
Banking trojan theft: stopping the bleeding of American business accounts

If you haven't yet had a chance to be truly frightened by a massive malware threat to businesses, consider this: business accounts are not regulated in the same manner as consumer accounts, which leaves businesses, not banks, holding the bag when fraudulent Automated Clearing House (ACH) transfers are initiated through malware such as the Zeus banking trojan.

Yes, that's right: CIOs and IT managers nationwide are realizing that their company's payroll could be pilfered by a malware-controlling criminal loafing at a cybercafe somewhere in the Ukraine or Romania, or even enjoying free stateside Starbucks Wi-Fi. And the bank won't even reimburse it.

A few months ago, the FDIC released plans to hold a symposium on combating cybercrime targeting small and midsize businesses. According to the FDIC, there has been an observable increase in this type of crime, resulting in millions of dollars in losses.

“FDIC Division of Supervision and Consumer Protection (DSC) Director Sandra Thompson said, "This program is intended to raise awareness to the potential threats to commercial payments and explore best practices and technologies available to mitigate this risk. Our analysis of Financial Crimes Enforcement Network's (FinCEN) Suspicious Activity Reports indicates that bank losses related to computer intrusion or wire transfer have increased as of last fall. We must do everything we can to keep electronic payments of all types safe."

These schemes—also known as "corporate account takeovers"—typically involve compromised access credentials to online business banking software that are used to make fraudulent electronic funds transfers (EFTs) through the automated clearinghouse (ACH) and wire payment systems. The illicit proceeds from these activities are often funneled through some type of fraudulent work-at-home scheme involving individuals who knowingly, or unknowingly, serve as "money mules" by forwarding funds to criminals outside the United States.”

One attendee was Avivah Litan, Gartner vice president and distinguished analyst, with 12 years at Gartner and 30 years in the IT industry. Litan's take was simple and direct:

“Depending on who you talk with, there is anywhere from one to several (probably less than 10) Eastern European gangs conducting these heists, which the FBI (perhaps inadvertently) said yesterday is costing banks and businesses hundreds of millions of dollars, while they investigate about 250 cases.”

Litan and others have been actively documenting the risks of business-account takeovers, which most business banking customers are simply not aware of. She hinted at an upcoming Gartner piece that will cover the threat analysis more thoroughly.

Litan's viewpoint is consistent with Brian Krebs' groundbreaking research as well as my own banking trojan research. She summarized the impact on business quite bluntly:

“So in the end, probably some 20 Eastern European hacker types have the U.S. banking industry up in arms while hundreds of small businesses, country governments, school districts and churches take a direct hit on their livelihoods when their bank accounts are raided. Many banks won't reimburse them because, until now, by law they are not obligated to.”

Cybercrime banking hard data: Hard to come by

My future analysis will include a deeper dive into the FinCEN SAR statistics. I'm currently investigating a spike that was reported back in 2003-2004 in California for both computer intrusions and wire fraud, as well as the massive over-use of the 'other' category, which skews any honest reporting of this banking issue. Feel free to supply your own hypothesis in the comments below.

Solutions: Banks, figure this out quick

A Gartner study discusses potential solutions within the banking industry's reach, including case studies on blunting the Zeus banking trojan with preventive server-side software. Supporting this viewpoint, in the past year I've attended several webcasts conducted by APWG member Dr. Laura Mather's Silver Tail Systems. Some of her recent guests included a research team tracking the JabberZeus cybercrime ring, as well as a friendly and technically savvy lawyer who weighed in on the ramifications of recent malware-driven banking thefts.

Scary stat of the week: the JabberZeus cybercrime ring is responsible for losses equal to those from all stateside bank robberies over the same 18-month period.

Five solutions CIOs want to know about: Harden the (accounting) target

These steps are targeted at the typical business. According to the FBI and FDIC, locking down one system, or using a dedicated system, for online account access improves your odds against malware-driven cybercrime. Harden the target:

  1. Ensure that the account used for access does not have administrative rights enabled, which could allow behind-the-scenes malware installation or 'click psychology' social engineering to lead the user into installing malware.
  2. Try using multiple browsers: one for a rich internet experience and another configured 'bare bones' with security completely locked down, including no plug-ins enabled. See US-CERT for steps.
  3. Ensure your AV protection is maximized and runs the deepest scan level possible. Also ensure that updates are scheduled regularly and frequently; for consumers this would be every fifteen minutes.
  4. Restrict physical access. Avoid conducting banking on a system that your teenagers or other staff at your company use to surf social networks. Believe it or not, most of my "Digital Native" and malware-savvy friends who become infected simply share the common denominator of teenage kids who click links like small children use sugar on cereal: at any time possible.
  5. Bank with a company that enables notification through multiple out-of-band methods such as email and SMS text. According to recent research, most consumers are savvy about notification working to their advantage against fraud, and businesses should follow suit: getting an SMS text detailing a fraudulent paycheck issued to Romania should ring some danger bells in time to prevent a massive onslaught of false paychecks raining down on global money mules.
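As an added illustration of what step 5 asks of the bank side (this is example code written for this article, not code from the original post, Gartner, Silver Tail Systems or any bank), here is a small Python sketch of a server-side check run over an outgoing ACH payroll batch before release. It holds entries that differ from a payee's history (a never-seen payee, a changed destination account, or an amount well above the usual net pay) and builds the short out-of-band notice the account holder would receive. The record layout, payee history, thresholds and sample batch are all constructed assumptions, not a real bank's data or rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AchEntry:
    """One credit entry in an outgoing ACH payroll batch (constructed schema)."""
    employee_id: str
    routing: str       # receiving bank's routing number
    account: str       # receiving account number
    amount_cents: int  # net pay in cents, to avoid float rounding


# Constructed payee history: employee -> (routing, account, usual net pay in cents).
# A real system would derive this from prior settled batches.
KNOWN_PAYEES = {
    "E100": ("021000021", "111222333", 250_000),
    "E101": ("021000021", "444555666", 310_000),
    "E102": ("011000015", "777888999", 180_000),
}

# Constructed batch submitted this cycle: one normal entry, one inflated amount,
# one payee whose destination account changed, and one employee id never paid before.
SAMPLE_BATCH = [
    AchEntry("E100", "021000021", "111222333", 250_000),
    AchEntry("E101", "021000021", "444555666", 980_000),
    AchEntry("E102", "067014822", "123123123", 180_000),
    AchEntry("E999", "067014822", "555000111", 920_000),
]


def check_batch(batch, known=KNOWN_PAYEES, ratio=2.0):
    """Return [(entry, [reasons])] for entries that should be held until the
    customer confirms them over a channel independent of the submitting PC."""
    flagged = []
    for entry in batch:
        reasons = []
        prior = known.get(entry.employee_id)
        if prior is None:
            reasons.append("payee never seen in prior payroll runs")
        else:
            routing, account, usual = prior
            if (entry.routing, entry.account) != (routing, account):
                # Mask the historical account; the notice may be read on a shared phone.
                reasons.append(f"destination changed from {routing}/****{account[-4:]}")
            if entry.amount_cents > usual * ratio:
                reasons.append(
                    f"amount {entry.amount_cents / 100:.2f} exceeds "
                    f"{ratio}x usual {usual / 100:.2f}"
                )
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def batch_total_cents(batch):
    """Sum of all credits in the batch, in cents."""
    return sum(entry.amount_cents for entry in batch)


def alert_text(batch, flagged):
    """Build the short out-of-band (SMS/e-mail) notice, or None if nothing was held."""
    if not flagged:
        return None
    details = "; ".join(f"{e.employee_id}: {', '.join(r)}" for e, r in flagged)
    return (
        f"PAYROLL HOLD: {len(flagged)} of {len(batch)} entries in a batch totaling "
        f"${batch_total_cents(batch) / 100:,.2f} need confirmation: {details}. "
        "Confirm or reject from a phone or computer other than the one that submitted the batch."
    )


if __name__ == "__main__":
    held = check_batch(SAMPLE_BATCH)
    print(alert_text(SAMPLE_BATCH, held))
```

Running the script on the constructed batch holds three of the four entries and prints one notice covering all of them. The design point is that the notice, and the confirmation it asks for, travel over a channel the banking workstation does not touch: a trojan that owns the browser session can rewrite what the screen shows, so an in-browser "please confirm" prompt proves nothing, while a text message to a phone does.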

Doing something is better than doing nothing. Let me know your thoughts on best practices – we're all in this together.
