New York street with TD Bank
Photo by Ed Yourdon via photopin cc

Breach reports on banks usually deal with attempts to gain passwords and drain user accounts. However, attackers can also open or hack an account to use it as a transit point for a criminal transaction.

An American branch of the TD Bank was apparently used that way by an attacker who tried to trick a staffer in the financial office of security vendor Watchguard Technologies into wiring US$20,000 to the account as payment for some of the company’s products.

As outlined last week in CSO Online, the attack started with a classic spear phish email from a person who purported to be the staffer’s manager, using the name in the “From” part of the email header. However, the email’s source address was a seven-digit number at gmail.com. That, along with the fact that the request ignored the official chain of command and finance protocols, made the employee alert the company.

A Watchguard researcher then took over to pretend to be the employee, hoping to track down the attacker. The researcher texted the attacker using a disposable phone number, who told the researcher about the urgent fund transfer to a TD Bank account. To trick the attacker who was expecting a wire transfer confirmation message, WatchGuard masked the IP address of a honeypot server behind a URL-shortener and sent it to the attacker disguised as a confirmation link. The researcher then traced who clicked on that link. It came from Nigeria.

It isn’t known if the bank account was legitimately set up by the attacker, or if it was hacked. WatchGuard notified TD Bank about the matter, so we called them and asked if it had investigated and what it found. A bank spokesperson wouldn’t say much.

“As always, the safety and security of customer information is a top priority for TD,” the spokesperson said in an email Thursday. “We have multiple safeguards in place, but in the event that a transaction is suspected of being unauthorized, we conduct an investigation. There are steps everyone can take to help protect themselves against fraud, including: never sharing or writing down your Personal Identification Number (PIN) used for account access cards or credit cards; regularly changing your passwords and ensuring banking credentials are different than day-to-day passwords (ex. email, online retailers); refraining from opening unexpected links or attachments; never disclosing personal, confidential or financial information via emails; and regularly reviewing your bank account and credit card statements for suspicious transactions.”

The incident is another example of why — despite the frustration of some CISOs on the effectiveness of warnings — thorough security awareness training can be valuable, particularly among staff who handle money. It’s also an example of how a well-trained security team can track down some information about attackers which may help defences.