I've been hacked - Give me back my money

I recently read a story where a business bank customer had $800K stolen from her business account, and although the bank has been able to recover $600K, there is still the outstanding $200K. The customer is claiming that the bank lacked good security, and the bank is claiming that it had good security, and is suing the customer for false claims about its security. There is plenty of information on the internet about bank account controls – minimum value transfers; transfers to accounts in foreign countries; movement of overall percentage of deposits in short periods of time, etc.; account holders to use internet banking from PCs that have AV and other security protection;  I won't comment on what has been reported so far.

The claims between the parties could continue for some time, those are not what I wanted to talk about. I came across this story through the SANS Institute’s NewsBite service, where one of the editorial team commented that its "just a matter of time until someone fakes the cyber theft, sprinkles some malware, pays his own mules to receive the money, and then blames the bank".

Most of us will agree that it is indeed a matter of time before the above is a reality, but I think that in the meantime we are going to see a series of bungled attempts at being a victim of cyber theft. Off-the-record I have heard of some of the many attempts of fraud around ATM cards, where the cardholder arranges with a friend to "lose" their wallet, and then the friend will empty out the account, just before the card is reported stolen / lost. It’s amazing that something so simple is so easy to mess up, and that is my point! The complex scenario of having money mules to receive the money will happen (sooner or later) and they will be carried out by the "more organised" criminals.

We will see plenty of bungled attempts like the bungled terrorist attempts and the ill thought actions of those people submitted for the Darwin Awards, there has not been as many well publicised cases of complete idiots attempting to commit fraud (to my knowledge). I say that because, although there is no expertise required in not using AV or AM, which makes sprinkling malware relatively easy, but to move money from a legitimate account (the target of the fraud) to a supposed criminals account in such a way that you can prove that it wasn't anything to do with you, is slightly harder. Arranging trustworthy money mules is slightly harder still.

If amateur fraudsters were able to get the right malware which only seems like it has stolen credentials, but doesn't actually do anything until the bank account has first been emptied out by the fraudsters themselves, they will need some technical skills to pull off the fraud without leaving signs of what has actually happened. In any case money will not move from one account to another unless the credentials registered with the bank are used, so the evidence left on the computer will need to show that the malware was on the machine during the time the theft took place.

I believe, that unless fraudsters have a step by step instruction guide it is unlikely that they would be able to pull off a fraud like this, and even so it would be easier still if they had a readymade "kit" to do this for them. This sort of product is something that would not take much for existing crimeware producers to put together. The problem with using such a product is that it can only be used once or twice by a fraudster, which means anyone using this would need to make the best use of it for amounts that make it worth their while.

However, there is obviously always the opportunity for existing money mules to target desperate businesses in need of money to go along with such "schemes", only to be left with nothing at all at the end of it. And I think we are more likely to see many more scenarios of this happening, in the same way that desperate elderly people with some money are targets of so many of the current scams. I believe that mid-sized business in this economic climate are more likely to fall for such scams than other businesses, as I believe they are more likely to be targeted with phony ways of how it is not really fraud, or that there is little chance of them getting caught.

I think we are in for a rough ride from both the organised criminals as well as those who are desperate enough to have to collude with helpful criminals and end up worse off. These things will happen well before we see clean frauds as anticipated in the SANS Institute observation above, as there is more money in it for the criminals, and less chance of being accused or put in the spotlight.

What are your thoughts? 

What’s Hot on Infosecurity Magazine?