Brian Krebs has a story in Tuesday’s Washington Post about a new trend in the ongoing saga of Internet-based fraud. Apparently, criminal groups, many based in Eastern Europe, are focusing their attention on small- and medium-sized businesses in the US, and stealing electronic banking credentials in order to carry out fraudulent wire transfers.
In the past six months, financial institutions, security companies, the media and law enforcement agencies have all reported a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small- and medium-sized businesses.
The attack typically begins with an E-mail message sent to the corporate treasurer, controller, or other financial officer. The E-mail is typically tailored to the recipient and contains links to apparently legitimate Web sites. If the recipient clicks on a link, he is taken to a site that downloads and installs malware, typically a keystroke logger or other trojan designed to steal passwords and other credentials. With these in hand, the crooks initiate wire transfers from the target company’s account, often using intermediaries (sometimes unwitting ones) to disguise the ultimate destination of the funds.
The businesses involved often are embarrassed to report the fraud to authorities. Because they are businesses, they also lack some of the statutory protection that consumers have for electronic transfers.
This trend reinforces some security lessons that are by no means new.
- A sensitive function like money transfer should never be done from a general-purpose PC that may be used for E-mail, browsing, Facebook, online shopping, and goodness knows what else. It should be done using a workstation dedicated to that function, and that workstation should be carefully configured so that only software that is required for that function is installed; and its security configuration should be carefully monitored. (In his blog, “Security Fix”, Brian Krebs has some useful suggestions for this.)
- It should go without saying that anyone, whatever his or her position, who has access to money transfer facilities needs to be thoroughly trained in their secure operation.
- The systems used for these functions should be configured so that it is not possible for the user to install software.
It’s also important, if you work in a financial function, to make sure that you read and understand the rules that apply to your online banking activities. It should come as no surprise to anyone that banks have made significant investments in fraud prevention for their consumer banking operations, since the applicable laws and regulations make them responsible for losses in some cases. In the case of business accounts, the losses are usually borne by the account holder, and this externality means that the bank doesn’t care all that much.