Cyberthieves loot SMBs, transfer millions to firms in China, FBI warns

Some U.S. companies may unwittingly be funding businesses in China to the tune of millions of dollars.

An alert ( pdf format ) from the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) this week warned U.S. small and medium businesses (SMBs) to be on the lookout for online account takeovers and fraudulent Automated Clearing House (ACH) transactions.

The warning stems from a rash of recent incidents in which online bank accounts belonging to SMBs were hijacked and money from them was stolen and transferred to accounts apparently held by several legitimate businesses in China's Heilongjiang province along the Russian border.

Between March and April, the FBI identified at least 20 incidents in which cybercriminals compromised the SMBs' banking credentials of SMBs, such as usernames, passwords, or authentication tokens, and used them to electronically wire money to accounts held by "Chinese economic and trade companies," the alert said.

The illegal wire transfers have ranged from $50,000 to $985,000, with the majority being involving sums or more than $900,000.

Many of the companies that have received the money are registered in port cities such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The companies appear to be legitimately registered businesses and typically have accounts at the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China, the alert said.

So far, the break-ins have siphoned $11 million out of SMB accounts. In all, the crooks have attempted to steal $20 million in the past month from SMBs, the alert warned.

Such online account takeovers are not new. The FBI, the FS-ISAC, and NACHA, the body that oversees the ACH network, issued a similar warning in the fall of 2009.

At that time, the FBI said several new cases were reported weekly. In most instances, the crooks used sophisticated keystroke logging and Trojan horse programs to steal login credentials from company employees authorized to initiate funds transfers on behalf of the business, the FBI had noted in that alert.

The same warnings were repeated in this week's alert. The alert noted that the malware used in the recent attacks had not been identified in all cases, but at least some instances involved the ZeuS banking Trojan, Backdoor.bot keylogger, and Spybot, an IRC backdoor Trojan.

In addition, one victim reported being hit with a malware program that allowed the hackers to completely erase the hard disk of the infected computer before any investigations could be done, the alert said.

The FBI alerts urged banks to notify customers if they notice any wire transfers destined for Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning.

Avivah Litan, an analyst with Gartner, said that banks need to do more to mitigate such attacks, especially since they are in a better position to tackle the problem.

"These attacks are using the same techniques that have been used for a couple of years against business bank accounts and more recently against enterprise systems and security companies," Litan said. "The attacks keep coming, because most banks have yet to build up sufficient defenses," she said.

There has been speculation that the Federal Financial Institutions Examination Council (FFIEC), a standards-setting body for financial institutions, could soon require banks to implement stronger forms of user authentication, but no action has been taken.

A Gartner survey conducted in February found that many banks continue to rely on "crude" security measures, such as cookies and secret questions, to protect online accounts, Litan said.

"Nearly two-thirds of the surveyed banks manage their fraud detection and customer authentication projects by committee, which means 'it's always someone else's responsibility.' It should come as no surprise, then, that the attacks are succeeding."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Read more about financial services in Computerworld's Financial Services Topic Center.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

• Bookmark this page
• Share this article
  •  
  • facebook
  • slashdot
  • digg
  • Reddit
  • stumbleupon
  • linkedin
  • twitter
• Got more on this story? Email CIO
• Follow CIO on twitter

• Share
  Share this article

  •  google+
  • facebookfacebook
  • slashdotslashdot
  • diggdigg
  • RedditReddit
  • stumbleuponstumbleupon
  • linkedinlinkedin
  • twittertwitter
• print
• email
• Bookmark