US$100 million in attempted losses were identified as of last month, according to the Internet Crime Complaint Center (IC3), which is the computer crime arm of the FBI. It said that the spearphishing emails directly targeted employees responsible for making funds transfers within small companies and other organizations.
Many of the companies targeted by the spearphishing emails had organizational charts posted on their websites, it was found, making it easier to craft emails targeting specific individuals.
Malware was installed either from within the spearphishing email, or from a website to which they were directed. The malware stole passwords to automated clearing house accounts using a keylogger. The credentials were then used either to set up new accounts, or access existing ones.
The FBI criticized smaller financial institutions for a lack of security. Victims' bank accounts were often held at smaller banks, and the fraudulent transactions enabled by the spearphishing emails were often kept to less than $10 000 to avoid currency transaction reporting. Some of the smaller banks didn't even have proper firewalls or anti-virus software.
Significantly, the FBI also said that signature-based anti-virus and intrusion prevention systems are becoming less effective as custom-designed malicious code increases. It recommended user privilege reduction, application white listing, and heuristics.
Money was directed to accounts operated by mules, recruited from work-at-home advertisements or contacted after placing their resumes on employment websites. The mules would then transfer a portion of the funds via wire transfer services, typically to Eastern Europe.
Some of the spearphishing email attacks were particularly sophisticated. "In one case, the subjects used a distributed denial of service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out", the intelligence note said.