Bank firewalls cracked by cyberhackers
By Joseph Menn in San Francisco
Published: December 11 2009 19:47 Last updated: December 11 2009 19:47
For more than a decade the common currency among cybercriminals has been pilfered credit card numbers, but some underground hackers have learned how to drain money directly from corporate bank accounts.
There has been a big rise in such frauds, raising the stakes in the war between financial institutions and criminals and costing some bank clients half a million dollars – or more.
The cyberhackers “are clearly ahead of the defence in terms of antivirus solutions, firewall solutions, etc,” Jeffrey Troy, chief of the FBI’s cybercrime section, told the Financial Times. Online bank thefts in 2009 had seen “a very dramatic increase from past years”.
Law enforcement warnings, recent reports from private security experts and lawsuits are focusing attention on the issue. Some professionals, citing the ongoing boom in virus infections through such social networks as Facebook and Twitter, fear the trends could combine in 2010.
Mr Troy estimated that criminals took about $40m from bank accounts this year, primarily targeting the small and mid-sized businesses that are themselves customers of small and mid-sized banks.
Such banks and their clients were less likely than their biggest competitors to have the highest-grade security procedures.
Targets have fallen victim to “spear phishing” and other tricks. In spear phishing, a misleading e-mail, instant message or social networking communication is aimed at one company or even a single person within that company, frequently a top executive. The message can be tailored convincingly with details of interest to that individual.
As with many generic phishing attacks that go to millions of users, the point is often to get the recipient to click on a link that installs software for surreptitiously logging keystrokes, so that passwords and account numbers can be recorded and transmitted over the internet to the hacker.
Aiming at small groups means that security programs that look for copies of previously reported attacks are less likely to recognise the software.
One of the most prevalent programs for stealing banking passwords, Zeus, can be bought and modified by anyone for about $700, Cisco Systems said in an annual security study released this week.
Through both phishing and silent installs via compromised websites, Zeus has landed on some 3.6m machines. Another virus, URLZone, can rewrite online banking statements so that pilfered money does not appear to be missing.
Some businesses have lost hundreds of thousands of dollars to thieves employing such tools. While banks typically indemnify consumers for online fraud losses that are spotted quickly, they can take a harder line against corporate clients. Such disputes are coming into the open with the first lawsuits over banking breaches.
This month a Baton Rouge equipment seller called JM Test Systems sued US bank Capital One. The suit says JM Test noticed an unauthorised $45,640 wire transfer to a Moscow bank a day after it went through.
Although the company complained immediately and Capital One pledged to investigate, it allegedly failed to freeze the account and a second fraudulent withdrawal of $51,556 went through six days later. The bank has refunded less than $8,000 of the losses, according to the suit, which accuses Capital One of having unreasonably lax procedures. The bank declined to comment, citing the litigation.
Banks were modifying their systems, said Mr Troy, but they had problems with authenticating account holders.
The same problem exists on the internet – and has been exacerbated by the trend toward shortened web links that deliberately compress – and disguise – the addresses of websites as they are passed along in e-mails or other messages.
Many social media users placed such trust in material posted by friends and colleagues “that they don’t stop to consider the dangers of clicking on an unidentifiable link”, Cisco found.
Copyright The Financial Times Limited 2009.