March 13, 2012

Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.

Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.

The attackers then crafted the following email, sending it to personnel at each victim’s respective local WNB bank branch.

Good Morning,

Can you please update me with the the available balance in my account and also the information needed to  complete an outgoing wire transfer for me today,i am on my way to my nephew funeral service but i will check my mail often for your response.

Thanks.

Wade Kuehler, an executive vice president at WNB, said bank personnel followed up on two of the requests, ignoring the request not to contact the customer via phone. In both cases, the customers were grateful for the contact, saying they had not sent such a request.

But the thieves struck paydirt with the third attempt, when a sympathetic associate at the bank responded to the message with the requested balance information. The follow-up email from the thieves included instructions to wire money to an account at another bank, and the assistant helpfully processed the transfer.

Kuehler said WNB assumed responsibility for the loss, which he would describe only as “small,” and that the employee had been disciplined. “This particular customer did have [an email history] with an account officer who was doing what she believed is her job: Taking care of customer.”

Kuehler added that he’s heard from other banks — particularly other small and regional institutions — that have also been the subject of such attacks recently.

“The common thread is these are legitimate e-mail accounts that have been hacked,” he said. “The hacker then e-mails anyone in the address book that appears to be associated with a bank.”

JB Snyder, principal and CEO at Bancsec, a company that specializes in network security and penetration testing for banks, said these attacks — even ones as sloppily executed as the email above — work because they target the world’s oldest and most reliable security vulnerability: exploiting trust relationships, a.k.a. “social engineering.”

“The wild thing is that even this hokey scheme works enough to be profitable,” Snyder said. “We’ve proven this with similar vectors.  The bottom line is that a giant percentage of today’s business is conducted via email alone without further verification, so the possibilities are endless.”

Email accounts typically are hijacked in one of three ways: through phishing, malware or via brute-force password guessing/reset attacks. To sidestep phishing attacks, avoid clicking links in email (booby-trapped links also frequently lead to malware), and only log in to accounts after loading the login page from a local browser bookmark. Krebs’s 3 Basic Rules for Online Safety keep most users out of trouble with malware. For some tips on picking strong passwords, check out this primer.


8 thoughts on “Hacked Inboxes Lead to Bank Fraud

  1. guerilla7

    Funny, this is how exactly I got inside a “highly-secured” network of a multi-national corporate network. “Abusing existing trust relationships” is the key phrase here, the tools and technology are already out there, all that is needed is a clever “low-tech” approach on how to get inside the target organization.

      1. Rob

        It works against all companies all the time. You can scream about it or hate it all you want, but always someone somewhere will click the damn link in the email, or respond in some way. Any defense that assumes otherwise isn’t a defense at all.

        Even in a small company, if they can make sure 99.9% of their employees are immune, that’s several a day who will fall for it, dozens or hundreds in a large company. With intense education of a specific target audience you might theatrically achieve 100% awareness, but with typical IT setups those people are still wide open to being hacked via the other employees who clicked.

  2. Fraud Red Team

    This is a highly appropriate and relevant observation for today’s operating environment. This concept carries over into internal fraud as well, where lower-level associates (administrative assistants, tech support, etc) have (or can gain) free and open access to Executive Level email, giving them the ability to execute subtle attacks over extended periods of time without detection.

  3. Jerry

    Brian,

    Do you by any chance know if these were free webbased e-mail accounts, like hotmail or so?

    We at our company strongly urge staff and others not to use these type of free webbased e-mail accounts for confidential data.

    1. BrianKrebs Post author

      Jerry,

      As far as I know, all of the accounts in the attack referenced in this story were Yahoo! accounts.

      1. Jerry

        Thanks Brian,

        As always, I enjoy the content of this secinfo website.

        Regards,
        Jerry

Comments are closed.