A recent wave of attacks targeting enterprise banking solutions has been observed in Luxembourg and Europe. The attackers perform illegal money transfers from the enterprise banking solutions by stealing the PIN to unlock the smart card and abusing the application with their malware installed on the victims’ PC. To achieve this, attackers combine several social engineering techniques (e.g. via email, phone, conventional mail) with the installation of remote management software. We strongly recommend any user of such solution to review below recommendations and ensure that the infrastructure used for such services is secure and adequate.
Recommendations to prevent this fraud
In order to maximize resilience against this kind of fraud, CIRCL recommends the implementation of the following points:
- Use a dedicated computer for bank transactions. This means, a computer is used for nothing else than bank transactions.
- When using a card reader: insert your smart card only for the time of your transaction. Remove the card immediately from the reader after and never leave it unattended in the reader.
- Limit the software on this computer to a bare minimum. No web browsing allowed outside the scope of banking transactions; specific attentiveness required when dealing with emails (see paragraph about awareness).
- Remove unused plug-ins and extensions from the browser. If specific plug-ins are required, keep them always up-to-date.
- Automatically update the operating system as soon as new updates are released.
- Control the network: let this dedicated computer only access the Internet on dedicated hosts and ports required by the banking application.
- Prevent lateral movements of attackers: disable all local open network services or use a local firewall to make them inaccessible.
- Raise awareness of the users:
- If you encounter any maintenance message (on the screen, via phone or by conventional mail), contact the service provider and ask for clarification.
- Don’t trust the caller-ID on the telephone. Attackers are using similar looking telephone numbers and spoofed telephone numbers in order to establish a trust relationship.
- Don’t open Emails or their attachments of people you don’t expect to receive emails from.
- Don’t click on or enter URLs you have received via mail or the phone.
- Critical file types not to open or to double check with the IT security department (or CIRCL) from untrusted parties: Word, Excel, Screensaver, Exe-files, Rar, Zip, PDF.
- Don’t become a victim of phishing or targeted spear phishing targeting corporate executives.
- Don’t use the computer for anything else than dedicated financial usage. Consider strict network separation and monitoring. Consider separation in virtual machines.
- Don’t be afraid to ask if something looks unfamiliar.
- Don’t let yourself be put on pressure by co-workers, on-screen messages, callers or conventional mails.
If you are a victim of this fraud
- Contact the bank(s) and the financial application service operator to immediately block the fraudulent transactions and the smart cards.
- Take a forensic memory dump of the system if it is still running.
- Then take a forensic disk image of the disk.
- After verifying the integrity of the forensic disk image and store the disk in a safe place. If possible, take another copy of the disk.
- Contact CIRCL if you want to request technical support for any kind of analysis.
- Contact the police if you intend to prosecute the attackers.
- Install a new system from trusted media: operating system and banking systems.
- Change the PIN of the SmartCard on this new clean system.
Don’t ever expect that an AntiVirus product is able to clean-up properly an infected system. Even if it demonstrates you that it cleaned-up parts of the infection, unknown infections are likely to remain.
Reinstallation of the system is the only trusted way of continuing your work.
Support from CIRCL
CIRCL can support you in various situations, from technical trainings to incident response. The support for the topics covered in this technical document includes:
- Technical training for Local Incident Response Teams.
- Get access to Indicators of Compromise sharing database (MISP) including indicators for similar threats.
- Get access to Dynamic Malware Analysis (DMA) system
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.0 - TLP:WHITE - First version (20150518)
- Version 1.1 - TLP:WHITE - Second version (updated with phone-call techniques) (20170509)