More importantly, the announcement reports several key findings that are quite worth noting. [In fact, this article touches on so many fundamental security concepts, a number of which will get their own dedicated blog article eventually.] Here are some highlights from the FBI’s warning:
- Rather than randomly targeting a general population of computer users, these attacks utilize “spear phishing” e-mail methods to very specifically target certain small and medium businesses, municipal governments, courts, and school districts.
- Still further, the emails are being targeted to specific individuals within the organizations, generally a person within a company who can initiate funds transfers on behalf of the business, or a credential account holder.
- Often, the targeted entities have their contact information, such as email address, or an org chart posted on their web site. This may provide the perpetrators with information on who handles the financial transactions for that business or agency, allowing them to be targeted specifically.
- The e-mail either has an infected attachment or redirects to a toxic website. In either case, FBI analysis has identified more than two dozen different pieces of malware on the compromised account holders’ computers, all of which contain key loggers to capture the account information.
- FBI analysis has found that in most cases, the victims’ accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions.
- FBI interviews confirm that the threat stems not only from the malware itself, but also from the lack of controls at the bank or ACH provider level. In several cases, banks did not have proper firewalls or anti-virus software, neither on their server nor desktop computers! According to the Internet Crime Complaint Center's analysis, “The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system.”
- In one case, the perps used a “Distributed Denial of Service (DDoS) attack” against a compromised third-party ACH provider to prevent the ACH provider and the bank from recalling the fraudulent transfers before they could cash them out. The ACH transfers ranged from thousands to millions of dollars.
- The criminals recruit willing or unwitting people in the U.S., via “work from home” ads or by contacting those who post their resumes on sites like Monster.com. These “money mules”, as they are called, are used to launder the money by opening new bank accounts to receive the fraudulent transfers, then immediately forwarding a portion of the money to the criminals (typically in Eastern Europe) via transfer services like Western Union.
- Possibly the most important alarm bell raised by this release is that existing signature-based anti-virus and intrusion prevention systems are losing their effectiveness in the face of a rapidly evolving malicious code environment.
The United States Computer Emergency Readiness Team (US-CERT) has posted information on banking securely online on their website.
Protecting your computer against malicious software is an ongoing activity and, at minimum, all computer systems need to be regularly patched, have up-to-date anti-virus software, and have a personal firewall installed. Further information is available at: http://www.us-cert.gov/nav/nt01/.
If you have experienced unauthorized funds transfers from your bank accounts, or if you have been recruited via a work-at-home opportunity to receive transfers and forward money overseas, please notify the Internet Crime Complaint Center by filing a complaint at: http://www.ic3.gov/.
No comments:
Post a Comment