Network News

X My Profile
View More Activity

The Growing Threat to Business Banking Online

Federal investigators are fielding a large number of complaints from organizations that are being fleeced by a potent combination of organized cyber crooks abroad, sophisticated malicious software and not-so-sophisticated accomplices here in the United States, Security Fix has learned. The attacks also are exposing a poorly-kept secret in the commercial banking business: That companies big and small enjoy few of the protections afforded to consumers when faced with cyber fraud.

Earlier this month, I wrote about Bullitt County, Kentucky, which lost $415,000 after criminals planted malicious software on the county treasurer's PC. That rogue program allowed the crooks to initiate wire transfers to more than two dozen so-called "money mules," people duped into laundering the money and wiring it to the perpetrators in Ukraine.

bullittcar.JPG

A few days after that story ran, I heard from a source in federal law enforcement who said the attack against Bullitt County was only the very tip of the iceberg, and that there were many other businesses also losing money in similar cyber attacks. The source, who is familiar with several of these investigations, asked to remain anonymous because he is not authorized to speak with the media.

That same day, news broke that a public school district outside of Pittsburgh, Pa., filed a lawsuit against ESB Bank, a subsidiary of Ellwood City, Pa., based ESB Financial Corp. The Western Beaver School District charges that crooks used malicious software to siphon more than $700,000 from the school's account at ESB. According to the lawsuit, the funds were transferred in 74 separate transactions over a two-day period, to 42 different individuals who had no prior business with the school.

Since then, I heard from the owners of Slack Auto Parts in Gainesville, Ga., which recently was robbed of nearly $75,000. Slack Auto Parts co-owner Henry Slack said that between July 3 and July 7, cyber intruders used malware planted on the controller's Windows PC. From there, they were able to break into the company's bank accounts, create new user accounts at the bank, and then wire nine payments to at least six different money mules around the country.

The thieves also tried to transfer an additional $69,000 from Slack Auto's account to another eight mules across the United States, but the company's bank was able to block those transfers. Slack said the bank had reversed $14,000 worth of the fraudulent wire transfers, and that he is still working with the bank to try to recover the rest of the bogus transfers.

After the fraudulent transfers, a scan by the company's anti-virus software and a hired cyber security expert turned up no evidence of malware. A second opinion by another cyber fraud investigator found that the company controller's PC had been infected with an extremely stealthy Trojan horse program called "Clampi" (a.k.a. "Ligats" and "Rscan"). The expert determined that the keystroke logging Trojan had resided on the company's systems for more than a year before being used by the attackers.

Mules and Mule Recruiters

Slack said one of the money mules -- a woman from Winston-Salem, N.C. -- actually contacted him when the bank reversed the transfer and pulled slightly less than $10,000 out of her account before she could wire it to fraudsters in Eastern Europe, as she'd been instructed.

"She wanted to know why the money she was expecting had been held up by her bank, and I told her 'Ma'am, that's our money, and it was sent to you without our permission,'" Slack recounted. "She was very helpful after that, giving us all of her information, and an explanation of how she got involved."

The mule told Slack she was recruited via e-mail by a company called The Junior Group. The company's Web site, www.junior-group.cn, states the Junior Group consists of 3,000 employees with headquarters in more than 100 countries of the world.

Junior-Group did not respond to multiple requests for comment sent via e-mail.

juniorgroup.jpg

Maintaining headquarters in more than 100 countries might seem like a misstatement, but fraud experts say it's typical of money mule recruitment sites, which try their best to look official but often include numerous telltale giveaways - such as false contact information, poor grammar, and statements that don't quite add up or appear poorly translated.

Bob Harrison, who maintains Bobbear.co.uk, one of the largest Internet resources dedicated to tracking money mule recruitment sites, says Junior-Group.cn is just the latest of the numerous, highly generic Russian scam Web site set up as a front for money laundering.

"It's a bit slicker than most, but at the end of the day its function is to con you into believing that they are a legitimate company," Harrison wrote.

hackerad.jpg

Interestingly, the banner at the top of the Junior Group's Web site (see above image) includes three catch phrases: "Professional Researches;" "Precise and Impartial Approach;" "Individual Customer Support." These three phrases stuck in my head until I remembered where I'd seen them grouped together before: In a Flash advertisement from 2005, advertising credit card fraud services available at now-defunct Carderplanet.com, which was at one time among the largest Russian online forums for the buying and selling of stolen identities and banking data.

Businesses Lack Protection

Fraud experts say these types of attacks illustrate the stark differences in the legal and financial liability that consumers and businesses assume in the face of cyber crime. Consumers who bank online in the United States are protected by Regulation E, which generally holds that consumers are not liable for unauthorized transactions against their bank accounts (provided they don't go more than 60 days without reporting suspicious or unauthorized charges or debits).

However, this provision does not apply to business account holders. If a company gets hacked and someone manages to clean out that firm's bank account, the company's bank is under no obligation to make that customer whole, said Avivah Litan, a banking fraud analyst with research firm Gartner Inc.

Litan said many commercial banks have very little -- if any -- fraud detection mechanisms in place on their automated clearinghouse (ACH) systems, those used to transfer money in and out of customer accounts. Rather, she said, most commercial banks have chosen to place anti-fraud technologies on the front end, such as one-time token requests and other Web-site based security measures.

"ACH is one of the most vulnerable spots in the system, and very few banks have ACH fraud detection, if any," Litan said. "It's a really big deal because the rights of businesses to get their money back [after an incidence of ACH fraud] are weak. If I was a small business banking online right now, I'd switch my company's account from a business account to a personal account. There are fewer features available, but it's a lot safer."

For its part, Slack Auto won't be banking online anymore, at least not in any way that could enable the transfer of money.

"We've established a new bank account with a bank that has branches in all of our markets, and it's view-only, it can't be used to do any transactions," Slack said. "We just can't afford to let this happen again."

By Brian Krebs  |  July 20, 2009; 5:26 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Small Business Victims , Web Fraud 2.0  | Tags: ach fraud, bullitt county, slack auto parts  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Firefox Update Plugs Critical Security Hole
Next: Update for Norton Internet Security & Firefox 3.5

Comments

"Pittsburg, Pa"

Like a cockney 'arry Potter, you've dropped an 'H'....

Posted by: JkR- | July 20, 2009 7:41 PM | Report abuse

@JkR -- fixed, thanks!

Posted by: BTKrebs | July 20, 2009 8:14 PM | Report abuse

Legislation delaying ALL overseas money transfers without ADDITIONAL means of VERBAL IN PERSON authorization at the TRANSFERRING source it seems would CATCH the CLEAR MAJORITY of these cyber offenses.

AND A 30 DAY DELAY IS BETTER THAN A TOTAL LOSS. PERHAPS BUSINESS JUST NEEDS TO COUNT ON A 30 DAY DELAY AS THE COSTS TO BATTLE THIS PLAGUE.

And this Joint House & Senate Bill will take how long to introduce and approve ????

Posted by: brucerealtor@gmail.com | July 21, 2009 2:47 AM | Report abuse

Actually, it appears that since the mules are stateside, it would appear that the legislation would have to cap stateside business transfers above a certain amount also -- allowing for a new industry similar to 'factoring' to be used to 'guarantee' any funds available within 30 days.

ALTERNATELY, PRIVATEERS could be used with a 'dead or alive' bounty. The later might be seen as a 'small' violation of the law, but cruse missiles seem excessive and 'an act of state.'

Perhaps simply seizing national assets within the US of any countries that KNOWINGLY harbor such financial terrorists, would send a wake up call that their internal lawlessness and enforcement efforts, if any, should not be our problem, but theirs.

Posted by: brucerealtor@gmail.com | July 21, 2009 3:07 AM | Report abuse

@ JkR- and Brian: Even Harry (non-cockney that he is) knows the letter dropped is an "aitch."

@ Bruce: Your reactions to this sort and many other sorts of cyber-crime chronicled by BK are echoed by many others. The frustration at witnessing our government not being able to do anything about simply exacerbates our feelings of helplessness.

When will our law enforcement community step up to the 21st Century Plate?

Posted by: peterpallesen | July 21, 2009 10:18 AM | Report abuse

Frankly I hope you continue to mention the fact that Microsoft Windows computers were involved in this fraud. While Microsoft, of course, does not actually participate in this thievery, they certainly enable it with their software. I now know, personally, several people who have been victimized via their Windows systems. People need to learn this and switch away from Microsoft, which is also the only way to get Microsoft's attention, that being an "attack" on their bottom line.

Posted by: JeffBbiz | July 21, 2009 10:52 AM | Report abuse

"After the fraudulent transfers, a scan by the company's anti-virus software and a hired cyber security expert turned up no evidence of malware."

Don't the major PC security programs--Norton, McAfee, BitDefender, Sophos, etc--focus on such malware? If not, do ANY of them?

Posted by: Garak | July 21, 2009 12:55 PM | Report abuse

@garak -- getting into a conversation about which AV products detect and which don't is kind of fruitless. this malware is more or less unique on each host, and so AV detection across the board is going to be crappy. unfortunately, when there is such a time gap between infection and discovery, finding out HOW they got infected is well nigh impossible, but the thinking so far is that these guys are targeting their malware in custom e-mails

Posted by: BTKrebs | July 21, 2009 1:29 PM | Report abuse

Roughly 90% of malware infestations are due to programming mistakes in the software applications, leaving 10% for the operating system. We're actually seeing cross-platform vulnerabilities in cross-platform applications. However, to date, I know of no exploits in the Wild for these cross-platform applications that targeted non-Windows machines. So, given that businesses will not migrate away from Windows over night, we need to place the application software used in Windows under 'guard' as well as further reduce drive-by download attack risks by snuffing-out unknown software launches from user-space:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/computer-software-hijacked-malware-attack-steal

Posted by: eiverson1 | July 21, 2009 2:47 PM | Report abuse

After watching a customer's treasury management account online banking credentials flowing from a compromised computer in their network to a botmaster in Russia, the exposure of a bot-related security breach became alarmingly apparent. The fact that there are NO safeguards for business bank accounts provides a strong disincentive for anti-fraud measures to be improved by the banks. Hear me now, believe me later: self-regulate now or have congress do it for you in 2012.

Posted by: radix42 | July 21, 2009 4:12 PM | Report abuse

But what type of safe guards?
The United States has no control over other nations, and some nations(Russia) pretty much don't care. So laws???? It would take forever for prosucecution. Hell, look at the hacker that broke into NASA(I think it was) from the UK. An Ally. Look how long it's taken to get him here to the US.

I have done enough reading about the AV software to know that they don't have a good track record for identifying new malware. They work off of signitures.
Previously identified threats. Key loggers... A keylogger can be a physical instrament or software. From a network security position. You can stop outgoing trafic to specific ip's(the botnet master), but how do you know what to block???? Ok, you can get blacklists of ip's and block all of them. But there are always new ip's that they would use.

The business's identified in this article were either small goverment or small buisness's. Their IT budget is most likely small. Hell, I bet they may only have one person who's duty(along with many others) is for security. Shoot, I bet some of this persons ideas for security have been shot down because it was too intrusive.

The financial institutions. I am sure they are extremely concerned about this. But, how much security should they put into place? Actually, the only thing I can think that might actually work on their part would be a physical fob, or electronic device that positively identifies the individual in control of the bank. BUT, how many business's would find that too intrusive and not use it?

There is no magic answer here. Laws will be hard to enforce, hard to train the law enforcement for, and without identification of the crime(reporting of). Useless. AV? That is forever evolving, but it still is behind the curve. It reacts to what it knows, it is not good at identifying new. And how will people react to false identifications???? It will happen, it's something to be considered. Security at the business. Budget's are tight during this recession, IT is one of the first places to be cut. Education of the users? Again, money to train.

I think the answer is all of the above, but it is not cheap. It is not easy. And it will take a long time to happen.

My opinion on what to do? Ok, this is my radical rant. Please excuse if you are offended. Identify the ip's of known bot masters who are performing this and other types of theft. Let the major ISP's, major telco's, major governments unleash their bandwidth and fry them. I know, won't happen. Some would consider it an act of war. But we are only reacting right now. We have not gone to the offensive yet. And some type of offense needs to be launched to stem this crime spree.


Posted by: LiberalBasher | July 21, 2009 9:19 PM | Report abuse

Hey LiberalBasher, nothing wrong with your "rant" to me. I often write about the shortcomings of signature-based anti-malware products. I just wrote a post regarding this article by Brian where I elaborate a bit on how a couple of technologies over-promise and under-deliver.

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e

Originally, I included some verbiage on how white list security software products are considerably more difficult to deploy and maintain than folk may realize and that there are easier solutions. But, the post was long so I cut it out. BTW, I'm not against white listing. They require some heavy lifting and more realistic expectations.

Posted by: eiverson1 | July 22, 2009 11:57 AM | Report abuse

I REALLY hate to sound as though I'm blaming the victim, but...

If you go back to the previous article link referencing the Bullitt County theft, Brian states, "The attackers somehow got the Zeus Trojan on the county treasurer's PC."

I'm going to suggest three possible somehows:

1. The treasurer opened a phishing email he received at work, not realizing that it could install malicious code;
2. He used his work PC to log into his personal email account, and couldn't resist seeing if there really was a naked picture of (name the celebrity); or
3. He surfed to an unsafe site.

Admittedly, he could have been re-directed to a malicious site, or clicked on a legitimate ad that had been compromised. But I'd be willing to bet on #1, 2 or 3.

Another troubling aspect is that the thieves were able to so easily change the judge's email address of record. When I change contact info using my bank's online portal, an email is sent to the email address of record. So either that didn't happen, or the judge never checked his personal email. (Of course a third possibility is that the bank did send the confirmation -- and the judge would have responded in a timely fashion -- but the bank had no requirement that he confirm the change before enabling it.)

In real estate, they say, "Location location location." I say "Education education education." Until users learn to recognize phishing emails or suspect web pages, and make conscious decisions to err on the side of caution, these things will happen.

In an op-ed piece published a few years ago, I suggested that cruising the Internet should be like cruising a physical highway: until you demonstrate a certain level of competence, and understand how to control your vehicle and steer clear of hazards, you're not allowed to drive. The same requirement should apply to users of the World Wide Web. Harsh? Yes. But we all would be safer online were that the case.

-- Michael Seese, author of "Scrappy Information Security"

Posted by: MichaelSeese | July 23, 2009 6:32 PM | Report abuse

there is no way to eradicate the thieves, they have to change their mind and should not do these kind of things.

Posted by: freeebookmania | July 24, 2009 12:14 PM | Report abuse

The failure of an anti-malware application to detect a particular piece of malware (the "Clampi" Trojan in this case) is not news. Many malicious programs do a great job of hiding themselves. Thus, I suggest scanning a suspect system from outside the suspect operating system. This *insures* that the malicious software does not get a chance to run.

My preferred software to enable scanning from the outside is the free Ultimate Boot CD for Windows. It includes a handful of free anti-malware programs that can run from the CD and even self-update themselves.

In addition UBCD4WIN can also share the infected C disk over a network, allowing it to be safely scanned by your favorite anti-malware program residing on another (presumably clean) computer.

This is a great first crack at detection, but, by itself, is not sufficient. You still need to scan for malware from inside the infected OS afterwards.

Interestingly, both MalwareBytes and SUPERAntiSpyware are working on mounting the infected registry even when they scan a system from the outside. This should be a big step forward in malware detection and removal.

For more, see a series of articles I wrote on this subject for eSecurity Planet. This is not a plug for any particular anti-malware program, just for an approach to removal.

http://www.esecurityplanet.com/features/article.php/3821001/The-Best-Way-to-Remove-Viruses-Spyware-and-other-Malware-Part-1.htm

http://www.esecurityplanet.com/features/article.php/3825291/article.htm

http://www.esecurityplanet.com/features/article.php/3830676

Michael Horowitz
michaelhorowitz.com

Posted by: MichaelsPostingID | July 26, 2009 6:37 PM | Report abuse

Seriously - what was that woman thinking? Was she thinking at all? Why does crime so often depend on people being just totally unbelievably stupid? What did she think she was really doing? Did she really think her 'job' appeared to be a 'legit' operation? Crime so often depends on people being colossally stupid.

Posted by: Rixstep | July 27, 2009 1:28 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company