santiago silver - Fotolia

Silence banking Trojan highlights password weakness

The Silence banking Trojan that has hit at least 10 financial institutions has once again highlighted the weakness of using username and password combinations to access accounts

The Silence banking Trojan that has hit at least 10 financial institutions has once again highlighted the weakness of using username and password combinations to access accounts.

The latest banking Trojan to hit financial institutions has perfected the email lure and has extensive monitoring capabilities, but could be defeated using better user authentication, some have suggested.

The Silence Trojan, discovered and named by researchers at security firm Kaspersky Lab, is described as an evolution of the campaign against financial institutions by the Carbanak gang, linked to the theft of $1bn from banks around the world.

Like the Carbanak campaign, Silence spreads by tricking employees at financial institutions to click on a malicious email attachment.

Once launched, the malware monitors employees, abuses legitimate tools for communications, and then ultimately carries out fraudulent transactions.

This time around, however, the attackers – who first targeted banks in Russia and then Malaysia and Armenia, are using hijacked employee email accounts to “contracts” to the bank’s partners.

The next victim receives a phishing message from the address of a real person who works at the bank, which greatly increases the likelihood of a malicious attachment being clicked. The victim, a financial employee, opens the attached “contract”, which is a file with the .chm extension, a Microsoft help file.

Read more about behaviour analysis

The embedded HTML file contains malicious JavaScript code, which loads and activates a dropper that then loads the modules of the Silence Trojan, which operate as Windows services.

Kaspersky Lab researchers have found modules for control and monitoring, screen recording, and communication with control servers, plus a program for remote execution of console commands.

The modules enable the attackers to collect data about the infected network and record images from employees’ screens.

Once the intruders have a thorough understanding of how the victim’s information systems work, they give the order to transfer funds to their own accounts.

“The Silence Trojan is a fresh example of cyber criminals shifting from attacks on users to direct attacks on banks,” said Sergey Lozhkin, security expert at Kaspersky Lab.

“We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed.

“The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture,” he said.

Reminders not sufficient

Kaspersky Lab recognises that reminding employees not to open attachments from external emails is not sufficient, and recommends training sessions and workshops to raise employee awareness.

Such training should not be a series of lectures about threats, but more practical exercises with attack simulations that help to develop employees’ practical skills, the security firm said.

Kaspersky Lab also recommends implementing security controls capable of detecting anomalies in the network at a deep level to detect targeted attacks, configuring strict email processing rules, and enabling security technologies aimed at phishing, malicious attachments and spam.

But according to NuData Security, the key to defending against this kind of cyber attack is improved user authentication to take the onus off of employees and to prevent fraudulent transactions from taking place.

Financial institutions could render employee and customer account credentials useless to attackers by using techniques such as passive biometrics and behavioural analysis, said Ryan Wilk, vice president at NuData Security. “These new technologies are based on observed behaviour over the lifecycle of an employee’s or customer’s interactions, and not simply on a password or a security question,” he said.

Even if attackers are able to steal credentials, said Wilk, they will not be able to use them to finalise a transaction because they will unable to replicate the behavior associated with the account holder.

“This is why validating the user behind the device through a multi-layer authentication strategy is key to devaluing stolen identity data. Rendering personally identifiable information useless will restore the trust on customers and financial institutions,” he said.

Protecting data

Terry Ray, chief technology officer at Imperva, said that because cyber criminals use multi-stage attacks to infiltrate and then move laterally until they get the data they are after, it is essential for all businesses – not just financial institutions – to protect their data.

“At all times, firms need to make sure they understand where their data is located and who is accessing it – it must be monitored. It’s also important to frequently reassess who has access to the data and to determine if that access is appropriate.

“Lastly, make sure your IT operations team is ready to respond to any risky data access immediately to contain threats,” he said.

Read more on Hackers and cybercrime prevention