Scammers have fled the US and are attacking Australia following America's crackdown on fraudsters, according to National Australia Bank head of cyber security Nick Scott.
The recent attempts to defraud Aussie bank customers spiked after US federal law enforcement were given presidential orders to hunt down fraudsters, he said.
"[Barack] Obama said to go out and grab these criminals however they can, but unfortunately this had the effect of making us the un-burnt forest of fraud.
"You [Obama] just created a fire in our own backyard," Scott said.
The dominance of the Big Four banks meant the land Down Under was a good place to attack, he said. Some 80 percent of Australians are signed up with the four major banks meaning phishing and malware attacks against those institutions have a good chance of stealing funds.
"You might pick up 20 percent of the population with your trojan," Scott said. "That's a pretty good return on your investment."
Know your enemy
Understanding the end-to-end process by which online fraud is conducted was key to maintaining both vigilance and protecting customers, Scott said.
In a presentation at RSA Asia Pacific in Singapore today, Scott detailed the production and circulation process of banking malware.
About 80 percent of the trojan code base and phishing mechanisms remained constant across different attack campaigns. The remaining 20 percent would be customised to suit the particular e-commerce organisation under attack.
Elements like scripting would be tailored to target a bank's online sign up form, for example.
These attacks often contained give-aways that would reveal a compromised account or pending attack campaign, Scott said.
An examination of log data, for example, could show a script which filled out step 10 in a form before step one. This ran contrary to the sequential manner in which legitimate customers would fill out a form.
"Don't throw away your errors," Scott said. "If you expect five fields and six come back, you'll want to freeze that customer's account because they have been owned."
Spam was also a "gold mine" of intelligence, he said. It was so valuable in fact that Scott ran 15 fake online businesses as honeypots to collect attack data.
The 'proprietors' of these businesses, one of which was a mechanic in the US, operated "quite ordinary security controls," Scott said.
He told security practitioners to keep copies of Spam emails because they indicated attack campaign trends and could help organisations to tweak their security systems in advance of attacks.
Other tips to stay ahead of emerging attacks included maintaining an RSS feed of security news reports. He said every major news story in at least the last five years had been incorporated into fraud campaigns.
"If there's an earthquake in Indonesia, change your monitoring rules to look for 'earthquake Indonesia'".
Scott also detailed the common processes core to malware attack campaigns (see slideshow) which included man-in-the-middle attacks and capturing of two-factor authentication tokens.