Weaknesses in Fraud Prevention Controls Exposed

Jay Decenella, IT audit expert
January 19, 2012

The Federal Bureau of Investigation has warned that accurately detecting fraudulent transactions is, by itself, not enough to prevent cybercrime, following the discovery of Gameover, a variant of the Zeus banking malware.

According to security firm Trusteer, this attack can circumvent post-transaction fraud prevention measures. Trusteer cites the FBI’s findings that the campaign’s messages purport “to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed.”

Once users click the link, they are infected with the Zeus or Gameover malware, which can log keystrokes and steal their online banking credentials, defeating several forms o

“After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well as to make them unable to reverse the transactions (if found),” the FBI said.
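The FBI statement above gives defenders a concrete correlation to act on: if a DDoS begins shortly after a burst of outbound wires, those wires deserve a manual hold while they can still be recalled. The following is an added example, not code from the article, the FBI or Trusteer. It assumes a hypothetical bank whose transfer log and DDoS alert take the simple key=value line formats constructed below; it parses them and returns the large outbound wires initiated in a look-back window before the DDoS onset (and, optionally, during the attack) so an analyst can review them before they clear.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample data (fictional bank, fictional accounts): outbound
# transfer log lines and one DDoS alert from the web-facing banking portal.
TRANSFER_LOG = [
    "2012-01-18T09:02:11Z acct=1001 type=ach amount=1200.00 dest=payroll-vendor",
    "2012-01-18T13:41:05Z acct=2042 type=wire amount=48500.00 dest=INTL-NEWBENEF",
    "2012-01-18T13:52:30Z acct=2042 type=wire amount=52000.00 dest=INTL-NEWBENEF",
    "2012-01-18T14:20:00Z acct=3107 type=wire amount=900.00 dest=known-supplier",
    "2012-01-17T10:00:00Z acct=2042 type=wire amount=47000.00 dest=INTL-NEWBENEF",
]
DDOS_ALERT = "2012-01-18T14:05:00Z ddos target=online-banking-portal"

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Transfer:
    ts: datetime
    acct: str
    kind: str      # "wire" or "ach"
    amount: float
    dest: str


def parse_transfer(line: str) -> Transfer:
    """Parse one constructed transfer log line into a Transfer record."""
    fields = line.split()
    ts = datetime.strptime(fields[0], TS_FORMAT)
    kv = dict(f.split("=", 1) for f in fields[1:])
    return Transfer(ts, kv["acct"], kv["type"], float(kv["amount"]), kv["dest"])


def parse_ddos_onset(line: str) -> datetime:
    """The DDoS alert line starts with the onset timestamp."""
    return datetime.strptime(line.split()[0], TS_FORMAT)


def transfers_to_hold(log_lines: List[str], ddos_line: str,
                      lookback: timedelta = timedelta(hours=2),
                      min_amount: float = 10000.0,
                      ddos_cleared: Optional[datetime] = None) -> List[Transfer]:
    """Return outbound wires at or above min_amount that were initiated in the
    look-back window before the DDoS onset, or while the DDoS is still ongoing.

    Rationale (from the FBI finding quoted in the article): the flood is meant
    to draw attention away from the wires and to prevent reversal, so the wires
    that immediately precede or overlap it are the ones to re-examine first.
    """
    onset = parse_ddos_onset(ddos_line)
    window_start = onset - lookback
    held = []
    for t in map(parse_transfer, log_lines):
        if t.kind != "wire" or t.amount < min_amount:
            continue
        if t.ts < window_start:
            continue
        if ddos_cleared is not None and t.ts > ddos_cleared:
            continue
        held.append(t)
    return sorted(held, key=lambda t: t.ts)


def summarize_by_account(held: List[Transfer]) -> Dict[str, float]:
    """Total held amount per account; repeated wires from one account to a new
    beneficiary are the pattern an analyst would want to see at a glance."""
    totals: Dict[str, float] = {}
    for t in held:
        totals[t.acct] = totals.get(t.acct, 0.0) + t.amount
    return totals


if __name__ == "__main__":
    for t in transfers_to_hold(TRANSFER_LOG, DDOS_ALERT):
        print(f"HOLD {t.ts.isoformat()} acct={t.acct} amount={t.amount:.2f} dest={t.dest}")
    print(summarize_by_account(transfers_to_hold(TRANSFER_LOG, DDOS_ALERT)))
```

Run with the constructed data, the two 13:41 and 13:52 wires from account 2042 are held (both inside the two-hour window before the 14:05 onset), while the small 14:20 wire and the day-old wire are not. The window length and amount threshold are tuning knobs, not values from the article.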

This form of attack belongs to a class of attacks carried out after the transaction has been submitted, which Trusteer refers to as Post-Transaction Attacks.

“Some Post-Transaction Attacks are not targeted at the bank but rather at the user. One example uses SpyEye to execute man in the browser (MitB) attacks that hide confirmation emails in web email services or fraudulent transactions on the online banking site,” Trusteer said.
