This news comes from an advisory issued by the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center and the Internet Crime Complaint Center about the unauthorized wire transfers being routed to China. Most of the small-business victims hold accounts with community banks and credit unions, some of which use third-party service providers for online banking services.
So far, the 20 incidents tracked by the FBI total $20 million in fraudulent transfer attempts. Actual losses associated with fraudulent transactions, however, total $11 million. Phishing appears to be the point of entry for most of the attacks.
George Tubin, a fraud analyst at TowerGroup, says these incidents prove additional online authentication guidance from the Federal Financial Institutions Examination Council is needed now more than ever. [See FFIEC: Where is Authentication Guidance?]
"The proposed FFIEC supplement is required to keep small businesses and small institutions safe from advanced cyberfraud techniques," Tubin says. "These new techniques circumvent standard multifactor authentication technologies used by the majority of U.S. banks. The biggest tragedy with small-business cyberfraud is that the business entity is most often held liable for the losses, which can be debilitating for these small businesses." [See ACH Fraud Fight: Beyond Technology]
ACH Fraud: Not Going AwayThe ACH and wire fraud battle between small businesses and cybercriminals has been bloody. Often unprotected from and unaware of online security vulnerabilities, small-to-midsized businesses have in recent years been hit hard by online security breaches that lead to ACH and wire fraud, also known as corporate account takeover.
Fraud incidents have fueled a heated debate over liability between commercial customers and their banks, and was a catalyst for the FFIEC's review of an update to its 2005 online authentication guidance. [See Fraud Victim Favors Draft Guidance]
Michigan-based Experi-Metal Inc., which is awaiting a verdict in its suit against Comerica Bank for fraudulent transfers the bank approved, lost more than $25,000 to ACH fraud. The EMI case is the first major corporate account takeover incident to actually go to trial.
Other corporate account takeover victims include:
- Village View Escrow of Redondo Beach, Calif., which in March 2010 lost $465,000 to an online hack;
- Choice Escrow, which in November 2010 sued its bank, BankcorpSouth, alleging inadequate security measures;
- Hillary Machinery, which in January 2010 was sued by its bank, PlainsCapital Bank, after a legal battle over ACH fraud liability. The suit was later settled for undisclosed terms;
- The Catholic Diocese of Des Moines, Iowa, which in August 2010 lost $600,000 in fraudulent ACH transactions.
What Stands Out About the China TransfersIn this most recent wave of attacks being tracked by the FBI, the majority of attempted wire transfers have exceeded $900,000, though most have not been completed. The most successful wire transfers have fallen below $500,000. ACH transfers also have been initiated, typically ranging from $222,500 to $1.28 million.
The FBI also notes that ACH and wire transfers have been sent within the U.S. to money mules within minutes of conducting the overseas transfers. Domestic transfers to money mules have ranged from $200 to $200,000. The mules appear to be individuals who previously worked for the victimized companies.
"In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing e-mail or by visiting a malicious website," a joint statement issued by the FBI, FS-ISAC and IC3 states. "The malware harvests the user's corporate online banking credentials."
Zeus, Backdoor.bot, and SpyEye have been identified as being the malicious software behind some of the cases. One business hit by the attack reported the computer's hard drive was infected and erased remotely before the IT department could investigate.
Zeus is capable of stealing multifactor authentication tokens, allowing cyberthieves to log in to bank accounts with user names, passwords and token IDs. Backdoor.bot has worm, downloader, keylogger and spy ability. It allows fraudsters to remotely access an infected computer, deepening the infection by downloading additional malware from a remote server. And SpyEye, a backdoor Trojan, runs as a service process in the background, allowing unauthorized remote access to the compromised computer.
Avivah Litan, distinguished analyst at Gartner Research, says these types of attacks will keep coming, because financial institutions have failed to build adequate defenses. "These attacks are using the same techniques that have been used for a couple of years against business bank accounts and, more recently, against enterprise systems and security companies," Litan says. [See RSA Breach: A CISO's Action Items]
"It's unfortunate that the FFIEC still hasn't updated their guidance, because many banks are lagging in their efforts to institute layered security controls and fraud prevention methods that can stop much of the damage and most of the attacks," she adds.
Precautions and RecommendationsLitan recommends banks and credit unions implement secure browsing and out-of-band-transaction verification. "Banks need to act with a sense of urgency to get these in place," she says. "These can help stave off immediate threats and should be instituted within an overall fraud management framework that relies on basic fraud prevention principles, such as user and account profiling, that have generally stood the test of time."
The FBI says multiple companies, which usually include the name of a Chinese port city, have been used for the unauthorized transfers. These cities banking institutions should be on the lookout for include: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The official company names also include the words "economic and trade," "trade" and "LTD."
The fraudulent companies also appear to hold bank accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China and the Bank of China.
Wire transfers destined for any of those cities should be heavily scrutinized, especially when no prior transaction history to those cities exists for a particular business or public entity.
Suspicious incidents should be reported. Victims can contact the FBI directly or file a complaint online at www.IC3.gov.
The FBI's investigation is ongoing. The entity behind these unauthorized transfers has not been identified.