Network News

X My Profile
View More Activity

Businesses Reluctant to Report Online Banking Fraud

A confidential alert sent on Friday by a banking industry association to its members warns that Eastern European cyber gangs are stealing millions of dollars from small to mid-sizes businesses through online banking fraud. Unfortunately, many victimized companies are reluctant to come forward out of fear of retribution by their bank.

fsisac2.JPG

According to the alert, sent by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the victims of this type of fraud tell different stories, but the basic elements are the same: Malicious software planted on a company's Microsoft Windows PC allows the crooks to gain access to the victim's corporate bank account online. The attackers wire chunks of money to unwitting and in some cases knowing accomplices in the United States who then wire the money to the fraudsters overseas.

As grave as that sounds, the actual losses from this increasingly common type of online crime almost certainly are far higher. Those estimates were based on figures reported by the banks to federal regulators and law enforcement. But part of the problem, as Security Fix has found firsthand, is that many businesses are extremely wary about acknowledging that they've been victimized at all, even to federal investigators.

slackautoimg.JPG

In July, Security Fix highlighted the plight of Gainesville, Ga.-based Slack Auto Parts, which lost nearly $75,000 when fraudsters used malware to steal the company's online banking credentials and distribute the funds to six money mules around the country. When the company's story was retold in a USA Today feature, Slack Auto co-owner Tennent Lee Slack told me she began hearing from other businesses that had lost tens of thousands of dollars in eerily similar attacks, including another small company based in Gainesville that lost $63,000.

Slack said few victims that contacted her are willing to come forward to tell their stories.

"All of the people who have called us are very angry with their respective banks," Slack said. "Most have retained attorneys and I think they are afraid of publicity."

I spoke with one victim in California whose company had lost more than $50,000 after finding malware on the firm's systems, but the man ultimately decided he didn't want his company or bank to be named. Another gentleman, the owner of appliance sales and servicing company in Maine, also declined to tell his story for the record or contact law enforcement.

jmtest.JPG

JM Test Systems, an electronics calibration company in Baton Rouge, La., lost almost $100,000, after thieves used malicious software to send a series of sub-$10,000 payments to at least five co-conspirators around the country, who then wired the money on to fraudsters in Russia. Happy McKnight, the company's controller, agreed to talk to Security Fix on the condition that we not publish the name of her employer's bank. JM Test is still considering whether to try to settle the matter in court.

Avivah Litan, a fraud analyst with Gartner, said many victims don't want to talk because they fear it will endanger their ability to recoup the losses from their bank.

"Nobody wants to talk about it. The banks certainly aren't going to talk about it," Litan said. "It's like a rape victim. The victims are scared of retribution by their bank, scared that they're not going to get their money back. But in most cases they're not going to get it back anyway."

If your company has been a victim of this type of fraud, consider telling us your story. I can be reached at this address.

By Brian Krebs  |  August 25, 2009; 5:00 AM ET
Categories:  From the Bunker , Latest Warnings , Safety Tips , Small Business Victims  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Tighter Security Urged for Businesses Banking Online
Next: Microsoft Expands Office Anti-Piracy Program

Comments

Brian, thanks for your heads up on this activity. I have converted an old PC at home to Ubuntu and only for banking business.

At work, I used wubi to install Ubuntu and it was very easy and I just restart the computer and select Ubuntu to do banking business or process credit cards. No partitioning of the hard drive, dead simple. And since I use Firefox under Windows and Linux, it works the same either way.

I used to think it would be too much work to do this, but it has gotten much simpler. The only fly in the ointment is likely to be the wireless network card. It bears some looking into before doing this if it's not directly connected to the cable or DSL modem. I have another computer I use for my ham radio that has a wireless card that is extremely hard to get working under Linux.

I don't pick up email except to get a passcode from the bank to shut off that avenue of infection. I know I can not stop everything, but this was too easy not to do.

Posted by: eteonline | August 25, 2009 7:40 AM | Report abuse

Scared of their banks? Hmm… my financial institution just gave me a brand new debit card. They did this because of “suspicious” activity associated with the card. I also have two credit cards with the same institution. When I received the new card, the only difference I noted was that the three-digit number on the back was different from the old card. So I called them and they said, “Yes, I can use the card immediately.”

Too bad the institution would not tell me which retailer they suspected of being compromised. Its representative seemed really reluctant to talk about any transaction made them suspicious; they just wanted to end the call quickly. (Yeah, I already knew U.S. financial institutions never pass on this type of information.) And since few retailers ask for the three digits on the back of my card, I really wondered about my protection. Or was it the company that processed the transaction? (I got another new card.) So, businesses like JM Test Systems are scared of the banks, while the banks are too reluctant to adequately inform their customers about any threats. Yet, when I walk into its offices, I have to remove my sunglasses and hat. Someone needs to break the circle.

Posted by: ummhuh1 | August 25, 2009 12:44 PM | Report abuse

@eteonline

I installed ubuntu (side-by-side) "knowing" full well that my wireless broadband connection would be toast. Verizon's software ran on Windows - it reminded me of AOL's "gateway" and should have been my first clue. To make a long story short - one click short - ubuntu had no problem and no configuration. It's still easier to log into Windows to pay the Verizon bill. This mission critical function should not be left to freetards like ubuntu anyway.

Posted by: gannon_dick | August 25, 2009 1:43 PM | Report abuse

Interesting article. I'm particularly intrigued to read of counter-intuitive realities. I'm fascinated that businesses are more afraid of reprisals from their banks than the banks are from their business customers. I posted something a while back on why I believe businesses are reluctant to publicly disclose malware breaches of desktop/laptop computers.

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/pc-malware-costly-security-breach-disclosures

In short, just one compromised desktop/laptop can result in data leaks from almost literally anywhere else in the enterprise because of how extensively any one endpoint interacts with others.

For those not open to the Linux option reasonably suggested by another poster, there are two practical preventative measures you can take, as well as something you should pursue from your current or future bank.

The first measure requires no new software. Simply use two or more different web browsers. This has the subtle but powerful effect of compartmentalizing your sensitive financial web transactions from others. There's another post on that if one wishes more details.

The second measure is to install a new class of security software. My company offers something called AppGuard, which we position as stopping what your existing security software misses. There are other products out there. The key point is that they are all available for download at reputable portals. Choose the one that is easiest to use and least disruptive to what you do on your PCs.

The third measure involves two factor PKI authentication, NOT one-time pass code products, which are vulnerable to man-in-the-middle attacks. This is NOT a perfect solution but it makes matters far more difficult for the cyber criminals because their only remaining opening is to hijack the session cookie from your secure web browser connection and/or conduct fraudulent transactions while you're connected. In other words, their window of opportunity exists between the time you've authenticated.

Combine all three, or at least the first two, and you've mitigated the risks considerably. Oh, along the lines of our Linux friend, one further reduce risks by using a dedicated Windows computer for sensitive online transactions that does NOTHING else. This machine should be fully patched and employ the second measure too.

Posted by: eiverson1 | August 25, 2009 1:48 PM | Report abuse

Rob, thanks for the sharing of this scam. THIS is great reporting and a help to all!!

I am warning all of our management and IT guys!

Posted by: EZReader1 | August 25, 2009 6:38 PM | Report abuse

Heh, EZ, you might have me confused with Rob Pegoraro, my colleague who also writes about technology. But thanks for the kind words just the same ;)

Posted by: BTKrebs | August 25, 2009 6:57 PM | Report abuse

This is like saying "I think were losing in Iraq". This is not news.

But really switching to and between Linux and Windows helps, patch both constantly and keep a eye on your accounts.

Business does not want to admit they been hacked cause that would let there customers know there security is broke.

Posted by: dhengste | August 26, 2009 3:25 AM | Report abuse

Brian

After downloading Microsoft's updates this morning, I noticed that both my Google & Firefox browsers had expired certificates for g-mail.

Not to also mention that my Earthlink voice connection had been out for only 8 hours now to boot.

Turns out that SOMETHING had reset my computer clock back to 2002 -- so the expired certificates.

Nevertheless, when I click on your site, it is still loading all the way to the right of my screen -- until I hit reload.

So even if Avast didn't find the malware on the businesses computer for over a year,

would Malwarebytes Antimalware have found it --- or no ???

Posted by: brucerealtor@gmail.com | August 26, 2009 4:10 AM | Report abuse

//continued//

I had just removed and reinstalled Firefox and to stop the shifting to the right I had to clear the browser.

But you were the first item up on the new install -- ugh.

Posted by: brucerealtor@gmail.com | August 26, 2009 4:15 AM | Report abuse

MS has what's called "patch Tuesday" (2nd Tuesday of each month) that was 2 weeks ago..on occasion they even release out of band patches for serious vulnerabilities for what's called zero day issues, meaning hackers reverse engineer the last patch to find new ones before they can correct it again. It's never ending - security is a process.

Posted by: dhengste | August 26, 2009 4:40 AM | Report abuse

Yes yes yes yes and yes. Great work, Bk!

Posted by: Rixstep | August 26, 2009 10:11 AM | Report abuse

@Bruce -- I'll have a blog post up about this in a few minutes, but essentially MS shipped a couple of out of band, non-security related updates, one of which monkeys with the table of daylight savings times for various locations. It is possible that the patch somehow affected your Windows clock/system time wrongly. A system calendar/clock that is years off base would definitely interfere with your ability to use SSL, which gets really confused when the dates are off by that much.

Posted by: BTKrebs | August 26, 2009 10:40 AM | Report abuse

The big problem is most of those small-to-medium businesses have really poor patching policies.

They might configure windows update to automatically patch the OS... However, I bet most businesses do not regularly patch installed applications (e.g. Adobe Flash or JAVA); which happen to be the vulnerability d'jour exploited by the thieves.

Posted by: siris | August 26, 2009 12:00 PM | Report abuse

Thanks, Brian. I would be interested to know more about these two MS updates before I download them. I googled their KB numbers and found some complaints out there.

Posted by: Bartolo1 | August 26, 2009 12:04 PM | Report abuse

I don't get why (apparently) US banks don't do what we do in the Netherlands - when I bank online, I need a physical device (my mobile phone for one bank, an e-dentifier for the other) to be able to do anything.

Whenever I need to make a transfer, I either need to put in the code I receive on my phone, or the code that the e-dentifier gives me after physically sticking my bank card into it and entering my pin plus the code the website gives me.

Even if someone knows my login details, my bank account number, and the card number, they're still not being able to touch my accounts.

Posted by: lmels | August 27, 2009 3:51 AM | Report abuse

I agree with Imels that two factor authentication, whatever its form, makes it considerably more difficult for the Cyber gangs to conduct these transfers.

However, they can still do so via a man-in-the-browser attack. This requires them to execute these transfers after a login by the respective end-user/victim. I cannot comment on how pervasive this approach is, though.

Already, the gangs are conducting their transfers from the victim's own computer to reduce the risk of discovery by the bank when an unusual IP address conducts the transfer.

Eirik Iverson
Blue Ridge Networks
Product Management: AppGuard; AppGuard Enterprise; EdgeGuard; Managed EdgeGuard

Posted by: eiverson1 | August 28, 2009 10:45 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company