Consider first the impact of malware-driven cybercrime in this FBI issued warning to business bank account holders:
Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts." (FBI statement, December 2009)
It is my belief that determining the scope of the threat is critical information for all CIOs and IT managers because any effort at risk mitigation of the banking trojan threat must include the price of failure.
Within the Cybercrime Corner here at SC Magazine, I've opined on the cost of in actual dollars, sweat equity of the victimized business owners, and the community impact.
Rude awakening or grassy knoll gunman / tinfoil hat crusade?
Gartner VP Avivah Litan has also been following this banking trojan trend and recently blogged about attending the FDIC's one-day symposium held earlier this year. Her August 2009 warning included this summary:
Criminals frequently target business bank accounts that cash managers handle on behalf of small businesses, school districts, county governments and other similar organizations.
Criminals raid these accounts for millions of dollars (no estimates are available for the total amount of money stolen, but Gartner believes it could be very large) by planting trojans on user desktops to steal account credentials and transfer money to criminals' accounts.
Especially problematic aspects of these incidents include:
- Lack of disclosure by banks to shareholders and account holders, who must learn about these incidents from media reports
- Criminals' practice of targeting business accounts, which are typically larger but enjoy less protection under the law than consumer accounts."
We'll explore some potential solutions in the next article.
If you can't wait that long, then check out the first article I've written on the topic.
Thanks to the efforts of all banks as well as the transparency of FinCEN, anyone can download the FinCEN Suspicious Activity Reports in Excel format here:
http://www.fincen.gov/news_room/rp/sar_by_number.html (within the PDF click the .xls links)