Security Watch

Open Window

Since most password-stealing malware targets users of Microsoft Corp.'s Windows operating system, one business owner's security strategy revolved around using an Apple Inc. Mac computer. But one day he did not use his Mac and accessed his online banking service with a Windows machine — and lost nearly $100,000.

David Green, who runs the Oklahoma City party supply company DKG Enterprises, decided one day to check DKG's bank account from the Windows computer his wife and kids use. The machine had been compromised by a password-stealing Trojan horse, and a few days after he logged on, thieves began making fraudulent withdrawals totaling $98,000, Brian Krebs reported June 2 on his "Krebs on Security" blog. About $22,000 has been recovered, and DKG is arguing with its bank over how to get back the rest, it told Krebs.

"I've frequently advised small-business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows," Krebs wrote.

As a result of the incident, DKG no longer allows any machine other than Green's Mac laptop to connect to its bank account.

And security at the Green household also has been improved overall: "The owner's wife now has a new Mac," Joe Dunn, DKG's controller, told Krebs.

Mac Attack

Mac computers may not be as safe as people think.

A new malicious program piggybacks on screen saver software for Apple Inc.'s Macs, which are typically considered less of a target for viruses.

The new attack is based on software developed two years ago to target Windows users, the tech news site Ars Technica reported June 1. In the Mac version, it is typically distributed as part of a screen saver package, though it has also been spotted hiding in a program that lets people record audio tracks from online videos.

The malicious program, called OSXOpinionSpy or PremierOpinion, sends data and Internet traffic records from the infected computer to a server controlled by the attacker, the article said.

Intego, the security firm that discovered the bug, said that although the program does not appear to specifically target bank accounts, the scope of the data it observes is vast enough to include sensitive information such as passwords and credit card numbers.

And this bug is not easy to remove: the spyware remains even if the program it came with is deleted, the article said, so users who suspect they have been infected should run an antivirus scan.

Imperfect Pitch

Under a settlement with the Federal Trade Commission, the spyware vendor CyberSpy Software can continue selling its keylogging product, but must soften its pitch to downplay its illegal uses.

The Orlando company's software, called RemoteSpy, can be used to log typed information on a computer, and was advertised as a way to spy on others, PC World reported June 2. The FTC objected to this, and sued CyberSpy two years ago.

The FTC and CyberSpy announced a settlement last week.

CyberSpy has agreed to change its marketing to eliminate the message that its software can be used for spying on others. "Today, it's billed as a tool that lets users spy on their own PCs — in order to keep tabs on children or employees," the article said.

Before the settlement, CyberSpy provided instructions on how to sneak its program onto other people's computers as an e-mail attachment, but it no longer has explicit instructions, the article said. Instead, it mentions the possibility of disguising its software within another attachment as a way to get through e-mail filters, but does not explain how to do this.

The idea that CyberSpy's software can lead users to face criminal charges is not just hypothetical, PC World said. In March, a man was sentenced to three years of probation and instructed to pay $33,000 in restitution for infecting a hospital computer after attaching the program to an e-mail sent to the private e-mail address of one of the hospital's employees, the article said.

Corralling Mules

In what might be a first in the U.S., prosecutors are going after "money mules," people who are tricked into helping the real masterminds of fraud incidents move money out of the country.

Five people have been indicted for allegedly helping scammers attempt to move nearly $450,000 out of the U.S. after it was transferred to their personal bank accounts from a compromised, government-owned account in California, Wired.com's "Threat Level" blog reported May 27.

"It's not always clear if the mules know that they're helping to facilitate a crime," the article said.

Citing interviews by the security writer Brian Krebs, Wired.com said many mules are either kept completely in the dark or simply did not ask questions because they were too desperate for work. The money in this case was taken from the city of Carson in May 2007 by someone who had stolen the login credentials of a government employee. About $304,000 has been recovered, and the city's insurance provider paid it $100,000, which left the city $44,000 poorer as a result of the theft.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.