In recent months, small and mid-size U.S. companies have increasingly fallen prey to organized Eastern European cyber-criminals, according to a recent report in the Washington Post; due to the extent this multimillion dollar crime spree has taken on, the largest U.S. financial institution have started to get worried.
The Financial Services Information Sharing and Analysis Center, an industry task force focused on sharing data regarding critical threats affecting the financial sector, last Friday provided a confidential alert to its members, notifying them that “in the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses.”
While these smaller targets typically garner less attention than the higher profile, large scale breaches at government agencies and huge retailers, some firms still end up with sizable losses in the hundreds of thousands or even millions of dollars, according to the industry group.
According to the advisory, the infiltration method employed by the scammers is quite similar in a lot of cases: A targeted email containing a malicious attachment or a link is sent to the controller or treasurer of the company which upon opening install malware designed to steal passwords. Once said credentials have been obtained, funds are withdrawn with the help of “money mules” and sent to Eastern Europe via a series of wire transfers, typically each below the $10,000 threshold that would trigger banks’ statutory anti-money-laundering reporting.
The Treasury Department’s FinCEN (Financial Crimes Enforcement Network) division indicated a 58 percent rise in suspected wire transfer fraud incidences reported by banks, but experts believe the actual figures to be considerably higher given that a lot of incidents go unreported.
Business owners and operators should bear in mind that they are not subject to the same online banking legal protections as consumers. Where consumers tend to have a 60 day period from the receipt of a monthly statement during which they can dispute unauthorized charges, companies banking online are subject to the Uniform Commercial Code which provides approx. for a mere two business days to identify and dispute unauthorized activities.
As a result, few commercial banks have invested in back-end technologies for detecting fraudulent or unusual transaction patterns for businesses, according to Avivah Litan, a Gartner Inc. fraud analyst, who points out that “banks don’t spend the same resources on the corporate accounts because they don’t have to refund the corporate losses.”
While the FBI is investigating some of these cases and working to stem the problem in general, you should make sure that you have applied due diligence in protecting your computers, networks and other assets, e.g. through a defense-in-depth approach including up-to-date firewall, anti-virus, anti-spyware and anti-phishing as well as by assuring that both your operating system and all the applications are up-to-date with respect to available bug fixes and security patches.
As Digital Forensic Examiner of the Year Award holder Rob Lee pointed out in a SANS NewsBites guest editor comment:
We are seeing a lot of these. There are three contributing reasons they are growing so fast:
- Low threat of arrest in these “safe havens,”
- High payout for the crime, and
- Victim sharing data on these attacks has been minimal.
The attacks are amazingly simple and the amount of money taken is large. The firms do not know how to protect themselves. In some cases where credit card theft has occurred, they have had to shut down because they lost the ability to process credit cards. Small businesses are being affected greatly by poor security practices. It isn’t a risk issue. It is a survival one.
If you would like our help in protecting your systems and assets, or to deal with an incident, contact us today.
