Finding more resistance than ever from large businesses, hackers are customizing their malware ploys for SMBs, reports Dan Kaplan.
Two years ago, the vice president of human relations at Texas Trust Credit Union (TTCU), a 60,000-member business in the Dallas area, received an unexpected email from a law firm. Attached was a complaint letter.
Sensing something may have been amiss and having been trained to be on the lookout for questionable messages, the employee right-clicked on the attachment, where he was able to determine that the document was no complaint letter at all – it actually was a malware-laden ZIP file disguised to look like a PDF.
“What the scary part of it was, our anti-virus software didn’t detect anything malicious about the threat,” says David Naylor, 29, TTCU’s IT security coordinator. “And our email filter at the time didn’t have any concept of how to handle it.”
Nobody else at the company received the phishing email, prompting Naylor to determine that the HR director was singled out because of his role in dealing with confidential data.
“That could have been very nasty,” he says. “We would’ve had a piece of software logging keystrokes. You can imagine all of the sensitive information a person in that position might type in on a daily basis, and who knows where that could’ve been sent to.”
Little did Naylor realize at the time, but the near-breach was just a precursor to the full-on assault of sophisticated and often undetectable attacks now threatening – seemingly at random – some of the 25 million small and mid-sized businesses (SMBs) nationwide. More than two years removed from the incident at TTCU, the SMB space has become a bonafide gold mine for the web’s most unsavory inhabitants.
Monster breaches, such as at Heartland Payment Systems, may have dominated the headlines over the last 12 months, but if 2009 is to be remembered for anything, perhaps it should be recalled as the year when skilled cybercriminals began pillaging the little guy of tens of thousands of dollars at a time. The most alarming part? Most of the victims do not even realize they have been hit until it is too late.
Wire fraud tops $100 million
The FBI currently is investigating more than 215 cases of what is known as Automated Clearing House (ACH) Network fraud, by which hackers infect SMBs, local government agencies and school districts with data-stealing malware, typically the Zeus or Clampi trojan botnet, says Melissa Horvath, supervisory special agent, FBI. Nearly all of the cases happened this year, and many more likely have gone unreported.
The crooks target only those employees responsible for online banking duties by delivering to them a socially engineered email that contains malware designed to hijack banking login details, Horvath says. (Cybervillains fancy school systems as targets because the contact information for their financial officers is easily found on district websites.)
The culprits then use the stolen credentials to immediately sign in to the victim’s bank account – the trojan allows the vandals to look as if they are coming from the organization’s legitimate IP address – with the goal of wire transferring out large sums of cash, Horvath says. The funds are deposited into the accounts of money mules, individuals typically recruited through work-at-home scams, but who actually serve as launderers. The mules keep a small percentage of the funds as a commission and forward the rest to the scam’s orchestrators.
The attempted losses to SMBs have amounted to a staggering $100 million, Horvath says, and the number is steadily growing by the day. Many organizations fail to uncover the theft for many days due to poor anti-virus detection rates, their limited staff and because they see no need to constantly monitor their ACH accounts, which usually only are used for payroll direct deposits.
But experts say online banking fraud is the greatest cyber-risk facing many of today’s businesses. And, arguably, it could not have come at a worse time for SMBs. With the nation buried beneath the worst economic recession since the Great Depression, many are finding themselves in a taxing position, where even the slightest additional cost could mean significant harm to their bottom line. The enforcement of at least two security regulations – the Massachusetts data security law, which has an encryption provision, and the Federal Trade Commission’s Red Flags Rule – have been put on hold to assuage small business owners concerned the requirements are too burdensome and pricey.
Few, though, can deny that the cyberthreat facing America’s SMBs is real.
“As larger enterprises have become better defended, cybercriminals are moving down the business food chain,” says Michael Kaiser, executive director of the nonprofit National Cyber Security Alliance (NCSA). “Criminals are looking for what’s the easiest door they can break down to get the stuff they want.”
This, however, does not seem to be translating into executive awareness and resource allocation. A recent NCSA study of 1,500 small business owners found that slightly more than half check their computers on a weekly basis to determine whether their security solutions and operating platforms are up to date. Meanwhile, only 35 percent provide cybersecurity training to employees, 28 percent have an internet security policy in place and six percent fear the loss of customer information.
“[SMBs] are becoming increasingly dependent on the internet,” Kaiser says. “Yet they haven’t integrated security into the culture of their business, and that’s going to make them vulnerable.”
No immunity from attacks
Texas Trust Credit Union has 180 employees and $500 million in assets, but the company does not consider itself immune from the same risks facing its larger financial brethren.
Naylor says the main defenses the institution deploys to combat modern-day digital perils are web filtering and employee training. In addition, TTCU has dedicated IT personnel and expertise to throw at the threats, something organizations of similar sizes cannot always do.
“I get feedback from some credit unions and I know a number of them don’t have the staff we have,” Naylor says. “I’ve met some people who represent credit unions and they have one part-time staffer. Give me a break. What’s their security policy going to look like?”
Naylor is well aware that criminals commonly craft their “blended” attacks – emails that contain a link to a malicious website – around hot news and other popular trends. Since the attempted intrusion on the HR director two years ago, TTCU has significantly tightened its rules around emails. Consequently, roughly half of all messages sent to employees now get quarantined. Members of the IT department take turns on “spam filter duty,” in which they manually review – and possibly release – the emails that find their way into the trapped folder.
In the 30 days spanning the last week of October to the last week of November, TTCU received 51,045 messages that avoided the quarantine. But 48,796 were isolated and analyzed, with roughly five percent actually turning out to be malicious. Employees do not complain much, Naylor says, but if they are waiting on an urgent email, they are encouraged to notify the IT department beforehand, so it never spends any time in quarantine.
“These days, all criminals do is send you a link and they say to click here and you go to a website and it can infect your computer,” Naylor says. “It’s very hard to defend against that. Manual review is definitely a tool in our arsenal that we wouldn’t be able to give up easily. I will see something that is clearly malicious that anti-virus didn’t pick up on.”
Gerhard Eschelbeck (left), CTO of Webroot Software, provider of web and email security for TTCU, says that between September and October, the amount of emails containing a malicious attachment doubled for its customers.
Phishers often use U.S. government agencies as the faux sender to heighten the legitimacy of their chicanery. Cleverness is the name of the game. In one recent campaign, the malware authors actually crafted their emails to appear as if the targeted individual had already fallen for the ACH scam and thus needed to download a bank transaction report for additional details. The report was actually the Zeus trojan.
“The number one concern for companies in the SMB space is the malware vector,” Eschelbeck says, “and therefore protection really is crucial here. A lot of the larger organizations have obviously implemented some form of security layers. The SMBs are really where it’s just about to start. They are significantly more exposed than bigger companies.”
TTCU also relies on regular employee training and the message of security appears to be getting across to end-users, as evidenced by the HR director’s wherewithal not to install the malicious executable.
“If end-users don’t protect themselves, and they don’t know what they’re doing, it doesn’t matter what technology you have in place,” Naylor says. “With a single click, they can undo all of the technology.”
Kaiser of NCSA says SMBs do not need a great deal of investment to get secure, pointing out that integrated product suites and updated browsers and operating systems should provide core protection.
Meanwhile, some SMBs are opting for cloud or managed security service provider (MSSP) models, in which organizations don’t need to maintain technology on their own servers and can outsource the responsibility.
Steve Harris, vice president of managed services at network security firm StillSecure, says many SMBs believe they can implement security more cheaply on their own or are unaware of third-party options.
“All of that weight comes down on the internal people, and they just don’t have that expertise,” Harris says. “You can’t be a slave to too many masters. When it comes down to it, security is so specific and ever-evolving every day. That extra level of comprehension into what it takes to secure themselves is not available.”
TTCU uses Webroot, which is an on-demand offering. Security is considered integral to the credit union’s operations, though the size of the organization and the current state of the economy limits expenditures. “We can’t always buy the shiny new product,” Naylor says. As a result, the company also leverages a number of free, open source offerings, such as the Snort intrusion prevention system.
TTCU’s security posture seems to be paying off. In his five years as IT security coordinator, Naylor says there has never been a successful hack.
“It doesn’t matter if we’re small,” he says. “It doesn’t make us less of a target. If someone is trying to spread a botnet, they don’t care if you’re small or not, they just want to get in.”
Can SMBs shift the blame?
Not all small businesses have been so fortunate. Last May, Sanford, Maine-based Patco Construction, a 20-employee general contracting firm, got a dose of reality: Hackers do not discriminate based on size.
Each night over the course of a week, remote intruders illegally accessed Patco’s corporate bank account to pull out $100,000. Mark Patterson, the co-owner, did not learn of the theft until he got a paper notice delivered to his home that stated one of the accounts into which the hackers tried to transfer the money was bogus. When the dust cleared, the cybervandals had made $588,000 in illegitimate ACH transfers. Patco’s depository, Ocean Bank, which is owned by People’s United Bank, reversed $243,000 of the stolen cash. Patco is suing the bank for the rest. A People’s spokesman declined comment citing the pending litigation.
Banks are not liable to reimburse business customers for fraud losses as they are for consumers. Experts say there is no real reason why the same protections do not exist for businesses. It just seems that organizations did not start becoming common bank fraud victims until this year – and regulations are lagging.
“From an economic perspective, there is no doubt this money loss hurts a small business,” Patterson says. “We’re just trying to dig ourselves out of the economy. With this added on, it’s a tremendous burden.”
A forensic investigation did not reveal a cause of the Patco breach, but Patterson says he was told by Secret Service officials and bank investigators that a keylogger trojan is likely to blame.
“We weren’t really aware of this type of thing occurring,” Patterson says. “As soon as we found out, the bank was as blown away as we were.”
Now, Patco has stopped using the ACH network.
“The only thing we were using it for was payroll because so many of our employees asked for automatic deposit on their paycheck,” he says. “Now we’ve totally suspended any ACH activity, so everybody is getting a check. We’re offline. We aren’t doing anything.”
Paul Henninger, director of fraud solutions at Actimize, an enterprise solutions company for anti-money laundering, says more than half of the nation’s top 20 banks have contacted his company over the past several months to learn about solutions to detect fraudulent transactions. He says criminals now realize they can get away with heists worth tens of thousands of dollars, or more, by going after organizations as opposed to individuals.
Banks, as a result, must respond by implementing strong behavioral detection controls, Henninger says.
“It’s not reasonable to expect that every single small business customer is going to remember every time to do the right thing,” he says. “All it takes is one time for a small business to get some type of malware or trojan affecting their network and leading to a fraud attack.”
Avivah Litan (left), a Gartner analyst, says in a recent research note that financial services firms should implement strong user authentication, fraud detection and “out-of-band” transaction verification, such as calling a user on the phone to confirm an action. In addition, banks should consider providing customers with tools that allow their banking sessions to be locked down in virtualized environments.
Thankfully, at TTCU, where most of its members are individual users, the company has not had to deal with any falling victim to unauthorized wire transactions. But just a few months ago, some of its customers received cell phone text messages claiming to be from a bank with a similar sounding name, asking recipients to call a phone number and enter debit card information. Some fell for the scam, known as vishing.
TTCU makes it a point to inform its customers, through website and newsletter alerts and on lobby TV monitors, about the latest threats, Naylor says. Education, just as it is for employees, is paramount.
“If the members don’t fall for it, the attacks don’t work,” Naylor says.
INDICATORS: Signs of a malicious message
Here are four tip-offs that the email in your inbox may actually be a source of malware infection.
Highly personalized: The email targets a specific person and appears professional in design.
Sender appears trusted: The phisher spoofs the email to make it appear as if it coming from a legitimate sender.
Subject line is timely: The messages appear topical, referencing business-related actions, pop culture or other trends.
Call to action: The emails are creative and contain an attachment or a link to a website.
Source: Gerhard Eschelbeck, CTO, Webroot
Tips for SMBs: Avoid data-stealing malware
- Create an internet use policy
- Train employees
- Implement a web content filter
- Keep anti-virus solutions updated
- Reduce privileges
- Deploy application whitelisting and heuristic detection
- Consider dedicating a PC only for online bankin, not for surfing or email