November 3, 2009 5:19 PM PST

Corporate bank accounts targeted in online fraud

by Elinor Mills

(Credit: FBI)

Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.

"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.

The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.

Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses that have been victims of online theft and is detailing the attacks.

Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.

The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, malware containing a key logger is installed on the recipient's computer. The key logger harvests the user's corporate online banking user name and password, which is then used to create another account or to initiate a funds transfer masquerading as the authorized user.

The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.
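The pattern just described, several just-under-$10,000 transfers to beneficiaries the account has never paid before, inside a short window, is something a bank or a company's own reconciliation process can look for. The following detector is an added example, not code from the article or from the FBI; the ACH log lines, the payee history and the thresholds (80% of the reporting threshold, three transfers in 24 hours) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Currency transaction reports apply at $10,000; the article notes that mule
# payments are kept below that figure. The tuning values below are assumptions.
CTR_THRESHOLD = 10_000.00
NEAR_FRACTION = 0.80               # amounts at or above 80% of the threshold count as "just under"
BURST_WINDOW = timedelta(hours=24)
BURST_COUNT = 3                    # three or more such transfers from one account is a burst

# Constructed ACH log lines: timestamp|originating account|beneficiary|amount
SAMPLE_LOG = [
    "2009-11-02T09:15:00|ACCT-1001|PAYEE-VENDOR-A|12500.00",  # established payee, ignored
    "2009-11-02T10:02:00|ACCT-1001|PAYEE-NEW-771|9400.00",
    "2009-11-02T10:09:00|ACCT-1001|PAYEE-NEW-772|9850.00",
    "2009-11-02T10:21:00|ACCT-1001|PAYEE-NEW-773|9700.00",
    "2009-11-02T11:00:00|ACCT-2002|PAYEE-NEW-900|9900.00",    # single transfer, no burst
]
# Constructed history of beneficiaries each account has paid before
KNOWN_PAYEES = {"ACCT-1001": {"PAYEE-VENDOR-A"}, "ACCT-2002": set()}

def parse_transfer(line):
    """Split one log line into a dict with a datetime and a float amount."""
    ts, orig, bene, amt = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "orig": orig, "bene": bene, "amt": float(amt)}

def flag_mule_pattern(lines, known_payees):
    """Return one alert per originating account that sends BURST_COUNT or more
    sub-threshold transfers to never-before-paid beneficiaries inside BURST_WINDOW."""
    transfers = sorted((parse_transfer(l) for l in lines), key=lambda t: t["ts"])
    by_orig = defaultdict(list)
    for t in transfers:
        new_payee = t["bene"] not in known_payees.get(t["orig"], set())
        near_limit = NEAR_FRACTION * CTR_THRESHOLD <= t["amt"] < CTR_THRESHOLD
        if new_payee and near_limit:
            by_orig[t["orig"]].append(t)
    alerts = []
    for orig, hits in by_orig.items():
        for i, first in enumerate(hits):       # sliding window over the time-sorted hits
            window = [u for u in hits[i:] if u["ts"] - first["ts"] <= BURST_WINDOW]
            if len(window) >= BURST_COUNT:
                alerts.append({"orig": orig, "count": len(window),
                               "total": round(sum(u["amt"] for u in window), 2),
                               "start": first["ts"]})
                break
    return alerts

if __name__ == "__main__":
    for a in flag_mule_pattern(SAMPLE_LOG, KNOWN_PAYEES):
        print(f"{a['orig']}: {a['count']} transfers to new payees, ${a['total']:,.2f}, from {a['start']}")
```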

In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.

Current signature-based antivirus programs are increasingly ineffective, and companies should also consider using heuristic detection, application whitelisting (which allows only known software and libraries to execute on a system), and reducing user privileges, the report advised.

Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.

"Money mule activity is essentially electronic money laundering...," the FDIC statement said.

Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.

"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
(16 Comments)
by tektaktyks November 3, 2009 6:24 PM PST
Dear robbers, please leave small and medium businesses alone, go after the big corporations, they deserve it. Keep up the good work. Cheers.
by Magallanes November 4, 2009 9:26 AM PST
Brain: I shall be Robin Brain, a noble outlaw who steals from the rich, and gives to himself.
Pinky: But doesn't Robin Hood give to the poor?
Brain: Yes, but we don't want to be sued for trademark infringement.
by skswave November 3, 2009 6:36 PM PST
As almost all small and medium business computers have a Trusted Platform Module in their PCs, the TPM can easily be used as a multifactor authentication token for the banks without having to send out tokens or smartcards. Every bank doing e-business with corporate accounts should adopt the use of this IEEE standard strong authentication device yesterday. There is no longer a reason why this type of fraud takes place. Ask your bank when they will support TPM for strong access control to your business accounts.

Steven Sprague
Wave Systems Corp.
by mbenedict November 3, 2009 8:43 PM PST
Not really. I understand your company sells authentication products but authentication isn't the main issue here.

Indeed the bigger issue is integrity of running processes, since targeted malware can "piggyback" valid (authenticated) sessions. Using multifactor authentication doesn't protect against this attack vector, whether using tokens or TPM or biometrics. Malware can wait until the user is properly authenticated then simply hijacks the session.

The problem with integrity is while TPM is protected from the system software, system software isn't in turn protected by the TPM. To manage integrity you'd need extensions built into the kernel (see for example IBM's IMA for Linux), but if the kernel itself is compromised -- typical for malware -- then the game is over. At the least you need another layer like a hypervisor but most systems won't have that.

Today (in practice) it's not possible to guarantee end-to-end integrity using general purpose hardware & operating systems. So the most fruitful controls are likely detective (like behavioral heuristic anti-malware mentioned in the article) or corrective (reconciliation processes and so on).
by solitare_pax November 4, 2009 2:18 AM PST
Face it, you can have the best darned TPM, Firewall or whatever on your PC, and some scam will still get through. Why? Because at the end of the day, the weakest link in computer security remains the poor guy sitting at the keyboard trying to do their job and getting a bogus message that they fall for.
by gggg sssss November 4, 2009 3:06 PM PST
Just saw a fake McAfee and a fake Windows update balloon.
by ecotopian--2008 November 3, 2009 8:00 PM PST
It's good news when spammers start attacking bigger targets. Maybe we will see a more aggressive and internationally coordinated anti-spam effort as a result.
by solitare_pax November 4, 2009 2:19 AM PST
And this is why I don't do online banking.

Besides - I keep the tellers behind the counter employed.
by mmichaels November 4, 2009 6:48 AM PST
Thank you for the jobs you have "created or saved"!
by tektaktyks November 4, 2009 3:25 PM PST
Well, if they lost their jobs they can always start a news site... like this one...
by bmedicky November 5, 2009 6:33 PM PST
Dude, do you think that just because YOU aren't using your computer that everything's OK? The banks use computers nonstop, whether you yourself use one for online banking or not. You haven't eliminated the risk at all: you've maybe reduced it by some infinitesimal fraction of a percent.
by November 4, 2009 3:35 AM PST
"Closing the loop" is one of the best ways to reduce the risk of this.

E.g. two members of the corporation's staff should be emailed a list of all transactions each day, so they can check the transactions are valid.

Another solution is to use more than one channel.

E.g. input all transactions on the Web, but then have to confirm the transactions with phone banking before they are acted on. In a corporation's case, the phone banking could check the caller ID.
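The second-channel confirmation suggested in the comment above only defeats the session hijacking mbenedict describes if the code the customer reads back is bound to the beneficiary and amount the bank will actually execute, rather than merely proving the customer is present. The following is an added example of that binding, not code from either commenter or from any bank; the HMAC construction, the shared per-customer secret (held by the bank and the out-of-band channel, never the browser), the 8-digit code length and the nonce handling are assumptions, and it goes beyond the comment by showing verification against the transfer as submitted rather than as displayed.

```python
import hashlib
import hmac

CODE_DIGITS = 8   # assumption: an 8-digit code is what the phone channel reads out

def canonical(transfer):
    """Fix the exact fields the code covers: changing any of them changes the code."""
    return "|".join([transfer["from_acct"], transfer["to_acct"],
                     f"{transfer['amount']:.2f}", transfer["nonce"]])

def issue_confirmation(secret, transfer):
    """Bank side: derive a short numeric code bound to beneficiary, amount and a
    one-time nonce. The bank delivers it over the second channel together with the
    beneficiary and amount, so the customer sees what they are approving.
    Assumption: the bank records the nonce and consumes it on use (bookkeeping omitted)."""
    mac = hmac.new(secret, canonical(transfer).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"

def verify_confirmation(secret, transfer_to_execute, code_from_customer):
    """Bank side: recompute over the transfer as it will actually be executed,
    not as it was displayed in the browser, and compare in constant time."""
    expected = issue_confirmation(secret, transfer_to_execute)
    return hmac.compare_digest(expected, code_from_customer)

def demo(secret=b"constructed-demo-secret"):
    """A legitimate confirmation succeeds; a hijacked session that swaps the
    beneficiary after the code was issued fails verification."""
    approved = {"from_acct": "ACCT-1001", "to_acct": "PAYEE-VENDOR-A",
                "amount": 12500.0, "nonce": "txn-0001"}
    code = issue_confirmation(secret, approved)
    swapped = dict(approved, to_acct="PAYEE-NEW-771")   # beneficiary altered in-session
    return (verify_confirmation(secret, approved, code),
            verify_confirmation(secret, swapped, code))

if __name__ == "__main__":
    print(demo())
```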
by networksniff November 4, 2009 4:47 AM PST
This step may make people fear online transactions further, which are a core thing in the present day. There is a need to invest more in security enhancements, but the banks turn a deaf ear to that. But I see many banks implementing security code alerts on mobile if any transactions are initiated on online accounts. It's a great thing, but only thank God that your mobile is not one of the cloned victims.

[CNET editors' note: URL removed]
by weegg November 4, 2009 6:10 AM PST
Banks are idiots. Use RSA SecurID for online bank transactions. At my work we use them and have had no issues. Gee, even Blizzard for WoW uses them.

Until banks start using them I will never do online banking.

Maybe bank management should forego their ungodly bonuses and put a SecurID system into place instead.
by raydickenson November 4, 2009 6:47 AM PST
These crimes are committed by online criminals who are very effectively navigating through several layers of weak defense. And they are doing so from remote locations, usually across jurisdictional boundaries that have not been clearly defined and understood by governments and their law enforcement organizations. The FBI report is an example of progress in the latter regard, but law enforcement agencies around the world need to continue developing the organizational "DNA" that makes them inherently capable of understanding and responding quickly to online crime.

But we can't focus just on law enforcement. If citizens walked around city streets leaving their wallets and purses lying open and unwatched, we could not blame the cops for high rates of theft.

As long as a thief can reach halfway around the world and into our PCs to take money directly out of a commercial bank account, these crimes will continue to grow.

The functionality in a standard Internet-connected Windows PC is oriented towards openness, connectivity, sharing and one-click ease of use. These are terrible features in a commercial banking terminal. I feel bad for the finance and accounting clerks who are told that the crime occurred on their computer because they clicked on the wrong thing.

Ray Dickenson
blog.safecentral.com