Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week.
According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams. When the mules pull the cash out of their accounts, they are instructed to wire it (minus a small commission) via services such as MoneyGram and Western Union, typically to organized criminal groups operating in countries like Moldova, Russia and Ukraine.
Steve Chabinsky, deputy assistant director of the FBI's Cyber Division, said criminals involved in these online account takeovers have attempted to steal at least $85 million from mostly small and medium-sized businesses, and have successfully made off with about $40 million of that money.
Normally, the FBI isn't eager to discuss losses, or even acknowledge the existence of specific cases. What's more, the agency is keen to avoid making any statements that might spook consumers or businesses away from online banking. But Chabinsky said the FBI is taking the unusual step of floating financial loss figures in order to grab the attention of those most at risk so they can adopt safeguards.
"We don't believe there's cause for a crisis of confidence in online banking, but we want to make sure we message this early before this becomes a much larger problem," Chabinsky told Security Fix in an interview Wednesday. "Our concern is that these numbers will grow if we don't educate people now to take precautions, and if we could nip some of this in the bud, not only will it lessen the problem, but it will serve as a deterrent to the extent the bad guys see this as an easy way to make money."
The FBI said the $40 million loss figure stems from some 205 cases that date back to 2004, though it declined to offer a year-by-year breakdown of those cases. Several bank fraud experts interviewed for this story said they were aware of very few reports of this type of cyber crime before the latter half of 2008.
"There may have been a handful of cases of this specific type of crime before 2009, but attacks like this and in this volume really only picked up toward the end of last year," said Rayleen Pirnie, senior manager for fraud and risk mitigation at EPCOR, a not-for-profit association that offers payment risk management education and training to financial institutions.
Companies that bank online enjoy few of the protections afforded to consumers. Individuals who have their online bank account cleaned out because of a password-stealing computer virus usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Businesses often are not so lucky and must take losses.
Chabinsky said businesses can insulate themselves from this type of fraud by doing their online banking from a dedicated, locked-down computer that is not used for everyday Web browsing or e-mail. That's because the malicious software that thieves use to steal online banking user names and passwords typically is installed when the recipient of a spam e-mail opens a poisoned attachment or clicks a link that leads to a booby-trapped Web site.
"What we're seeing is a trend towards [fraudsters] taking advantage of the weak link in the banking process, which is the customer," Chabinsky said.
While the biggest source of the vulnerability may reside on the customer's end, some fraud experts believe the perpetrators of this type of cyber crime are merely gravitating toward less obvious weaknesses in the commercial online banking system.
Avivah Litan, a financial fraud analyst with Gartner Inc., said many of the largest banks have taken a page from the credit card companies, investing heavily in anti-fraud solutions that look for transaction anomalies and other activity that may indicate a customer's account has been compromised.
But Litan said many companies being victimized by this type of crime bank at small and regional financial institutions that do not have fraud pattern detection technologies in place. Rather, she said, these institutions are relying on additional layers of customer protections, such as security tokens, approaches that can easily be subverted when the customer's computer is under the control of the thieves.
"Many [commercial] institutions aren't even looking at new anti-fraud technologies because they don't take the direct loss when their business customers get hit," Litan said. "Banks may be worried about the reputation loss from these kinds of incidents, but so far these attacks aren't widespread knowledge."
Last week, I wrote about Genlabs Corp., a Chino, Calif., chemical manufacturing firm that lost $437,000 last month after thieves broke into the company's bank account and sent transfers to roughly 50 different money mules. The attackers succeeded despite the fact that the company's bank -- California Bank & Trust -- requires the user to enter their password in addition to the output from a key fob that generates a new six-digit number every 60 seconds.
Genlabs was just one of 48 victims I have heard from or reached out to over the past five months. While not everyone was willing to tell me the name of their bank, those that did almost universally named local and regional institutions.
If you review the chart below -- which details how much the thieves tried to steal from each victim and how much they made off with -- you'll notice that several of the figures in the "amount unrecovered" column total $0. In nearly all of those cases, the victim banked at a very small institution, the kind where employees apparently still know their customers by name and by sight.
Take the case of Holdiman Motor, a car dealership in Cedar Falls, Iowa. Earlier this year, hackers tried to initiate a series of bogus payroll transfers totaling $60,000 to several individuals the company had never done business with before. Owner Tom Holdiman said the perpetrators failed because the company's bank -- Lincoln Savings Bank -- noticed that the timing of the transactions was unusual and alerted Holdiman's controller.
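The kind of transaction-anomaly check Litan describes, and the timing observation that stopped the Holdiman transfers, can be sketched as a few rules over an account's outgoing ACH batch. The following is an added illustration, not code from any bank or from this post; the transfer records, the $10,000 reporting threshold used as the "structuring" limit, and all tuning values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, payee, amount in USD).
# HISTORY is the account's normal twice-monthly payroll; BATCH is a
# hypothetical account-takeover run that mirrors the pattern in the article:
# a burst of sub-$10,000 transfers to payees the company has never paid.
HISTORY = [
    (datetime(2009, 8, 14, 9, 5), "acme-payroll-svc", 8200.00),
    (datetime(2009, 8, 28, 9, 10), "acme-payroll-svc", 8200.00),
    (datetime(2009, 9, 11, 9, 2), "acme-payroll-svc", 8200.00),
]
BATCH = [
    (datetime(2009, 9, 16, 3, 12), "payee-new-1", 9400.00),
    (datetime(2009, 9, 16, 3, 13), "payee-new-2", 9750.00),
    (datetime(2009, 9, 16, 3, 15), "payee-new-3", 9100.00),
    (datetime(2009, 9, 16, 3, 16), "payee-new-4", 9900.00),
    (datetime(2009, 9, 16, 3, 18), "payee-new-5", 9600.00),
]

def review_batch(history, batch, ctr_limit=10000.0, near=0.85,
                 window=timedelta(hours=1), min_hits=3):
    """Return a list of reasons the batch should be held for a human call-back.
    An empty list means no rule fired. Thresholds are illustrative assumptions."""
    reasons = []
    # Rule 1: structuring - several transfers sitting just under the reporting limit.
    near_limit = [a for _, _, a in batch if near * ctr_limit <= a < ctr_limit]
    if len(near_limit) >= min_hits:
        reasons.append(f"{len(near_limit)} transfers just under ${ctr_limit:,.0f}")
    # Rule 2: payees this account has never paid before.
    known = {payee for _, payee, _ in history}
    new_payees = {payee for _, payee, _ in batch if payee not in known}
    if len(new_payees) >= min_hits:
        reasons.append(f"{len(new_payees)} never-before-seen payees")
    # Rule 3: timing - every transfer initiated at an hour absent from history.
    usual_hours = {ts.hour for ts, _, _ in history}
    off_hours = [ts for ts, _, _ in batch if ts.hour not in usual_hours]
    if batch and len(off_hours) == len(batch):
        reasons.append(f"all transfers at hour {off_hours[0].hour:02d}, "
                       f"usual hours are {sorted(usual_hours)}")
    # Rule 4: velocity - a burst of transfers inside a short window.
    times = sorted(ts for ts, _, _ in batch)
    if len(times) >= min_hits and times[-1] - times[0] <= window:
        reasons.append(f"{len(times)} transfers within {times[-1] - times[0]}")
    return reasons

if __name__ == "__main__":
    for reason in review_batch(HISTORY, BATCH):
        print("HOLD:", reason)
```

Run against the constructed batch, all four rules fire, while a single on-schedule payroll transfer to the known payee produces no reasons; this is the decision a fraud desk or a bank employee who knows the customer would then confirm by phone.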
"With the other banks you're just a number," Holdiman said. "That's why we're with them."
In the 48 attacks I've confirmed since May, thieves attempted to steal more than $7.3 million from these organizations. In many cases, I was unable to learn how much victims had actually lost. A number of companies told me they did not want to be identified by name, and have not responded to requests for follow-up interviews. Some victim companies that spotted the fraud early enough were able to work with their bank to retrieve some or all of the stolen funds. Other victims recovered nothing, and are in various stages of suing their banks to recover some of the losses.
Nevertheless, it is clear that the stories published here have encouraged more and more victims to come forward. In the month of September alone, I learned of at least 20 previously unpublicized cases in which hackers tried to take a total of more than $3.3 million from small- to mid-sized organizations across the country.
Below is a chart showing the victim entities that I have confirmed over the past five months. That same chart -- including monthly and cumulative dollar loss totals -- is available in Excel and HTML format. Some victims are identified only by their industry or specialty to preserve their anonymity. If a victim's name is hyperlinked, readers can click the link to read a prior Security Fix blog post that includes mention of their specific incident.
By Brian Krebs