Imagine the scene: you arrive at work on a Monday morning after a wet Bristol bank holiday. You are sifting through your emails when you get a phone call from an indignant solicitor who says the promised transfer has not arrived. Well, it’s not in OUR account, you say. And so it begins.
Solicitors hold two assets whose loss can cause profound financial and reputational damage: their clients’ confidential information and their clients’ money. In conveyancing in particular, the loss of a client’s funds while they sit in the firm’s account can cause the transaction to fall through and a dream home to be lost, along with a liability to repay hundreds of thousands of pounds landing on your doorstep. In many cases this is preceded by the unwitting installation of ransomware’s main cybercrime rival: the Banking Trojan.
What is a Banking Trojan?
Banking Trojans such as Dridex, Zeus and Trickbot are malware most often delivered by email, as an Office file attachment carrying a malicious macro. On opening the file, the victim is prompted to enable macros (“Enable Content”) or click some other box to view the contents. If the victim complies, the macro, a small program embedded in the document, downloads and installs the rest of the malware, opening the computer up to exploitation.
What can it do?
Like the eponymous horse, once it has been let inside, the Trojan quietly calls home. It does not need to open a gate in your firewall: it makes an ordinary outbound connection, the kind almost every firewall allows, to the Greeks, or more likely Russians, waiting for its call. With this “backdoor” established, your interlopers can wander the streets of your network at leisure, harvesting logins for banking services (often by quietly adding extra fields to the bank’s own web page inside your browser) and reading your emails for the expected dates and times of client money transfers. Upcoming conveyancing transactions are an obvious target: there is a clear trail of email and an estimated completion date, so there is an obvious time to strike. The Trojan will also likely add your computer to a “botnet”, a network of infected computers used for sending spam and for attacking other people’s systems in a Distributed Denial of Service (DDoS) attack.
Three steps to avoid Banking Trojans
The only certain way not to be infected by malware arriving in an email is to delete it without opening the attachment. If you are not sure about the email from your austere partner titled “check out my holiday pixx LOL”, maybe they have turned over a new leaf? Or perhaps you should drop them a line, not by replying to that email, to confirm that it is what it says it is!
1- Protected View- leave it on!
Protected View is a Microsoft Office feature that opens documents from the internet, including email attachments, read-only in a restricted sandbox, with macros and other active content disabled.
Keeping a file in Protected View is one of the best ways of limiting the impact of many types of malware IF you have to view it, so don’t click “Enable Editing” by reflex. Unless you know you need to edit or print it and you are certain it is legitimate, read the file with Protected View in place.
Back in the 1990s macros were the most popular way of getting malware onto computers, and like many things from that era they are back in fashion and work as well as they ever did. Most day-to-day documents don’t need macros, so a document that asks you to enable them should be a red flag. A common trick used to get you to enable them is a message such as:
“You are using a different version of Word- Enable macros to view”
As with any email or attachment you are not sure about, give the sender a quick call (don’t reply to the email) to make sure that is what they meant to send you. Find their number from another source; don’t call the number in the email, as it might not be theirs.
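As an added example (not part of the original article), here is a PowerShell script an IT provider could run over attachments held back from users to spot the ones that actually carry macros, so that the “Enable Content” prompt never gets a chance to appear. It reads the file’s own structure rather than trusting the extension. The folder C:\Quarantine at the bottom is an assumed path.

```powershell
# Added example, not from the article: report whether Office attachments carry macros
# before anyone is tempted to click "Enable Content". Assumes Windows PowerShell 5.1 or
# PowerShell 7; the quarantine folder C:\Quarantine at the bottom is an assumed path.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeMacro {
    param([Parameter(Mandatory)][string]$Path)

    $report = [ordered]@{ File = (Split-Path -Leaf $Path); Macros = 'No'; Detail = '' }
    $bytes  = [System.IO.File]::ReadAllBytes($Path)

    # Legacy binary formats (.doc/.xls/.ppt) start with the OLE2 signature D0 CF 11 E0.
    # Their VBA lives in an OLE storage this script does not parse, so flag them for review.
    if ($bytes.Length -ge 4 -and $bytes[0] -eq 0xD0 -and $bytes[1] -eq 0xCF -and
        $bytes[2] -eq 0x11 -and $bytes[3] -eq 0xE0) {
        $report.Macros = 'Unknown'
        $report.Detail = 'Legacy binary Office format; cannot check for VBA here, treat as suspicious'
        return [pscustomobject]$report
    }

    # Modern formats (.docx/.docm/.xlsx/.xlsm ...) are zip packages starting with "PK".
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x50 -or $bytes[1] -ne 0x4B) {
        $report.Detail = 'Not an Office Open XML package'
        return [pscustomobject]$report
    }

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $parts = @($zip.Entries | ForEach-Object { $_.FullName })

        # A vbaProject.bin part means embedded VBA code, whatever the file extension says.
        $vba = @($parts | Where-Object { $_ -match '(?i)vbaProject\.bin$' })
        # Excel 4.0 "macro sheets" (XLM) are an older macro mechanism that is not VBA.
        $xlm = @($parts | Where-Object { $_ -match '(?i)^xl/macrosheets/' })

        if ($vba.Count -gt 0) {
            $report.Macros = 'Yes'
            $report.Detail = "VBA project found: $($vba -join ', ')"
        } elseif ($xlm.Count -gt 0) {
            $report.Macros = 'Yes'
            $report.Detail = "Excel 4.0 macro sheet found: $($xlm -join ', ')"
        } else {
            # Cross-check the package's declared content type for a macro-enabled document
            # whose VBA part is missing or renamed.
            $ct = $zip.GetEntry('[Content_Types].xml')
            if ($ct) {
                $reader = New-Object System.IO.StreamReader($ct.Open())
                try { $types = $reader.ReadToEnd() } finally { $reader.Dispose() }
                if ($types -match 'macroEnabled') {
                    $report.Macros = 'Yes'
                    $report.Detail = 'Declared as a macro-enabled document in [Content_Types].xml'
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    [pscustomobject]$report
}

# Scan everything an email gateway or user has dropped into the (assumed) quarantine folder.
Get-ChildItem -Path 'C:\Quarantine' -Recurse -File -Include *.doc*, *.xls*, *.ppt* |
    ForEach-Object { Test-OfficeMacro -Path $_.FullName } |
    Format-Table -AutoSize
```

Anything reported as “Yes” or “Unknown” is exactly the attachment to phone the sender about before it is opened; a plain letter or contract from a client should come back as “No”.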
2- Windows Update
As we were reminded by WannaCry earlier this year, lots of systems are infected by malware that is known and preventable, IF the systems are updated correctly. Remember that updates are free and largely unproblematic for modern computers running current software.
Make sure your Windows operating system is current and updated frequently. While almost every home computer gets that annoying “Windows needs to restart to update” prompt, it is not uncommon for company computers to be configured so that they don’t update automatically. Given the rate at which new malware appears, this can be very dangerous. If you never see update prompts at work, that is not a sign that your computer is “just better”. Not sure? In Windows 10, open Settings, then Update & Security, then Windows Update; it shows when updates were last checked for and installed. Only ever take updates from the software vendor, never from a link or attachment in an email.
Criminals are exploiting known vulnerabilities faster and faster. As soon as a software company announces a fix for a vulnerability, criminals start searching for computers that haven’t applied it, exploiting the very flaw the fix is designed to remedy. Where companies once aimed to update and patch systems within 6 weeks, many now aim for 2 weeks, and sooner still for a flaw that is already being exploited.
3- Antivirus updates
New strains of malware appear every day and antivirus companies work quickly to add them to their watchlist. Update your antivirus definitions so that your computer has the current list; setting the antivirus to update automatically is the only reliable way to ensure this. Treat antivirus as a backstop rather than a guarantee: a freshly built Trojan may go undetected for a while, which is why the other steps matter.
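As an added example (not from the original article), the script below checks the three controls above on a single Windows PC in one go: whether Protected View and macro blocking are actually in force for Word, Excel and PowerPoint, how long ago the last Windows update was installed, and how old the Microsoft Defender signatures are. It assumes Windows 10 with Office 2016/2019/365 (which use the “16.0” registry key) and Microsoft Defender; the 14-day patch target and 3-day signature target are assumed thresholds, not figures from the article.

```powershell
# Added example, not from the article: a quick check of the three controls above on one
# Windows PC. Assumes Windows 10 with Office 2016/2019/365 (registry version "16.0") and
# Microsoft Defender; the 14-day patch and 3-day signature targets are assumed thresholds.
# Run from an elevated PowerShell as the user whose Office settings you want to inspect.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}
# Read a DWORD from the first of several registry paths that defines it (policy wins over user).
function Get-OfficeSetting([string[]]$Paths, [string]$Name) {
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# 1. Protected View and macro settings, per Office application.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $user   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"

    # Each of these DWORDs, when set to 1, turns Protected View OFF for that source of file.
    # (The misspelling "Attachements" is Microsoft's own value name.)
    $pvOff = foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV') {
        if ((Get-OfficeSetting "$policy\ProtectedView", "$user\ProtectedView" $name) -eq 1) { $name }
    }
    if ($pvOff) { Add-Finding "$app Protected View" 'FAIL' "Disabled by: $($pvOff -join ', ')" }
    else        { Add-Finding "$app Protected View" 'OK'   'On for internet files, attachments and unsafe locations' }

    # The GPO "Block macros from running in Office files from the Internet" sets this to 1.
    if ((Get-OfficeSetting $policy 'blockcontentexecutionfrominternet') -eq 1) {
        Add-Finding "$app macros" 'OK' 'Macros in files from the internet are blocked by policy'
    } else {
        Add-Finding "$app macros" 'WARN' 'Internet macros not blocked by policy; users can click "Enable Content"'
    }

    # VBAWarnings: 1 = all macros run, 2 = disabled with notification (default),
    # 3 = signed macros only, 4 = all macros disabled without notification.
    $vba = Get-OfficeSetting $policy, $user 'VBAWarnings'
    if ($vba -eq 1) {
        Add-Finding "$app VBAWarnings" 'FAIL' 'All macros enabled with no prompt'
    } elseif ($vba -eq 3 -or $vba -eq 4) {
        Add-Finding "$app VBAWarnings" 'OK' "VBAWarnings = $vba (unsigned macros cannot be enabled by a click)"
    } else {
        Add-Finding "$app VBAWarnings" 'WARN' 'Default: macros disabled, but one click on "Enable Content" turns them on'
    }
}

# 2. Windows Update: is the service allowed to run, and when was the last update installed?
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') {
    Add-Finding 'Windows Update' 'FAIL' 'Windows Update service is disabled'
}
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    Add-Finding 'Windows Update' 'FAIL' 'No installed updates recorded'
} else {
    $age    = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $status = if ($age -gt 14) { 'WARN' } else { 'OK' }
    Add-Finding 'Windows Update' $status "Last update $($latest.HotFixID) installed $age days ago (target: 14)"
}

# 3. Antivirus: real-time protection on, and signatures recent?
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'Antivirus' 'FAIL' 'Real-time protection is off' }
    $status = if ($mp.AntivirusSignatureAge -gt 3) { 'WARN' } else { 'OK' }
    Add-Finding 'Antivirus' $status "Signatures $($mp.AntivirusSignatureAge) days old, last updated $($mp.AntivirusSignatureLastUpdated) (target: 3)"
} else {
    Add-Finding 'Antivirus' 'WARN' 'Microsoft Defender status unavailable; check your third-party product instead'
}

$findings | Format-Table -AutoSize
```

A FAIL on any Protected View or VBAWarnings line, or a WARN on the patch age, is the kind of thing to raise with whoever looks after your IT; the settings under HKCU are per user, so run it as the people who actually open client documents.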
Banking defensively in 4 steps
It is likely that some people reading this article already have Dridex or another Remote Access Trojan (RAT) on their system. What can they do to keep that £1,000,000 of conveyancing money out of the clutches of the cyber criminals?
1-Log out and remove cards promptly
Leaving aside the technical details, fraudulent transfers are normally made while the victim is logged in to the banking website, because the criminals do not have the card and card reader needed to start a session themselves. So log in, complete your transaction, log out promptly and remove the card from the card reader. This shrinks the window of opportunity. Don’t, as in one case, leave your computer logged in to the banking website, turn off the screen and pop out for lunch. That lunch cost £300,000, and the individual concerned is “looking for new opportunities”.
2-Look out for website imitations and odd requests
Keep a look out for odd behaviour and changes on the banking website, especially if it asks for unusual or unexpected information, such as a full passcode or a fresh card-reader code at a point where the bank never normally asks for one. A Banking Trojan inserts these extra prompts into the genuine page inside your browser, so the address bar and padlock look perfectly normal. Double check by logging in from a different machine or a mobile device.
3-Bank on a clean machine
Consider using a separate computer for your banking transactions, one that has no email access. A small laptop costing less than £200 that does nothing apart from internet banking could be a wise investment. With minimal software installed and little or no exposure to the company network, a machine like this stays out of sight of anyone with a backdoor into your systems; they might not even know it exists. If staff can’t read email or browse the web on it, it is much harder to get malware onto it. It still needs the same updates as every other machine.
4- Two eyes on big transactions
Another practical defence against banking fraud, especially fraud with an element of social engineering, is to apply the “Two Man Rule” to banking transactions above a certain amount. Originally designed to “prevent accidental or malicious launch of nuclear weapons by a single individual”, it fits conveyancing and other critical processes just as well! As the name suggests, two individuals must approve any large transfer, and the second approver should check the payee details against an independent source (the client file, or a phone call to a known number), not the email that requested the payment. This provides an additional line of defence against the surprisingly effective email from “the boss” late on a Friday afternoon asking why you still haven’t transferred that £300k to a Moldovan bank account, because it’s REALLY urgent.
Good Cyber Housekeeping
Back up! Back up! Back up!
Banking Trojans frequently install ransomware once they have finished stealing information from your machine; it is a nice way for the attacker to squeeze the last bit of cash out of you. No, backing up your data WON’T stop a Trojan, but it limits the damage from ransomware, provided the backup is kept offline or otherwise out of reach of the infected machine, since ransomware will happily encrypt any connected drive or network share it can see. Ask yourself: who is in charge of backups in this organisation? If you don’t know, perhaps it’s time to find out. If the last time backups were mentioned was in a meeting two years ago, make a note now to test restoring from them.
Don’t ignore social engineering
A cybercriminal monitoring your account may use other means to fill in the gaps for a spending spree. Remember, the more money they can extract, the more effort they will be willing to expend in pursuit of it. With so much information about your account gathered from your own system, it is easy for them to convince you that they are from your bank when they call: they can confirm your passcode, your regular transactions and the dates of transfers. They may tell you that you have ALREADY been the victim of a Banking Trojan and that, to confirm your identity, they need your mother’s maiden name and the code from your card reader. Don’t be rushed into actions you may later regret. If you get a call apparently from the fraud department of your bank with some CATASTROPHIC news, take the caller’s name and tell them politely that you will call them back on a number you find elsewhere, such as the one on the back of your card, ideally from a different phone. A genuine caller will not mind. If you receive an email asking you to click a link or open an attachment and it has provoked an emotional response, stop, get a cup of tea and come back to it. We make bad decisions when we are emotional, and attackers are counting on this!
Training your staff in the risks of phishing and social engineering is the best way to avoid malware like Banking Trojans. Have a plan for what you would do if your firm suffered a cyber-attack; firms with a plan are far more likely to pick themselves back up than those without. Finally, test your IT security, but don’t ask your IT team or your outsourced IT provider to do it. You wouldn’t have a locksmith fit a new front door lock and then judge for himself how secure it was or whether he had done a good job, and the same applies to IT. Keep the provider of your IT and the testing of its security in separate hands!
Banking Trojans remain one of the most commonly reported cyber-attacks in the South West of England, targeting both small and larger firms. By training your staff to be alert, keeping systems updated and banking defensively, you can reduce the risk of falling victim to a Banking Trojan.
Lisa Forte is the Cyber Protect Officer for the SW regional crime unit. If you have any questions for her or would like a meeting to discuss your firm’s security email firstname.lastname@example.org
View and print the full word version article here Banking Trojans law soc article 1.2