05:55 PM
Risk Data as a Strategy
Apr 06, 2016
There is a renewed focus on risk data aggregation and reporting (RDAR) solutions, as financial ins ...Read More>>

Pharming Attack Slams 65 Financial Targets

The attack, which lasted two and a half days before it was shut down, was described as a sophisticated, multi-pronged operation.

An Internet-based attack aimed at about 65 financial targets in the United States, Europe and Australia was shut down after a two-and-a-half day run.

Hackers launched the "pharming" attack on Monday, Feb. 19 and authorities shut it down on Wednesday, according to Dan Hubbard, vice president of security research at Websense, which was tracking the attack. He described it as a sophisticated and multi-pronged attack that involved multiple IP addresses, server sites in four different countries and a deluge of fraudulent spam.

The term pharming is used to describe a hacker redirecting a user from a legitimate site to a fraudulent and malicious site where their machines are infected with malware.

Hubbard says he's not sure how many computers were infected during the two-and-a-half-day attack, but he says more than 1,000 machines were compromised in just one day.

"It was a professional team. It was very well planned," says Hubbard. "It was quite successful and very resilient. It wasn't just one IP address hosted in one country where you could shut it down and take care of it. This one has multiple IP addresses in multiple countries. It makes it more difficult to stop what is happening."

On Monday, the first e-mail lure was spammed out. It contained the bogus news that Australian Prime Minister John Howard was struggling for his life after suffering a heart attack. The e-mails are set up to appear to be a link to a news story from The Australian, a daily newspaper. The second e-mail lure offered up news of a cricket match in Australia. Hubbard notes he was surprised how many Americans were conned into clicking on a link for more information about Australian cricket.

The e-mail lures directed users to connect to a Web site for more information. When they clicked on the link, they were redirected to one of five different malicious Web sites, where their machines were infected with malware.

When anyone with a corrupted machine connected to a Web site for one of 65 banks or financial institutions, any information they entered there would be sent to both the real destination, as well as back to the hackers. The stolen information, along with more malicious code, was stored on a master server.

The fraudulent and malicious Web sites that users were directed to were hosted on servers based in the U.K., Germany, Estonia and the U.S., according to Hubbard.

He adds that the master server has been shut down and the exploit servers were either shut down or have been moved.

The pharming attack targeted companies such as Barclays Bank, the Bank of Scotland, PayPal, eBay, Discover Card and American Express.

Hubbard notes that most of the victims were Australians and Americans. According to Websense stats, 35% of the infections occurred in Australia; 32% happened in the U.S.; 11.5% took place in the U.K. and .2% transpired in Russia.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Register for InformationWeek Newsletters
White Papers
Current Issue
4 Trends Shaping Digital Transformation in Insurance
Insurers no longer have a choice about digital adoption if they want to remain relevant. A comprehensive enterprise-wide digital strategy is fundamental to doing business today.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of April 17, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week!
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.