Internet banking security? It's "trivially vulnerable" against Zeus says researcher

In this latest incident, a Kansas car dealership lost $63,000 to the Zeus trojan, which apparently compromised the financial controller's Windows PC and created a fake payroll batch, siphoning funds from the dealership's account.

According to security researcher Brian Krebs, the thieves logged into the account within a matter of hours of a legitimate login, and "cased the joint a bit – checking the transaction history, account summary and balance – and then logged out."

They then waited until the next day to begin creating their own $63,000 payroll batch, by adding nine new 'employees' to the company's books.

"The employees added were in fact money mules, willing or unwitting individuals recruited through work-at-home job scams to help crooks launder stolen funds," says Krebs in his latest security blog, adding that the financial controller never received the confirmation email from the bank about the new batch, as the cybercriminals also had control over the controller's mailbox.

Krebs went on to say that, if a bank's system of authenticating a transaction depends solely on the customer's PC being infection-free, then that system is trivially vulnerable to compromise in the face of today's more stealthy banking trojans.

The former Washington Post security researcher goes on to say that this latest attack gets to the heart of why these e-banking thefts continue unabated.

"An attacker who has compromised an account holder's PC can control every aspect of what the victim sees or does not see, because that bad guy can then intercept, delete, modify or re-route all communications to and from the infected PC", he says.

"If a bank's system of authenticating a transaction depends solely on the customer's PC being infection-free, then that system is trivially vulnerable to compromise in the face of today's more stealthy banking trojans", he adds.

Krebs concludes that banks often complain that commercial account takeover victims might have spotted thefts had the customer merely reconciled its accounts at day's end.

But, he says, several new malware strains allow attackers to manipulate the balance displayed when the victim logs in to his or her account.

The good news is that the bank moved swiftly to trace and recall the stolen funds and managed to haul back all but $22,000 of the car dealership's money.

In addition, the bank has now changed its security procedures: confirmation emails are sent to multiple addresses, and the account's transfer limit is set to zero except on paydays, when the controller has to authorise the transaction from his home PC.

Krebs is critical of the enhanced security: "From where I sit, that's a ridiculous number of hoops to have to jump through to make a payroll every other week. Also, those changes don't address the root of the problem: They still succeed or fail based on an insecure mode of communication (email) that can be hijacked on the customer's end."

"What's more, these changes continue to push all of the security and authentication of the transaction out to the customer, which is always the weakest link", he noted.
