Business e-banking and the 6-figure password
On Monday, Security Fix featured the story of Ronnie Cutshall, a Tennessee man who was caught up in an international money laundering scam after being recruited through a work-at-home job offer. That story mentioned that Cutshall received a $9,600 transfer from a company called American Realty, but that I didn't have any luck in tracking down the victim company.
Today the American Realty company affected by that scam contacted me after reading my story (turns out they're located in Shalimar, Fla., not Georgia, as I had previously thought). A few weeks ago, an American Realty employee clicked a link in an e-mail scam that spoofed an IRS alert about unreported income. The Web site linked to in that message quietly installed a password-stealing Trojan horse program named Zeus. From there, the perpetrators were able to swipe the company's online banking credentials, and initiate unauthorized payroll payments to Cutshall and about 20 other individuals.
In all, the hackers transferred $195,000 out of American Realty's bank account. So far, the company has retrieved just $45,000 of the stolen money.
Denny Naugle, operations director at American Realty, said the company is drafting papers to sue their bank.
"The bank said it detected that this was likely fraud, but they let the transfers go through anyway," Naugle said. "They're saying it's our fault because we gave our password information away."
Companies that bank online enjoy few of the protections afforded to consumers. Individuals who have their online bank account cleaned out because of a password-stealing computer virus usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Businesses often are not so lucky and must take losses.
I think the following anecdotes explain the difference nicely. When a consumer wants to do online banking, the bank says, "Thanks for banking with us. And don't worry: We will put your money back in our super-secure vault. Even if somebody should break in and rob the place, your money will still be safe because it's protected by armed guards, and six inches of steel. But even if they get past all of those protections and steal cash from the vault, we'll replace any money that was yours."
In contrast, when businesses bank online, the unspoken message from many financial institutions is: "Thanks for banking with us. And don't worry: We'll keep your money here in our super-secure vault. Oh, and by the way, here's a key to that vault. Just make sure you don't lose it."
It's probably worth noting that the FBI published an alert Wednesday warning businesses about a significant increase in this type of fraud. The alert references an intelligence note published by the FBI's Internet Crime Complaint Center (IC3), which states that as of October 2009, there has been approximately $100 million in attempted losses. This is a bit higher than previous estimates: Last month, the FBI told Security Fix it was aware of just $85 million in attempted fraud, and $40 million in actual losses.
Have a question about these scams or anything else security- or tech-related? Join me at 11 a.m. Friday for another Security Fix Live online chat. Can't make it then, or can't wait to submit your question? No problem: Drop it in the queue right now.
Update, 4:23 p.m. ET: Added a mention of and link to the IC3's fraud loss estimates.
By Brian Krebs | November 4, 2009; 2:40 PM ET
Categories: Fraud, From the Bunker, Web Fraud 2.0 | Tags: ach fraud, money mules, zeus
I keep my banking password long and complicated. I change it every time I reformat & reinstall Windows on my laptop... which is three or four times per year.
As for Trojans, I kill them for a living, and I look for them constantly on my own machines. The almost-quarterly reformatting is just an additional precaution.
Posted by: williehorton | November 4, 2009 3:24 PM | Report abuse
Nice. Brian posts an update to a story involving money mules. And then this ad appears at the bottom...
$87/Hr Job - 132 Openings
No Scam. Realistic $87 Per Hour. No Schedule. Nice Pay.
http://www.USdreamJobs.com
I wonder if it's a job as a money mule? Definitely sounds too good to be true. (No way am I gonna click to find out.)
Posted by: dactyl | November 4, 2009 4:46 PM | Report abuse
Nice article, BK. It would be nice to see an article more about the FBI division that conducts these investigations: how and what they do, etc.
Posted by: dward__ | November 5, 2009 11:47 AM | Report abuse
It would be a better story if it included an explanation for the headline. What does 6-figure password have to do with it?
Posted by: dmk45044 | November 7, 2009 3:17 AM | Report abuse
Brian, I fight this kind of stuff for clients in my job at GuideMark Security http://www.guidemarksecurity.com
If you run into any stories in New England I would love to hear about them.
Posted by: fchaffin | November 10, 2009 8:02 PM | Report abuse










