RSS Alerts

Share

More services

Related Links

Related Stories

  • FBI director almost fell for phishing attack
    The director of the FBI and the man charged with protecting the US from cyberthreats, Rober Mueller, has given up online banking after a phishing scare.
  • Spear-phishing Attacks Attain Record Levels
    Targeted social engineering attacks, also referred to as spear phishing, are on the rise.
  • Zeus is king of bank fraud trojan viruses
    Just like the Greek god that is its namesake, Zeus is the king of bank fraud trojan viruses, having been used by thousands of criminals to scam perhaps hundreds of millions of dollars from banking customers around the world for years. The recent busts of Zeus fraudsters in the US and the UK are just the tip of a vast underground of fraud and deception, according to information security analysts consulted by Infosecurity.
  • Chinese cybercriminals steal $11 million from US firms through wire transfers
    Chinese cybercriminals have bilked US-based small and medium-sized enterprises (SMEs) out of $11 million as a result of fraudulent wire transfers, the Federal Bureau of Investigation (FBI) said.
  • Met admits police e-crime unit is under-resourced
    The police cybercrime unit can tackle only 11% of the 6000 known organised criminal gangs that regularly use computers for illegal purposes, the head of the Metropolitan Police admitted at the weekend.

Top 5 Stories

News

Spearphishing emails target customers of ill-equipped banks.

06 November 2009

The FBI has slammed poor security in financial institutions, after identifying a drastic rise in money being stolen from small to medium-sized businesses via spearphishing emails, it said in an intelligence note early this week.

US$100 million in attempted losses were identified as of last month, according to the Internet Crime Complaint Center (IC3), which is the computer crime arm of the FBI. It said that the spearphishing emails directly targeted employees responsible for making funds transfers within small companies and other organizations.

Many of the companies targeted by the spearphishing emails had organizational charts posted on their websites, it was found, making it easier to craft emails targeting specific individuals.

Malware was installed either from within the spearphishing email, or from a website to which they were directed. The malware stole passwords to automated clearing house accounts using a keylogger. The credentials were then used either to set up new accounts, or access existing ones.

The FBI criticized smaller financial institutions for a lack of security. Victims' bank accounts were often held at smaller banks, and the fraudulent transactions enabled by the spearphishing emails were often kept to less than $10 000 to avoid currency transaction reporting. Some of the smaller banks didn't even have proper firewalls or anti-virus software.

Significantly, the FBI also said that signature-based anti-virus and intrusion prevention systems are becoming less effective as custom-designed malicious code increases. It recommended user privilege reduction, application white listing, and heuristics.

Money was directed to accounts operated by mules, recruited from work-at-home advertisements or contacted after placing their resumes on employment websites. The mules would then transfer a portion of the funds via wire transfer services, typically to Eastern Europe.

Some of the spearphishing email attacks were particularly sophisticated. "In one case, the subjects used a distributed denial of service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out", the intelligence note said.

This article is featured in:
Internet and Network Security • Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

Terms & Conditions |Privacy |Website Design|Reed Exhibitions. All rights reserved. Copyright © 2012