Testimony of Bill Conner, President and CEO of Entrust
Before the Subcommittee on Communications and Technology
of the Energy and Commerce Committee
U.S. House of Representatives
Part 6
Diagramming Advanced Malware
With that in mind, here is one example of a real-world threat that we have encountered that has not received as much attention as data breaches. It is, however, one of the biggest cybercrimes and threats today. The threat is called ZeuS or SpyEye, which is a “man-in-the-browser” malware that targets mid- to small-sized companies. This is a threat you and your constituents need to be aware of and concerned about.
The problem arises when someone within an organization is surfing the Web and accidentally installs software that opens a door for criminals. The software may install when an employee has visited a legitimate website, but one that has unknowingly become infected, or they may have simply clicked the red “x” to close a pop-up ad or notification thinking that all they were doing was shutting down the ad.
In reality, that click prompts the malware to install on their system and then promptly hides itself. In fact, once the malware is installed it is extremely difficult to detect. The malware is crafted to avoid detection by antivirus tools that you all know and probably use.
This malware sits dormant, waiting for someone on the system to log in to a corporate bank account online. When it sees that bank URL pass by, it wakes up and begins to intervene transparently in whatever transaction is being conducted.
Let me explain how it works.
- A consumer, or more likely an accountant, in a small business initiates an online payment to their local utility for $1,000.
- The malware on a PC, laptop or tablet sees the bank URL and online payment. It then “wakes up” and translates that payment into, let’s say, six different transactions totaling $100,000 going to six individual accounts.
- The bank then receives the request for these six transactions totaling $100,000 and asks the accountant to confirm the transactions by entering a one-time passcode (OTP) to authenticate the transactions.
- The malware intercepts this request and re-translates the six transactions back to the original single transaction for $1,000.
- The accountant, therefore, sees the original request for the utility to be paid $1,000 and is asked by the bank to enter their specific one-time passcode.
- The controller then enters a one-time passcode to authenticate the transaction and sends it back to the bank.
- Unfortunately, the malware accepts the one-time passcode and again re-translates the single $1,000 transaction to the six transactions totaling $100,000.
- The bank then believes it is a set of authorized corporate transactions based on the passcode the client provided and executes those transactions for $100,000.
- Now both the small business and the bank are missing $100,000.
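The confirmation step above fails because the one-time passcode proves only that the token holder is present, not what they are approving. The following Python sketch is an added example, not part of the testimony, using constructed amounts, payee names, a nonce and a shared secret; it replays the flow once with the unbound passcode the testimony describes and once with a passcode bound to the payee and amount the accountant actually confirms.

```python
import hashlib
import hmac

# Constructed sample data: what the accountant intends vs. what the malware submits.
INTENDED = [{"to": "local-utility", "amount_cents": 100_000}]                      # $1,000
SUBSTITUTED = [{"to": f"mule-{i}", "amount_cents": 1_666_667} for i in range(6)]  # ~$100,000

# Constructed secret shared between the bank and the accountant's OTP device.
DEVICE_SECRET = b"constructed-shared-secret-for-example"


def batch_digest(transactions):
    """Canonical hash of an entire payment batch (payee and amount of every item)."""
    canon = "|".join(f"{t['to']}:{t['amount_cents']}" for t in transactions)
    return hashlib.sha256(canon.encode()).hexdigest()


def unbound_otp(secret, nonce):
    """OTP as in the testimony: proves possession of the token, says nothing about the payment."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()[:8]


def bound_otp(secret, nonce, transactions):
    """Transaction-bound OTP: computed over the batch the user confirms on a device the
    browser cannot rewrite (e.g. payee and amount keyed into a hardware token)."""
    msg = f"{nonce}:{batch_digest(transactions)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def bank_accepts(received, otp_from_client, nonce, bound):
    """Bank-side check over the batch that actually arrived, i.e. the malware's version."""
    if bound:
        expected = bound_otp(DEVICE_SECRET, nonce, received)
    else:
        expected = unbound_otp(DEVICE_SECRET, nonce)
    return hmac.compare_digest(expected, otp_from_client)


def man_in_the_browser_run(bound):
    """Replay the flow: malware swaps the batch on the way out, shows the original on the
    way back, and forwards the passcode the accountant enters unchanged."""
    nonce = "constructed-nonce-0001"  # the bank's challenge for this confirmation
    shown_to_user = INTENDED          # malware re-translates the request back to $1,000
    if bound:
        otp = bound_otp(DEVICE_SECRET, nonce, shown_to_user)
    else:
        otp = unbound_otp(DEVICE_SECRET, nonce)
    return bank_accepts(SUBSTITUTED, otp, nonce, bound)  # True = the $100,000 batch goes through
```

With the unbound passcode the bank executes the six substituted transactions; with the bound passcode the digest over the $1,000 payment does not match the digest over the six-transaction batch, so the bank rejects it.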
This is the kind of threat that can and does happen in every state, every day. And not just at multinational companies. It can and does happen to smaller enterprises that aren’t as sophisticated in how to protect themselves and don’t consider themselves to be a target of multinational crime schemes. But they are wrong. This has happened and still happens to businesses that populate Main Street in every state.