Corporate bank accounts targeted in online fraud
by Elinor Mills
Criminals have tried to steal an estimated $100 million
from corporate bank accounts using targeted malware
and money mules, the FBI said on Tuesday.
"Within the last several months, the FBI has seen a
significant increase in fraud involving the exploitation
of valid online banking credentials belonging to small
and medium businesses, municipal governments, and
school districts," the agency said in a statement.
The FBI is seeing, on average, several new victim complaints and cases every week, according to a
report prepared by the Internet Crime Complaint Center and linked to in the FBI release.
Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses
from online fraud involving malware and money mules at around $40 million. Krebs is keeping a
running list of businesses who have been victims of online theft and detailing the attacks.
Here is how the typical scam works. The criminals may find contact information and an
organizational chart of a business online, as well as information about who handles the financial
transactions for the company or agency. So-called "spear phishing" e-mails are sent to the
employees who can initiate funds transfers, either wire transfers or transfers through the Automated
Clearing House (ACH) system.
The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or
link is opened, the malware containing a key logger is installed on the recipients' computer. The key
logger harvests the user's corporate online banking user name and password and creates another
account using that information or initiates a fund transfer masquerading as the authorized user.
The money is typically transferred into accounts opened by willing or unwitting people, known as
"money mules," who then forward the deposits overseas. Usually, increments of less than $10,000
are transferred to avoid currency transaction reporting. The money mules are recruited through
"work from home" ads or contacted after placing resumes on employment Web sites.
In several cases, banks did not have proper firewalls or antivirus software to protect against such
attacks, the FBI said.
Current signature-based anti-virus programs are increasingly ineffective and companies should also
consider using heuristic detection, application white listing that allows only known software and
libraries to execute on a system, and reducing user privileges, the report advised.
Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial
institutions about the increased use of money mules in unauthorized electronic funds transfers.
03 NOVEMBER 2009 Page 1
"Money mule activity is essentially electronic money laundering...," the FDIC statement said.
Criminals are shifting their focus to stealing online bank credentials from businesses instead of
consumers because there is more money in the corporate bank accounts to plunder, according to
Amit Klein, chief technical officer of browser security vendor Trusteer.
"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and
being detected by a bank's anti-fraud systems which look for anomalous or unusually large
withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do
not have any better browser security mechanisms than consumers to protect their banking
credentials from being stolen.”
03 NOVEMBER 2009 Page 2