Large-scale spam campaigns lead to online banking heists

Citing research from Commtouch, the Krebs on Security newswire researcher says that these fake lures were mailed out during the week of September 19, even though the sent date on the message says August 3.

Symantec, meanwhile, he adds, reports that it detected an unprecedented jump in spam blasts containing polymorphic malware - malicious software that constantly changes its appearance to evade security software.

“One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services”, says Krebs in his latest security posting.

Using NACHA’s name as bait, says the former Washington Post security reporter, is doubly insulting because victims soon find new employees - money mules - added to their payroll. After adding the mules, he notes, the thieves then use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds – less a commission – overseas.

Krebs says that, on September 13, cybercriminals stole around $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama.

John Ziak, director of information technology at the center, told the researcher that he suspects the organization’s accounting firm was the apparent source of the compromise. This suggests, he notes, that other clients may also have fallen victim.

According to Ziak, the bank was able to block some of the fraudulent transfers, but it was too soon to say how much the thieves got away with.

“We still don’t know how much is going to be coming back”, Ziak told Krebs, adding that he can chalk it up to lessons learned, but the firm is going to be making some changes with the bank, including forcing them to implement a higher level of security for the company's account.

“As I’ve noted in past stories, all of the victims I’ve interviewed were running anti-virus software: Very few of them had protection against the malware used in the attack until after their money was stolen”, says Krebs, adding that most commercial banks have significant room for improvement in securing the transaction and authentication space for their customers.

But, he notes, businesses that rely on their financial institutions to detect fraudulent activity are setting themselves up for an expensive lesson.

Bottom line? Krebs concludes that no single approach or technology will stop all of these account takeovers, but preventing the theft of your online banking credentials is a critical first step.

“That’s why I continue to advise that small- to mid-sized organizations use a dedicated computer for online banking”, he said, adding that using a non-Windows computer is the safest approach, but not necessarily the most practical or affordable.

“An alternate approach is to access bank accounts from an isolated PC that is locked-down, regularly updated, and used for no other purpose than online banking”, he concludes.
