Criminals have recently hijacked the wire payment switch at several US banks to steal millions from accounts, a security analyst says.
Gartner vice president Avivah Litan said at least three banks were struck in the past few months using "low-powered" distributed denial-of-service (DDoS) attacks meant to divert the attention and resources of banks away from fraudulent wire transfers occurring at the same time.
The losses "added up to millions [lost] across the three banks", she said.
"It was a stealth, low-powered DDoS attack, meaning it wasn't something that knocked their website down for hours."
The attack against the wire payment switch -- a system that manages and executes wire transfers at banks -- could have resulted in far greater losses, Litan said.
It differed from traditional attacks, which typically took aim at customer computers to steal banking credentials such as login information and card numbers.
While it was unclear how the attackers gained access to the wire payment switch, fraudsters could have targeted bank staff with phishing emails to plant malware on bank computers.
RSA researcher Limor Kessem said she had not seen the wire payment switch attacks in the wild, but the company had received reports of the attacks from customers.
"The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first," she said.
"That's when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place."
Litan declined to name the victim banks but said that the attacks did not appear linked to recent hacktivist-launched DDoS attacks against US banks since they were entirely financially driven.
Researchers at Dell SecureWorks in April detailed how DDoS attacks were used as a cover for fraudulent attacks against banks.
The researchers said fraudsters were using Dirt Jumper, a $200 crimeware kit that launches DDoS attacks, to draw bank employees' attention away from fraudulent wire and ACH transactions ranging from $180,000 to $2.1 million in attempted transfers.
Last September, the FBI, Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center issued a joint alert about the Dirt Jumper crimeware kit being used to prevent bank staff from identifying fraudulent transactions.
In the alert, the organisations said criminals used phishing emails to lure bank employees into installing remote access trojans and keystroke loggers that stole their credentials.
In some incidents, attackers who gained the credentials of multiple employees were able to obtain privileged access rights and "handle all aspects of a wire transaction, including the approval," the alert said – a feat that sounds daringly similar to recent attacks on the wire hub at banks.
"In at least one instance, actors browsed through multiple accounts, apparently selecting the accounts with the largest balance."
Litan suggested that financial institutions "slow down" their money transfer system when experiencing DDoS attacks in order to minimise the impact of such threats.