Account Takeover Scheme Targeting Bank-Related Search Results

Posted May 31, 2018

You’re going to want to Google this preposterous new account takeover scheme. Then again, maybe you’d better not.

Over the past six months, reports have been surfacing about how cybercriminals have found an unexpected mechanism for delivering banking malware to help them steal banking logins, credit card information and more: Your search engine.

It’s actually a new twist on what’s called “Black Hat SEO” or “Search Poisoning” that typically involves thieves creating fake sites, and using phishing attacks and typo-squatting to lure victims. Instead, this new approach involves compromising well-trafficked business websites with plenty of five-star ratings and positive reviews, and then leveraging enviable SEO expertise to boost the sites’ search rankings using financial-related search phrases.

Someone doing a quick search for, say, “axis bank mobile banking download” or “how to cancel a check commonwealth bank,” sees the innocuous-looking, five-star search result and clicks. A Word document containing malware is automatically downloaded, and the user is tricked into enabling macros, which install a variant of the Zeus Panda bank credential-stealing Trojan on their computer.
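The delivery chain described above (search-engine result, landing page on a compromised site, then an Office document pulled from that same site seconds later) leaves a recognisable pattern in web proxy logs. The following Python script is an added example, not code from the original post or from ThreatMetrix: it correlates, per client, a landing page reached from a search-engine referrer with a subsequent Word document download from the same host, and raises the severity when the search query contained banking terms. The log format, domains, addresses and the two-minute window are constructed assumptions for illustration.

```python
"""Flag the search-result -> landing page -> Word document chain in proxy logs.

Added example; the log format below is constructed (pipe-separated):
timestamp|client_ip|url|referrer|content_type|status
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Assumed list of search-engine hosts whose referrers carry a "q" query parameter.
SEARCH_ENGINE_HOSTS = ("www.google.com", "www.bing.com", "duckduckgo.com")
OFFICE_CONTENT_TYPES = {
    "application/msword",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx")
# Tokens that mark a financial-themed search (assumed, extend for your own use).
FINANCIAL_TERMS = {"bank", "banking", "check", "cheque", "loan", "credit"}
WINDOW = timedelta(seconds=120)  # landing page to document download (assumed)

# Constructed sample log: one banking-themed chain, one non-financial chain,
# and one document fetched without any search-engine landing page.
SAMPLE_LOG = """\
2018-05-30T09:12:01|10.0.0.5|https://compromised-reviews.example.test/axis-mobile-banking/|https://www.google.com/search?q=axis+bank+mobile+banking+download|text/html|200
2018-05-30T09:12:04|10.0.0.5|https://compromised-reviews.example.test/files/axis_mobile_banking.doc|https://compromised-reviews.example.test/axis-mobile-banking/|application/msword|200
2018-05-30T09:15:10|10.0.0.7|https://news.example.test/story|https://www.google.com/search?q=weather+today|text/html|200
2018-05-30T09:15:12|10.0.0.7|https://news.example.test/report.docx|https://news.example.test/story|application/vnd.openxmlformats-officedocument.wordprocessingml.document|200
2018-05-30T09:20:00|10.0.0.9|https://intranet.example.test/policy.docm|https://intranet.example.test/|application/vnd.ms-word.document.macroenabled.12|200
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, client, url, referrer, ctype, status = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "referrer": referrer, "ctype": ctype, "status": int(status)}


def search_query(referrer):
    """Return the search query if the referrer is a known search engine, else None."""
    parsed = urlparse(referrer)
    if parsed.netloc not in SEARCH_ENGINE_HOSTS:
        return None
    return parse_qs(parsed.query).get("q", [""])[0]


def is_office_download(entry):
    """True when the response looks like a Word document, by MIME type or extension."""
    path = urlparse(entry["url"]).path.lower()
    return entry["ctype"].lower() in OFFICE_CONTENT_TYPES or path.endswith(OFFICE_EXTENSIONS)


def detect_chains(log_text):
    """Correlate search-engine landings with same-site document downloads per client."""
    landings = {}  # client -> (landing entry, search query)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["status"] != 200:
            continue
        query = search_query(entry["referrer"])
        if query is not None and not is_office_download(entry):
            landings[entry["client"]] = (entry, query)  # remember the landing page
            continue
        if not is_office_download(entry):
            continue
        landing = landings.get(entry["client"])
        if landing is None:
            continue  # document fetched without a preceding search-engine landing
        land_entry, query = landing
        same_site = urlparse(entry["url"]).netloc == urlparse(land_entry["url"]).netloc
        in_window = timedelta(0) <= entry["ts"] - land_entry["ts"] <= WINDOW
        if same_site and in_window:
            financial = bool(set(query.lower().split()) & FINANCIAL_TERMS)
            alerts.append({
                "client": entry["client"],
                "query": query,
                "document_url": entry["url"],
                "severity": "high" if financial else "low",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_LOG):
        print(alert)
```

The rule deliberately keys on the chain rather than on any indicator of the document itself, so it still fires when the lure file is swapped; the severity split keeps legitimate document downloads that happen to follow a search (the second client above) visible but low priority. In production the same correlation would read the proxy's real field layout and the alert would go to whoever handles Office macro execution on the endpoint.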

In short, this attack modality isn’t just inventive. It targets active users of online and mobile banking. And stopping this kind of attack is proving harder than anyone may have expected.

Sophisticated—And Successful

This may seem like a lot of trouble to steal someone’s logins—especially when whoever’s pulling it off could clearly make a fortune in legitimate search engine marketing.

But it’s apparently well worth it. In a new study, Ponemon Institute finds successful cyberattacks against the financial services industry have tripled over the past five years. On average, the cost to financial institutions hit by these attacks has climbed to $18.28 million last year, compared to $11.7 million per firm across all industries.

According to SC Magazine, these attacks typically involved either criminals wielding stolen login credentials or a long list of financial malware—Gozi, Dridex, Zeus Panda, TrickBot and others—used to steal them.

A couple of interesting data points emerge from these reports. The first is that these SEO poisoning attacks are probably not the work of lone wolves or youthful miscreants with too much time on their hands. Instead, they’re likely run by highly organized criminal networks possessing the wherewithal to produce sophisticated source code aimed at snaring high-value targets.

More Russia, Less Roulette

The second interesting note here: The Zeus Panda Trojan used in the search poisoning ploy checks the keyboard mapping on the victim’s computer. If the layout is Russian, Belarusian, Kazakh or Ukrainian, the malware doesn’t fully activate. Perhaps it’s coincidence, but the fact that the malware leaves out these languages could be a significant tell.

As it happens, cybercriminals in Russia and former communist bloc countries are known to favor launching account takeover attacks outside their own region—in this case, India and the Middle East. Why? In part because Russian authorities are known to turn a blind eye to such activities—so long as those attacks target victims in other countries.

That would jibe with our own data. According to the Q1 2018 Cybercrime Report from ThreatMetrix, 65 percent of all financial industry account takeover attacks come from central and eastern EMEA, including the Russian Federation. Indeed, last quarter, Russia ranked (along with Vietnam) as the No. 1 source country for cyberattacks.

The Search for Answers

To a certain extent, Google has slowed down SEO poisoning attacks through its preference for “https,” which basically means cyberthieves have to factor encryption into their efforts to rank highly in search results. And Google and other search engines clearly have an incentive to reduce the ability of organized crime rings to conduct these kinds of operations.

But banks and other financial institutions looking to protect themselves and their customers from SEO poisoning and other attacks will want to have more robust protections in place.

Our own digital identity-based assessment solutions, for instance, combine advanced behavioral analytics and machine learning to accurately authenticate customers logging in to online and mobile banking accounts and detect nascent threats, such as Trojans and malware.

Beyond malicious software and compromised devices, the ThreatMetrix solution also recognizes and blocks cybercriminals leveraging login credentials obtained through other tricks, whether it’s phishing email, shared passwords or by way of the dark web—even if it’s a thief’s first account takeover attempt. Plus, it all happens in real time, without causing friction for legitimate users.

Of course, until our financial institutions put either this or other solutions in place, we may all find ourselves looking twice before clicking on bank-related search results.

See how Lloyds Banking Group uses digital identity-based assessment solutions to dramatically reduce fraud loss from account takeover attacks in an exclusive case study.

Alisdair Faulkner

Chief Identity Officer, Business Services, LexisNexis Risk Solutions
