January 17, 2012 By Amit Klein 3 min read

A recent FBI warning on the Zeus variant called Gameover reveals that high detection accuracy of fraudulent transactions is not enough to prevent cyber crime. This new attack is specifically designed to circumvent post-transaction fraud prevention measures. Here’s an excerpt from the FBI statement:

“The campaign involves a variant of the ‘Zeus’ malware called ‘Gameover.’ The spam campaign is pretending to be legitimate emails from the National Automated Clearing House Association (NACHA) advising the user there was a problem with the ACH transaction at their bank and it was not processed. Once they click on the link, they are infected with the Zeus or Gameover malware, which is able to keylog as well as steal their online banking credentials, defeating several forms of two-factor authentication. After the accounts are compromised, the perpetrators conduct a distributed denial-of-service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well as to make them unable to reverse the transactions (if found).”

Gameover

Gameover belongs to a set of attacks performed after the transaction is submitted. We refer to these attacks as post-transaction attacks. Some post-transaction attacks are not targeted at the bank, but rather at the user. One example uses SpyEye to execute man-in-the-browser (MitB) attacks that hide confirmation emails in Web email services or fraudulent transactions on the online banking site. Last year, the FBI publicized another attack during which fraudsters inundated victims with automated calls to tie up their phone line, preventing the bank from contacting them to validate suspicious transactions.

When banks and security experts evaluate the effectiveness of cyber crime detection solutions, they typically focus on the following two metrics:

  1. Detection Rate: How much fraud is detected versus how much evades detection?
  2. False-Positive Rate: How many genuine transactions will be flagged as fraud and blocked?

Ideally, banks look for malware prevention solutions that provide high detection and low false-positive rates.

Post-Transaction Attacks and Fraud Prevention

So how does the introduction of post-transaction attacks affect existing malware detection approaches? Let’s examine the three primary malware detection approaches: deterministic detection, statistical in-transaction detection and statistical post-transaction detection.

  • Deterministic detection searches for specific malware crime logic footprints before transactions are submitted and allows the online banking application to stop fraud by changing business flows (blocking money transfers, declining add payee requests, limiting amounts, etc.).
  • Statistical in-transaction detection identifies suspicious out-of-profile behaviors and determines the probability that they are malware-generated fraud. In cases where there is a high probability of malware fraud, the transaction is blocked immediately. Meanwhile, other risky transactions are sent to be reviewed manually, typically by a bank’s fraud team. Reviewers first look for obvious signs of fraud, such as a known mule account, and if they cannot determine its authenticity, they flag the transaction for validation by the customer.
  • Statistical post-transaction detection extracts submitted transaction information (typically from logs), identifies suspicious out-of-profile behaviors and determines the probability of malware fraud. As with statistical in-transaction detection, transactions with high risk scores or that exhibit obvious signs of fraud are stopped (reversed), while the remaining risky transactions require customer validation.

Post-transaction attacks that hide fraudulent activity from the end user and block email and phone communication from the bank to the end user are aimed at defeating statistical post-transaction detection approaches. Other post-transaction attacks flood the bank’s fraud team and their support systems with both DDoS attacks and fraudulent transactions. These attacks can bring the entire fraud assessment process to a grinding halt.

Deterministic detection is not vulnerable to post-transaction attacks since all processing and subsequent blocking is done prior to the transaction being submitted to the banking system.
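The following is an added illustration, not code from the article or from any vendor product: a small model of the three approaches above, run against a constructed transfer, showing why a statistical pipeline that depends on reaching the customer is exposed when that channel is denied, while a pre-submission footprint check is not. The thresholds, the footprint string, the mule account and the customer history are constructed placeholders, and the fail-open versus fail-closed handling of an unreachable customer is an assumption added here, not something the article specifies.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed sample data (not from the article): one customer's recent transfer
# amounts, a placeholder mule account and a placeholder malware footprint string.
HISTORY = {"alice": [120.0, 95.0, 140.0, 110.0]}
KNOWN_MULES = {"ACC-PLACEHOLDER-MULE"}
MALWARE_FOOTPRINTS = {"footprint:placeholder-mitb-inject"}

@dataclass
class Tx:
    customer: str
    payee: str
    amount: float
    new_payee: bool = False
    request_tags: frozenset = frozenset()  # artefacts seen in the request before submission

def deterministic_detect(tx):
    """Pre-submission check: a known crime-logic footprint in the request stops the flow."""
    return "blocked" if tx.request_tags & MALWARE_FOOTPRINTS else "allowed"

def risk_score(tx):
    """Out-of-profile score in [0, 1]: amount relative to the customer's mean, plus a new-payee penalty."""
    base = mean(HISTORY.get(tx.customer, [tx.amount]))
    score = min(tx.amount / (base * 10), 0.7)   # ten times the usual amount saturates the amount term
    return round(min(score + (0.2 if tx.new_payee else 0.0), 1.0), 2)

def statistical_detect(tx, customer_reachable, fail_open=False, block_at=0.8, review_at=0.4):
    """In- or post-transaction decision. Mid-band scores need customer validation; when the bank
    cannot reach the customer (hidden emails, flooded phone line), fail_open approves, else hold."""
    score = risk_score(tx)
    if score >= block_at or tx.payee in KNOWN_MULES:
        return "blocked"
    if score < review_at:
        return "allowed"
    if customer_reachable:
        return "validated"          # customer confirms or rejects; modelled here as resolved
    return "allowed" if fail_open else "held"

# Constructed scenario: roughly three times alice's usual amount to a new payee, submitted by
# MitB malware whose inject leaves a footprint in the request.
FRAUD = Tx("alice", "ACC-NEW-PAYEE", 350.0, new_payee=True,
           request_tags=frozenset({"footprint:placeholder-mitb-inject"}))

def outcomes(tx=FRAUD):
    return {
        "deterministic": deterministic_detect(tx),
        "statistical_customer_reachable": statistical_detect(tx, customer_reachable=True),
        "statistical_channel_blocked_fail_open": statistical_detect(tx, False, fail_open=True),
        "statistical_channel_blocked_fail_closed": statistical_detect(tx, False, fail_open=False),
    }

if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name:40s} {result}")
```

Only the pre-submission check reaches a decision without the customer; the mid-band statistical path either holds the transfer or, if configured to approve on silence, lets it through exactly when Gameover-style channel denial is in effect.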

Fraudsters will continue to introduce new threats at all stages of the transaction life cycle (pre, post and during), requiring banks to continually reassess the effectiveness of their fraud prevention controls.
