Charles Copland, Quality Assurance Analyst
Gozi, active since around 2005, was designed specifically to steal online banking credentials from infected machines. It had multiple infection vectors but was most commonly spread as a PDF email attachment. Once a machine was infected, social engineering built into the malware (extra fields injected into the bank's own web pages) coaxed additional personal information out of unsuspecting online banking customers. Its infection numbers were not astronomical compared to other malware targeting financial information, but an estimated 1 million computers worldwide (40,000 in the U.S.) were victimized, and around 160 of those belonged to NASA. All told, the thieves made off with millions of dollars.
Stories of financial data-stealing malware are nothing new in modern finance. Perhaps more sinister are the highly organized methods through which Gozi was distributed and the criminal underworld they illuminate. The three men charged in connection with Gozi were a multinational group, and despite their physical separation each contributed a distinct talent to the scheme. One masterminded the group and commissioned the virus code itself, another provided web hosting that masked the operators' identities, and the third wrote the web inject code that altered banking pages in the victim's browser to request additional personal details. Use of the virus and its deployment infrastructure was then rented, and eventually sold, to other criminals for a steep fee. The service even let customers request customizations to the virus so it would steal specific types of information. This wasn't just a virus, it was a business. Unfortunately, this coordinated, business-like approach to data-stealing malware is not uncommon and is often just one endeavor in a larger criminal conglomerate's portfolio of illicit activities.
While the Gozi operation may have been shut down, similar threats are ever-present for Internet-connected devices. So how can you protect yourself, your financial institution and your online banking customers?
Here are five steps to better virus protection:
1: Maintain file system antivirus software
File system antivirus (AV) is one of the fundamental and most crucial security controls on a computer. Downloading the latest virus definitions/signatures daily protects the machine against a long list of known threats. File system AV alone is not a silver bullet, as Gozi illustrated: it went undetected for years before AV vendors caught on. A newly crafted threat may go undetected until a corresponding signature has been distilled and pushed out, so file system AV should be only one layer of an overall computer/network security strategy.
2: Adopt robust email filtration
Email is still a primary avenue of infection for most networks. Ensure that email flowing into your financial institution is, at minimum, scanned by an email-specific antivirus solution. Local email AV solutions range in form and complexity from software installed on the mail server itself to a dedicated email security appliance. Cloud-based third-party email filtration is another option growing in popularity: it scans email before it is delivered to your network, so the scanning overhead and administrative upkeep are outsourced.
3: Never open questionable attachments
Malware distributors are financially incentivized to constantly improve their craft, so some fake email messages look and feel quite convincing. As a general rule, reputable senders do not send unsolicited attachments, so be wary of any unexpected email bearing one. If you have any sliver of doubt about an email or its attachment, do not open or even preview the attachment until you have confirmed its validity through a separate channel, such as a phone call to the purported sender.
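As an added example (not code from the original article), the Python routine below shows the kind of attachment inspection a mail gateway, or an analyst triaging a suspicious message, can apply before anyone opens an attachment; it illustrates both step 2 (filtering at the gateway) and step 3 (judging a questionable attachment). It parses an RFC 822 message with the standard library and, for each attachment, checks the extension against a deny list, flags double extensions such as invoice.pdf.exe, compares the declared MIME type with the file's leading bytes, flags anything carrying a Windows PE header, looks for active-content keywords in PDFs (the delivery vector described above), and compares the SHA-256 hash with a known-bad set. The deny list, magic-byte table, sample message, sample payloads and the single "known-bad" hash are all constructed for this example; none of them are real indicators from the Gozi case.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Attachment extensions that should never arrive unsolicited (assumed policy list).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "jar", "lnk", "msi",
}

# Leading bytes expected for a few declared MIME types (assumed, small subset).
MAGIC = {
    "application/pdf": b"%PDF",
    "application/zip": b"PK\x03\x04",
    "image/png": b"\x89PNG",
}

# PDF name objects associated with active content; a triage heuristic only.
# They are visible only in uncompressed objects, so a miss proves nothing.
PDF_RISKY_TOKENS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

# Constructed sample payloads (not real malware): a harmless PDF, a PDF with an
# auto-run JavaScript action, and a stub Windows PE header.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
ACTIVE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /S /JavaScript /JS (app.alert('x')) >>\nendobj\n%%EOF\n")
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56

# "Known-bad" hash set; it holds only the constructed PE stub so the demo
# exercises the hash check. A real deployment would load threat-intel hashes.
KNOWN_BAD_SHA256 = {hashlib.sha256(PE_STUB).hexdigest()}


def inspect_attachment(part):
    """Return a list of human-readable findings for one attachment part."""
    findings = []
    name = part.get_filename() or ""
    data = part.get_payload(decode=True) or b""
    ctype = part.get_content_type()

    # 1. Extension checks: deny-listed types and double extensions such as
    #    invoice.pdf.exe (archive names like backup.tar.gz also trip the second
    #    check, so treat it as a review flag rather than an automatic block).
    exts = name.lower().split(".")[1:]
    if any(ext in BLOCKED_EXTENSIONS for ext in exts):
        findings.append(f"blocked extension in '{name}'")
    if len(exts) > 1:
        findings.append(f"multiple extensions in '{name}'")

    # 2. Declared type versus actual leading bytes.
    expected = MAGIC.get(ctype)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not match declared type {ctype}")

    # 3. A PE header means executable, whatever the filename claims.
    if data.startswith(b"MZ"):
        findings.append("payload is a Windows executable (MZ header)")

    # 4. PDF active-content keywords (uncompressed objects only).
    if data.startswith(b"%PDF"):
        hits = [t.decode() for t in PDF_RISKY_TOKENS if t in data]
        if hits:
            findings.append("PDF contains active content: " + ", ".join(hits))

    # 5. Hash lookup against known-bad indicators.
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(f"matches known-bad hash {digest[:16]}...")
    return findings


def inspect_message(raw):
    """Parse a raw RFC 822 message and inspect every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename() or "<unnamed>": inspect_attachment(part)
            for part in msg.iter_attachments()}


def build_sample_message():
    """Constructed test message with four attachments, one per scenario."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "teller@bank.example"
    msg["Subject"] = "Your statement"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(CLEAN_PDF, maintype="application", subtype="pdf", filename="newsletter.pdf")
    msg.add_attachment(ACTIVE_PDF, maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(PE_STUB, maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(PE_STUB, maintype="image", subtype="png", filename="photo.png")
    return msg.as_bytes()


def demo():
    """Run the inspection over the constructed message and return the report."""
    return inspect_message(build_sample_message())


if __name__ == "__main__":
    for filename, findings in demo().items():
        print(filename, "->", findings or ["no findings"])
```

Two caveats apply in practice. The PDF keyword check only sees uncompressed objects, so a production scanner must inflate the document's streams first; and, as step 1 notes, an empty findings list is not proof of safety, since a freshly built sample matches no hash and may carry no obvious marker. Use the output to decide what gets quarantined for a closer look, not as a clean bill of health.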
4: Disseminate your work email address sparingly
Avoid signing up for services, making online purchases, or otherwise giving out your work email address unless it is work-related. Some websites earn their profits largely through selling batches of known-valid email addresses. Once these lists are sold, they can be re-sold multiple times; eventually, these lists can make their way to the hands of individuals with nefarious intent.
5: Enforce IT policies prohibiting the installation of unauthorized software
Malware is easily "bundled in" with free software downloads available on the Internet. These trojanized downloads can include collections of emoticons, wallpapers, games, or even productivity applications. The key is preventing your users from installing these items in the first place. While most written IT usage policies explicitly forbid users from downloading and installing applications, the rules are often inconsistently enforced or ignored entirely. Actively seeking out unauthorized applications through regular software audits is a reactive way of curtailing this threat, but it helps build a culture in which users respect the policy. Pair the audits with preventive technical controls, such as denying users local administrator rights so that an unauthorized installer simply fails, rather than relying on the written policy alone.