Commercial E-Banking Fraud: No Withdrawal

Banks and other financial institutions have long lived at the center of electronic attackers’ crosshairs, but campaigns specifically aimed at ripping off commercial banking institutions and their customers are causing serious problems of late, according to security researchers.

In looking more closely at several highly publicized incidents and assessing trends in recently observed cybercrime activity, experts with fraud prevention software specialists Guardian Analytics maintain that there is growing evidence that attackers are targeting commercial banks and their customers on an increased basis and with a proven level of success.

Sophisticated social engineering and malware attacks, and calculated gaming of the electronic transaction processes used by banks and their business customers are combining to fatten attackers’ pockets and leave both the financial institutions and clients holding the proverbial bag, researchers said.

“[We’ve] been tracking an alarming sophistication in the schemes and methods employed by fraudsters to extract both data and dollars from online business accounts. Business banking is being targeted more frequently because criminals know that these transactions typically involve larger dollar transfers from larger balances than from individual accounts,” the company said in an advisory.

And even though the ultimate target is larger transactions, many of the criminals are smart enough to steal in increments small enough (under $10,000) to avoid setting off automatic alarms that demand closer inspection of transactions before they can be processed, according to the vendor.

Small business banking is becoming a significant focus in particular based on the fact that those organizations typically have fewer defenses and dedicated security staffers when compared to their larger brethren. And attackers have become so adept at pulling off the schemes that they’re also frequently capable of using compromised endpoints with legitimate access to internal transaction systems to carry out their capers, Guardian Analytics contends.

Incorporating the help of less sophisticated criminals or unsuspecting third parties is helping the attackers to cover their tracks.

“The malware is sometimes so well written that the connection comes from an authorized and authenticated computer – a legitimate computer and session that has been hijacked, circumventing even token-based authentication. The fraudsters understand the intricacies of the online business banking platforms and the money is then transferred to money mules recruited over Internet job boards who unwittingly think they work for a legitimate company,” the report claims.

In terms of proving its assertions, Guardian points to activity including the publication of warnings around such threats in late 2009 by entities including the FDIC, NACHA, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and IT advisory firm Gartner. The Senate Committee on Homeland Security and Governmental Affairs has also held special hearings to discuss the targeting of small- and medium- sized businesses by cyber-criminals.

And in addition to the prospect of covering customers’ losses, banks who are victimized face the potential of costly lawsuits brought by angry clients. For instance, as highlighted in the report, The Washington Post has written stories about a Maine construction firm that is suing its local bank after cyber thieves stole over $500,000 from its coffers in an online heist. The case contends that the bank should have been able to identify and stop the thefts before they occurred.

“Aggressive and adaptable cyber criminals have elevated online fraud to be a significant risk to business customers from revenue, legal and public relations perspectives,” the experts said. “For your institution, the threat of lost customers or worse – business victims that have filed suit against their banks – should give pause to reexamine your fraud prevention strategy.”

I’d bank on this type of data opening some people’s eyes.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.