
Beware ZeuS, RATs, Keyloggers and DirtJumpers


While advisors are rightly concerned primarily with protecting their clients’ funds (and by extension, their own capital) from possible wire transfer fraud, last year the FBI, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3) jointly warned that some banks and credit unions have become victims of another type of fraud: cyber criminals who target financial institution employees.

According to a Sept. 12, 2012 alert, the groups warned of a new trend among fraudsters—called “cyber-criminal actors” in the report—who are using spam and phishing emails, keystroke loggers, and Remote Access Trojans (RATs) to compromise financial institution networks and obtain employee login credentials. Those credentials were then used to initiate unauthorized wire transfers overseas. The fraudulent wire transfers, the alert reported, ranged from $400,000 to $900,000, and mostly involved small- to medium-sized banks or credit unions, though a few large banks were also affected.

The fraudsters used two kinds of malware: keyloggers, software that covertly records and stores each keystroke a user makes; and RATs, software that lets a remote user control a computer. A RAT is often installed on the targeted computer by a “Trojan horse,” a program that appears to perform a desired task but actually leaves behind a “payload” or “back door” that can damage the computer or ease an outsider’s illegal way into it.

That malware, installed on the bank employees’ computers, provided the fraudsters, the report said, with complete access to internal networks and logins to third-party systems; in some instances the malware used to steal the employee’s credentials was the banking trojan known as ZeuS.

According to the report, in some instances the actors stole multiple employee credentials or administrative credentials to third-party services and were able to circumvent the authentication methods the financial institutions used to deter fraudulent activity. This allowed the intruders to handle all aspects of a wire transaction, including approval of the transfer.

In some of the reported incidents, the fraud was preceded by a distributed denial of service (DDoS) attack against the bank’s public websites or Internet banking site (a DDoS occurs when multiple, sometimes thousands, of compromised computer systems flood a target site with traffic, slowing the target site and sometimes crashing it). The DDoS attacks, the report said, most likely were made to distract bank personnel from immediately identifying a fraudulent transaction. Mounting such an attack costs the criminal very little. The report says that one such piece of distributed malicious software—or “botnet”—that has been used is called “Dirtjumper,” which “can be bought and sold on criminal forums for approximately $200.”
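The two warning signs described above (a wire approved by the same actor who initiated it, and a wire initiated while the bank's site is under a DDoS meant as a distraction) can be turned into a simple review hold. The following Python is an added example and is not code from the alert or from any of the three organizations; the log records, field names, IP addresses and the two-hour look-back window are all constructed for the illustration.

```python
from datetime import datetime, timedelta

# Added example: two detection checks for the pattern the alert describes.
# Every record, field name and address below is constructed for this example;
# none of it is taken from the FBI/FS-ISAC/IC3 report.

# Constructed: one DDoS alert raised against the public banking site.
DDOS_ALERTS = [
    {"start": "2012-09-12T09:05:00", "target": "online-banking-site"},
]

# Constructed: wire transactions with the employee session that initiated
# each one and the session that approved it.
WIRE_TRANSACTIONS = [
    {"id": "W-1001", "amount": 12000,
     "initiated": "2012-09-11T14:02:00", "approved": "2012-09-11T14:40:00",
     "initiator": {"user": "alice", "ip": "10.1.4.21"},
     "approver": {"user": "bob", "ip": "10.1.4.35"}},
    {"id": "W-1002", "amount": 650000,
     "initiated": "2012-09-12T09:12:00", "approved": "2012-09-12T09:14:00",
     "initiator": {"user": "alice", "ip": "10.1.4.21"},
     "approver": {"user": "carol", "ip": "10.1.4.21"}},  # two logins, one machine
    {"id": "W-1003", "amount": 8000,
     "initiated": "2012-09-12T11:30:00", "approved": "2012-09-12T12:10:00",
     "initiator": {"user": "dave", "ip": "10.1.4.50"},
     "approver": {"user": "bob", "ip": "10.1.4.35"}},
]

# Assumed: how long after a DDoS alert starts we treat new wires as suspicious.
DDOS_WINDOW = timedelta(hours=2)


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def initiated_during_ddos(txn: dict, alerts: list, window: timedelta = DDOS_WINDOW) -> bool:
    """True if the wire was initiated within `window` of a DDoS alert starting."""
    initiated = _ts(txn["initiated"])
    for alert in alerts:
        start = _ts(alert["start"])
        if start <= initiated <= start + window:
            return True
    return False


def separation_of_duties_violations(txn: dict) -> list:
    """Reasons why initiation and approval look like the work of a single actor."""
    reasons = []
    init, appr = txn["initiator"], txn["approver"]
    if init["user"] == appr["user"]:
        reasons.append("initiator_approver_same_user")
    if init["ip"] == appr["ip"]:
        reasons.append("initiator_approver_same_ip")
    return reasons


def flag_transactions(txns: list, alerts: list, window: timedelta = DDOS_WINDOW) -> dict:
    """Map each suspicious transaction id to the list of reasons it should be held."""
    flagged = {}
    for txn in txns:
        reasons = []
        if initiated_during_ddos(txn, alerts, window):
            reasons.append("initiated_during_ddos")
        reasons.extend(separation_of_duties_violations(txn))
        if reasons:
            flagged[txn["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(WIRE_TRANSACTIONS, DDOS_ALERTS).items():
        print(f"{txn_id}: hold for manual review ({', '.join(reasons)})")
```

In the constructed data only W-1002 is held: it was initiated seven minutes into the DDoS alert and its initiator and approver sessions share one workstation address, which is what a stolen pair of credentials driven by one RAT-controlled machine would look like. W-1003 is initiated outside the two-hour window and goes through. The checks deliberately key on session metadata rather than on the user names alone, because the alert notes that the actors held several employees' credentials at once.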

The three organizations list a number of ways banks can protect themselves from this type of wire fraud, including new procedures and technical safeguards (the complete report is available on Finally, to catch fraudsters and to keep the industry informed of such attacks, the FBI encourages victims of cyber-crime to contact their local FBI field office and to file complaints online at

Click here to read the main story by Mark Tibergien, “Risky Business.” You can also get more information on preventing wire fraud here.