An analysis of Microsoft's takedown of a cyber fraud ring that stole hundreds of millions of dollars from bank accounts brings to light the growing sophistication of malware and keylogger makers, who mostly manage to stay a step ahead of antivirus software designers and corporate security officers.
The dismantling, which the software giant announced last month, took out roughly 1,000 of about 1,460 connected computers that were allegedly used to drain more than $500 million from accounts at financial institutions over the past 18 months, according to the company.
"What's interesting about the botnet is that companies can really be at the top of their game in maintaining security throughout their networks and the data they hold, and consumers can be diligent about changing their passwords frequently, but if there's a keylogger on your machine, none of that matters," says Mark Szpak, a partner with the law firm of Ropes & Gray who specializes in data breaches and privacy. "It's a great illustration of the threat that financial institutions and anyone who handles consumer information of any sort are up against."
Because the malware can record keystrokes and disable anti-virus software, it effectively circumvents financial institutions' warnings to customers to be sure they've installed the latest malware protections. "It defeats a lot of the advice consumers are getting," Szpak notes.
Distribution of the malware also amplifies the harm it can do. At least 82 people worldwide have purchased the Citadel botnet used in the attacks from the malware's creator, who is believed to operate from Eastern Europe, according to Microsoft.
The perpetrators remain at large, although the FBI reportedly is working with law enforcement officials abroad to apprehend suspects in what is said to be a probe in its advanced stages. Last month, Microsoft and the FBI seized computers from locations in Pennsylvania and New Jersey, the company said.
"We don't know where everyone is right now but the assumption is there are a lot of people in many countries involved, including the U.S.," says Greg Garcia, a former assistant secretary for cybersecurity at the U.S. Department of Homeland Security, who is advising the Financial Services-Information Sharing and Analysis Center and other industry groups in connection with the investigation.
The thieves allegedly used pirated copies of Microsoft's Windows operating system to deploy malicious software known as Citadel that lashed together as many as five million computers worldwide.
Microsoft, which worked in tandem with the FBI, the Financial Services-Information Sharing and Analysis Center and other industry groups to engineer the operation, charged in papers filed with the U.S. District Court in Charlotte that Citadel, a variant of Zeus, has the ability to block software that aims to safeguard computers from viruses.
The commandeered machines enabled thieves to monitor and record keystrokes, which the ring used to drain funds from victims' accounts at JPMorgan Chase, Bank of America, Citigroup, Wells Fargo, Credit Suisse, American Express and PayPal.
The Microsoft/FBI crackdown comes amid a series of efforts by the government to go after cyber thieves. In January, officials in Malaysia arrested an Algerian hacker they accused of using Zeus to engineer more than $100 million in heists from banks in the U.S. and elsewhere. The FBI in December arrested 10 hackers accused of stealing $850 million using a botnet called Butterfly to swipe bank account information and credit card details from 11 million computers.
Digital security experts laud the cooperation between the industry and law enforcement that led to the recent crackdown but add that the threat remains. Overall there were 1,611 breaches last year, a 48% increase over 2011, according to a recent study from Javelin Strategy and Research.
The hazard points to a need for better ways to authenticate the identities of account holders, experts say. "The fact they can invade antivirus goes to show you the industry needs to take other steps to be sure the person on the other side of the transaction is legitimate," says Al Pascual, a senior analyst at Javelin.
That includes the use of biometric information, such as voice, face and fingerprint recognition, according to Pascual. It also includes browsers that can catch the type of activity that would tell financial institutions a customer's system has been infected. Because the malware is difficult for anti-virus software to detect, "that makes client-side browser protection another opportunity," Pascual notes.
The move against Citadel shows the way malware evolves over time and the challenges that financial institutions face. "You're dealing with groups of people who are commenting on each other's work and who have well-established inducements among themselves to refine and improve these kinds of malware," Szpak says. "It's a great illustration of how sophisticated the hacker world is and how true it is when you hear people say that hackers will always be one step ahead of you."