An organisation representing more than 15,000 financial institutions has issued a warning about a growing wave of attacks against small banks and businesses by cyber criminals using stolen banking credentials to plunder corporate accounts.
In an alert to its members earlier this month, NACHA, the Electronics Payments Association said that attackers are increasingly stealing onine banking credentials, such as user names and paswords, from small businesses by using keystroke logging tools and other malware. The cyber criminals are using the stolen credentials to 'raid' and 'take over' corporate accounts and initiate the unauthorised transfer of funds over electronic payment networks.
NACHA oversees the Automated Clearing House (ACH) electronic payments network. A similar alert that was sent out confidentially last Friday to members of the Financial Services Information Sharing and Analysis Center, according to a story published in the Washington Post yesterday. According to the Post, the alert identified organised cyber groups in Eastern Europe as being predominantly responsible for illegally siphoning millions of dollars from corporate accounts and sent overseas via popular money and wire transfer services.
The Financial Services Information Sharing and Analysis Center was formed by major financial services firms to share information about potential physical and cyber threats to their companies.
NACHA's alert said that the cyber crooks are apparently targeting small businesses because of their relative lack of strong authentication procedures, transaction controls and "red flag" reporting capabilities.
In some cases, the alert said, attackers are tricking small business workers into visiting phishing sites with the same look and feel as their company's financial institution, where they would log on using their credentials.
In other instances, keystroke loggers and data stealing malware programs are downloaded onto corporate systems via e-mail attachments, and then used to capture bank account credentials as they are entered into a financial institution's Web site.
Some of the malware tools are capable of alerting the perpetrators when a victim has logged into the Web site of a financial institution. The tools fool the user into thinking the system is not responding while the perpetrator quietly conducts transactions in the user's name, the alert noted.
In a "worst-case scenario" such compromises could lead to a complete takeover of a business account, NACHA said. "To the financial institution, the credentials look just like the legitimate user," the NACHA alert said. Thus the attackers can gain access to all account details and activity. The crooks use the confidential credentials to quietly transfer funds to accounts set up by accomplices and unwitting "mules." Ultimately the stolen funds are often sent to accounts overseas.
Because of a relative lack of account monitoring at many small businesses, the unauthorised transfers often go unnoticed until it is too late to stop them, NACHA said.
NACHA did not respond to requests for comment on its alert. Nick Holland, an analyst with Boston-based Aite Group LLC, which focuses on the financial services industry, said the theft of banking credentials from small businesses have been an ongoing issue for some time.
But the use of the ACH network to illegally transfer substantial amounts of money out of corporate accounts in particular is a growing issue, he said. A survey of banks by Aite last year found potential ACH to be a primary security concern, Holland said. Criminals are targeting electronic payment networks because many businesses, especially smaller ones have relatively few controls for preventing misuse of ACH facilities to transfer funds out of an account, he added.
While financial services companies have put considerable emphasis on fighting credit and debit card fraud, there has been somewhat less of a focus on implementing the same kind of controls on electronic payment channels, he said. For instance, while an unusually large credit card transaction might trigger a fraud alert, a crook could initiate a similar ACH transaction without anyone "batting an eyelid" in many cases, he said. Once an attacker gains access to a company's banking credentials, transferring money out its corporate account using ACH transfers is not overly difficult, said BC Krishna, CEO of Memento Inc. a Concord, Mass.-based company that provides fraud detection services to financial firms. In fact, a harder task for those behind such thefts often is finding accomplices and 'mules' willing to receive the stolen funds, he said. Many of the firms targeted in such attacks do not know how to defend themselves and have few mechanisms for detecting the theft when it occurs, he added.
Some of the malware tools used in such thefts have become increasingly increasingly sophisticated, allowing users to remain undetected while stealing the credentials, said Joe Stewart, director of malware research at SecureWorks Inc.
He cited tools like the especially virulent Clampi Trojan, which is believed to have infected tens of thousands of systems worldwide. The Clamp Trojan is designed to infect a machine and then push itself out to every other machine on a domain via a legitimate Windows administrative tool, he said.
Some tools are capable of using the victims' own browser to carry out a transaction, making the bank systems think they are dealing with a legitimate user, he said. Victims can get infected by such Trojans simply by visiting Web sites where the malware has been planted, or via e-mail attachments and even instant messaging systems, he added.
Companies that want to mitigate the risk of such theft need to ensure that ACH and wire transfer payments are always initiated under dual controls, NACHA said in its alert.
The organisation also recommended the use of strong two-factor authentication to make it harder for someone to gain unauthorised access to an account. Alerts on unusual activity--such as the sudden transfer of money to newly created accounts, or a sudden increase in the number of transactions in an account -- can also help flag such fraud early, Krishna said.