they also have the PC. What can the industry do to combat those types of attacks?
OSTERTAG: Typically, in those types of attacks, it's not the authentication, again, that is compromised; it's the session itself. We see a lot of, or some level of, success in using systems similar to fraud-prevention systems on credit card accounts, where the history of the account, historical data regarding transactions, is taken into account. Some of the characteristics of the transaction that are taken into account in those types of systems are the amount of the transaction and the ultimate destination bank for the transaction. For instance, if it is someone in the U.S. who typically only does transactions within the U.S. for hundreds of dollars, and suddenly you have a transaction for tens of thousands of dollars or hundreds of thousands of dollars with a bank in another region of the world, that would be something that would trigger out-of-band authentication.
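As an added illustration of the transaction-profiling approach Ostertag describes (example code written for this page, not Verizon's system or anything from the interview), the following builds a profile from an account's past transfers and decides whether a new transfer should trigger out-of-band authentication. The sample history, the tenfold amount threshold and the country codes are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: float        # USD
    dest_country: str    # country of the receiving bank (constructed codes)


# Constructed history for one U.S. customer who normally sends a few
# hundred dollars to domestic banks.
HISTORY = [
    Transfer("acct-1", 250.00, "US"),
    Transfer("acct-1", 480.00, "US"),
    Transfer("acct-1", 120.00, "US"),
    Transfer("acct-1", 310.00, "US"),
    Transfer("acct-1", 275.00, "US"),
]


def build_profile(history):
    """Summarise past transfers: typical and largest amount, known destinations."""
    amounts = [t.amount for t in history]
    return {
        "typical_amount": median(amounts),
        "max_amount": max(amounts),
        "countries": {t.dest_country for t in history},
    }


def needs_out_of_band_auth(tx, profile, amount_factor=10.0):
    """Return (flag, reasons) for a proposed transfer.

    The hijacked-session flow in the interview leaves the login intact, so
    the decision is based on the transaction's own attributes, never on the
    credentials. amount_factor is an assumed tuning knob.
    """
    reasons = []
    far_above_typical = tx.amount >= amount_factor * profile["typical_amount"]
    if far_above_typical and tx.amount > profile["max_amount"]:
        reasons.append(
            f"amount {tx.amount:.2f} is far above typical {profile['typical_amount']:.2f}"
        )
    if tx.dest_country not in profile["countries"]:
        reasons.append(f"destination country {tx.dest_country} never used before")
    return (bool(reasons), reasons)
```

A flagged transfer is held until the customer confirms it on a channel separate from the compromised session; an unflagged one proceeds normally.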
Mobile and Malware
KITTEN: What threat do you see the mobile channel posing for security? Is it more vulnerable to malware or other types of attacks than we think?
OSTERTAG: I don't know if it is more vulnerable, yet. You know, we're just starting to see attacks against mobile devices. I think we have to wait to see exactly how vulnerable they are to these types of attacks. Obviously, it's going to happen. You talk to these guys about why they do a certain thing and they say because it works and because we get money there. We have spent a lot of time and have come up with security measures for additional systems on mobile devices, but we really don't have the security on them that we have in more traditional types of systems. So, I think that right now we really don't have a lot of detection-prevention systems on mobile devices, and they are wide open, exposing their vulnerability; and, obviously, the folks that create these types of malware are looking in that direction and are trying to find vulnerabilities and exploit those vulnerabilities. This is the next area that they are going into and we are just going to have to watch it and combat it as we see them modify their tactics.
Zeus: Finding and Fighting Malware
KITTEN: From a high-level perspective, what are your top recommendations for financial institutions when it comes to protecting, detecting and mitigating the risks associated with Zeus or Zeus-like malware, whether it hits the online channel or the mobile channel?
OSTERTAG: I think that one of the easiest recommendations, the cheapest and the most simple is to use dedicated systems, a laptop or a desktop, that is only used for conducting financial transactions. The system is not used for e-mail or surfing the Internet, and it's not going to get infected if it is only used for those financial transactions. Unfortunately, in the real world, what we find is that employees don't follow the policy and will use those systems for e-mail or to surf the Internet, and those systems ultimately get infected and then have problems with Zeus. Some of the more recent security measures out there, like having a virtual system on a USB stick that opens up a virtual machine on the system that is being used for the financial transaction, is a brilliant idea. The only use for that virtual machine is for ACH transactions or financial transactions. You don't have the possibility of the employee misusing that system against policy for uses other than the financial transactions. Zeus is, for the most part, a Windows-based attack, and use of a Unix system can combat some of those Windows-based pieces of malware. I think that measures in that area are very effective. We have seen some degree of success in using behavior-based detection systems, rather than signature-based, in looking for those activities related to Zeus, such as the hooking activity, where the malware hooks itself to another application. To find it, you have to look for the application it's been hooked to, rather than looking for the malware itself; there has been success in some of those tools, in detecting and ultimately getting rid of Zeus on the systems.
Zeus: Global Law Enforcement Fights Back
KITTEN: We've seen two arrests that were linked to Zeus-related crimes. And those recent arrests prove that law enforcement is taking Zeus seriously. When we get outside the financial industry, of course, law enforcement plays a very important role. What do those arrests tell us about courses of action the U.S. government and law enforcement are taking to fight those crimes?
OSTERTAG: Part of our work at Verizon is working with both U.S. federal law enforcement as well as international law enforcement; and while we can't talk about specific efforts related to fighting Zeus, I think that these arrests show that federal law enforcement in our country and other countries take it seriously, and are looking at Zeus as a product of organized crime, and not just individuals conducting the Zeus scams. So, I think that this is just an indicator to let everybody know that they are truly taking it seriously, and they are truly doing investigations into organized criminal groups and not just individuals. I would say that this is just a precursor for larger and bigger investigations and arrests to come.
Zeus: Financial Institutions and Law Enforcement Partner
KITTEN: The fight against Zeus is an international one. What role does the financial industry play in helping to bring some of these criminals to justice?
OSTERTAG: Well, it's important for the financial industry to report these cases, to work with law enforcement, to give them the fraud losses and any information that the financial institutions have on Zeus-related crimes. And the more information you have, the more complete your investigation is; you know where to look, you know where the players are, and those pieces of information could be the piece that might be a missing piece of information in an ongoing investigation; those kinds of pieces of information could fill in the blanks and give law enforcement the ability to bring the people responsible for a malware crime to justice to face charges.
The Zeus Battle
KITTEN: What final thoughts can you share about how the industry should brace itself going forward? Can we win this battle against malware?
OSTERTAG: I don't think that we'll ever have a win in the war. I don't think that there will ever be an end to it, like you would have in a war between countries, where one country gives up and you don't have the problem anymore. I think the battle of malware is just that, it's a series of battles; we will have some wins, we will have some losses and we will have some push-backs. And it is just going to be a constant battle, and as long as there is data that has value, there are going to be criminals going after that data. I think that some of the efforts that I have seen, as far as exchanging of information and consortiums and sharing information, it's something that has been a long time coming, and I think you are going to see some developments in that area that will put the good guys ahead of the bad guys. The bad guys exchange information and we have been really bad about sharing information within the financial industry, with the investigative firms, and with law enforcement. But we are seeing that information needs to be shared, and communication between the good guys is also going to get up to the level of communication with the bad guys, and we will start winning more of the battles. And Zeus, in particular, won't be as big a problem in, hopefully, the short-term future.