A $1.5 million bank/wire fraud case made big news this summer, but experts say that malware and other online threats to banks' business clients have been spiking for at least a year.
The Associated Press reported in July that the bank account of a California escrow firm, Efficient Services Escrow Group, was hacked in December 2012 and January 2013, with three payments totaling $1.5 million wired to accounts in China and Russia. Only $432,215 was recovered, and the company was shut down.
During the last 15 months, "we're hearing that the fraud has evolved, there are new types of malware being deployed and, particularly in those banks that have yet to put in robust solutions, we're seeing that fraud spike again," says Shirley Inscoe, senior analyst with Aite Group.
In late 2008 and 2009, several targeted ACH and wire fraud attacks on banks' business clients prompted an FBI-published alert and lawsuits against banks, Inscoe says. Then banks started implementing ACH and wire fraud solutions that would alert them to suspicious activity in their business client accounts, so they could identify potential fraud before money left an account.
The major difference between the current spike and the 2008-to-2009 attacks is that the earlier attacks were fairly simple to commit. Typically the fraudsters gained the customer's credentials through keylogging software or other techniques, then went online and made the fraudulent transaction, Inscoe says.
"Now, they're more sophisticated, and having to work a lot harder to impersonate the customer," she says.
One banker told her he had no ACH or wire fraud losses in his corporate client accounts for 12 months, then three large incidents within the past year.
Banks need to focus their security measures particularly on internal employee accounts and privileged accounts, said Avivah Litan, Gartner vice president.
One of the most recent online crimes has been payment switch takeovers, in which a privileged user account is taken over by a fraudster to access the bank's wire application, Litan said.
In September 2012, the FBI issued a fraud alert reporting a new trend of cyber criminals using phishing e-mails, keystroke loggers and remote access Trojans, including variations of the Zeus malware, to infiltrate banking networks and to steal credentials, which were used to authorize overseas wire transfers.
Litan said the online criminal rings "are starting to break some of the techniques that banks are using to protect themselves, so it continues to be a cat and mouse game. The banks put a lot of protections in place, but the bad guys are still getting around some of them."
The current wave of attacks use a lot of man-in-the-browser techniques, intercepting the activity between the client and bank after a hard-token number is keyed by the client, Inscoe says. With a man-in-the-browser scam, the real client starts a banking session and the fraudster, through the use of malware, injects himself into the transaction. In some cases the victim will see a screen indicating that there is a problem with the bank's website, and wait patiently while the fraudulent transactions are completed.
The malware is sometimes loaded through a website that is visited by a bank client employee. But with business bank clients, more often the entry results from spear phishing of key employees, such as controllers, accountants or bookkeepers.
Another popular technique is email account takeover, where a customer has been corresponding via email with a banker and the fraudster takes over and instructs the banker to send a wire, Inscoe says.
"Now, that may be against bank policy, but the banker has interacted via email with his client several times before, and there have been no issues. So in the name of customer service, he might send that wire, per the instructions in the email, which was in reality from a fraudster and not a true client," she says.
In another trend, cyber criminals are increasingly attacking specific bank applications, because software developers for a business-to-business application may not proactively build in necessary security measures, says Rohit Sethi, vice president of Security Compass.
"With a lot of these basic web application attacks, we find that banking clients still tend to be vulnerable and often the business banking applications don't tend to have the same level of protection as the retail applications," Sethi says.
Another common type of attack involves cross-site scripting, Sethi says. With cross-site scripting, a bank customer frequents a non-bank website forum and is already logged in with the bank, which has a specific but common vulnerability. Meanwhile, a hacker has posted a message on the non-bank website that includes invisible characters that, when viewed by the bank customer, will be executed automatically as a fraudulent payment request to the bank.
Don Jackson, the senior security researcher with Dell SecureWorks credited with discovering the infamous Zeus banking Trojan in 2007, says one reason Zeus variations continue to be so effective is the considerable financing for its developers. Zeus's developer is a software engineer, apparently located in Russia, who follows a disciplined software development cycle with his team, with customers who spend hundreds of thousands of dollars every year developing new modules for testing and deployment, Jackson says.
One of the most effective methods for preventing online fraud with business accounts has been recommended since 2005 but still is not widely utilized, Jackson says. With an "air-gap" technique, or out-of-band authentication, a unique verification code is generated by the bank and transmitted via digital token, or text message, or other device not connected to the online account device, so the client can read and then key in the code as a signature for each transaction over a certain amount.
"It really comes down to signing that transaction. The bad guy cannot change that transaction without messing up the codes" and cancelling the transaction, Jackson said.
"There's no way for an attacker trying to subvert that transaction to actually see the code on that device. It's not connected to the infected machine at all, so it doesn't really matter if the machine has 18 different Trojans on it."
In some cases, banks have been resisting air-gap authentication methods out of concern that the methods are inconvenient to customers and because of the cost, even though the cost can be justified by the savings of avoiding fraud, Jackson says.
Dell SecureWorks also recommends that banks suggest their business customers with large accounts use a separate computer dedicated to online banking activity, with no emailing or web browsing from that computer, to reduce or eliminate the risk of infection.
Banks should also maintain access threat intelligence on current Trojans to help their fraud prevention teams, looking for particular business account web browser traffic patterns, for example, or specific cookies or IP addresses that indicate potential fraud activity, Jackson says.
One of the cheapest and easiest investments banks can make is sending their clients anti-malware tools to give to their clients to clean up their desktop PCs, said David Aitel, chief executive of Immunity Inc. Cutting out even one incidence of fraud makes the investment worth it.
One top-20 bank recently began requiring its corporate customers to download its software to use for security protection, Inscoe says.
In addition to products that can detect man-in-the-middle and man-in-the-browser attacks, banks should invest in behavioral analytics, she says. Behavioral analytics offer extremely broad coverage for banks. They monitor a client's activity across all channels online, branch, ATM, card, mobileand detect anomalous behavior for bank staff to check on, she said.
Banks need to educate their business clients about the time required to check on potential fraud, and the delays that may cause, Inscoe says.
"That's something operationally the banks have to figure out how to contend with, to allow the time," she says.
"They have to let their wire fraud solution run and have time to work suspicious activity, there's got to be a compromise there between the client and the bank to allow adequate time to detect fraud and stop it," Inscoe says.
Banks realize there's a huge client communication and education element to fraud prevention, and many banks are now turning it into a marketing opportunity, advertising to business clients that they have better ACH and wire fraud prevention than their competitors, Inscoe says.
From the customer's point of view, it shouldn't be too much to ask to have the bank devote personal attention to the account, Aitel says.
"When we say small business, we're talking about businesses with millions of dollars in your bank, so you're already in the premiere account category," Aitel says. "And the bank already has a dedicated individual who will try to upsell that customer as well as try to protect them. So it is not unreasonable for that person to be making the phone call, if they get an alert, to say that something is going on with that account."