Banks across the Middle East – and elsewhere – are now in the crosshairs of the region's murky cyberwar.
In early August, security researchers at Kaspersky Labs reported on a new piece of malware called Gauss, characterized as a "banking Trojan." Since its apparent first appearance in late May, say the researchers, they have logged 2500 infections. In all, "tens of thousands" of victims may have been targeted by Gauss.
The largest number of infections have been in Lebanon, followed by Israel and Palestine. Infections have also been logged in Egypt, Gulf Arab countries, Germany, and the US. Lebanon has long been the financial center of the Middle East, which may account for the high infection rate there.
Unlike most banking malware, which targets hundreds of financial institutions more or less indiscriminately, Gauss seems to be highly selective. But in addition to hitting major Lebanese banks, it has also targeted users of Citibank, based in New York, along with the popular online payment service PayPal.
In addition to stealing banking credentials and account information, Gauss can steal logins for social networks, IM, and email, and also infect USB sticks with a data theft tool.
But perhaps the most striking thing about Gauss is not its impressive capabilities, but its apparent origin. The Kaspersky Labs researchers note that it bears a strong technical resemblance to the Stuxnet, Duqu, and Flame cyberweapons, and was probably developed in the same software "factory."
Stuxnet and its stablemates are generally believed to be "state-sponsored." More specifically, they are widely suspected of having been developed and deployed by the intelligence agencies of the United States, Israel, or both of them working together.
As with these other cyberweapons, the ultimate target of Gauss is probably Iran, in this case its financial activities abroad in support of its nuclear program, oil sales, or both.
And the lesson for all the rest of us is that the Middle East's covert cyber-warriors are concerned about their own security, but not about ours. When it comes to online security, we are on our own.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but each is designed to meet specific threats – and will not block other threats. At GRT Corp., our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."