Crosskey is a Finnish company that develops, delivers and maintains systems and solutions for Nordic banks and capital markets. Customers range from small and regional banks to the third largest bank in Finland. Altogether, Crosskey deals with the management of over 3 million banking customers (half of Finland's population) in the Nordic region. Malware targeting financial institutions, like Crosskey, is not surprising – money is always a prime target for thieves.
Crosskey has had to deal with a constantly changing threat landscape, with financial malware that keeps “improving” and morphing. The first major malware to strike the financial industry was the Zeus Trojan back in 2007.
Fast-forward to today – GameOver Zeus, which emerged in 2011, is an offshoot of the original Zeus Trojan, but it uses a peer-to-peer architecture and has been able to infect as many as 1 million computers with the goal of stealing banking credentials. At this point, the FBI is offering a *record* $3M reward for info leading to the arrest of Evgeniy Mikhailovich Bogachev, the criminal behind GameOver Zeus.
Even with this evolution, there seems to be a “hall of infamy” of core financial malware that continues to concern banking security professionals: Zeus, Carberp, Citadel, and SpyEye.
- Zeus is the granddaddy of banking Trojans, and arguably the most well-known malware of all time.
- Carberp steals data and relays it to a command-and-control (C&C) server, and has sophisticated rootkit functionality to protect itself from detection. It now includes the ability to encrypt the payload when it heads to its C&C server.
- Citadel is a Zeus variant, and it’s famous for its open-source nature. Things are currently quiet on the Citadel front after Microsoft led a coalition which took most of it down.
- SpyEye has faded out recently, following several arrests.
In the case of Crosskey, they’ve recently moved away from outsourcing security and brought it in-house, installing AlienVault’s Unified Security Management (USM) platform as part of that move. Part of their business is managing financial systems for customers, meaning there is a vast volume of logs to go through. In this way, Crosskey is improving security and increasing visibility with a much smaller security team, while maintaining PCI compliance. The solution provides consolidated log management, consolidated security event and incident management, real-time threat analysis and real-time event and incident analysis, all with configurable alerting. With AlienVault, Crosskey can correlate all logs, not just IDS logs but Unix, Windows, system and firewall logs as well, giving the security team a more complete security view.
They expect that in the future, breaches on payment systems with malware targeted at financial institutions will continue to be a problem, and coping with “finding badness” from environments will become more and more difficult. Therefore, security products that incorporate threat intelligence, like USM, will gain importance. “Intrusions can happen in minutes, but detection can sometimes take months. We can defend our networks one by one or we can collaborate and share information,” according to Kim Halavakoski, head of security at Crosskey. “It’s easy enough to say, harder to implement, but finding a way is the only way to cope with the sheer amount of threats.”