New data suggests that cyber attacks aimed at small businesses have doubled over the past six months, a finding that dovetails with my own reporting on companies that are suffering six-figure losses from sophisticated cyber heists.
According to Symantec, attacks against small businesses rose markedly in the first six months of 2012 compared to the latter half of 2011. In its June intelligence report, the security firm found that 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. That figure was 18 percent at the end of Dec. 2011.
“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said Paul Wood, a security intelligence manager at Symantec. “It almost seems attackers are diverting their resources directly from the one group to the other.”
I’m seeing the same uptick, and have been hearing from more small business victims than at any time before — often several times per week.
In the second week of July, for example, I spoke with three different small companies that had just been hit by cyberheists (one of the victims asked not to be named, and the other didn’t want their case publicized). On July 10, crooks who’d broken into the computers of a fuel supplier in southern Georgia attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.
The bank, First National Bank of Coffee County, managed to claw back an unusually large amount — approximately $260,000. The fuel company hired an outside forensics firm to investigate, and found that the trouble started on July 9, when the firm’s controller clicked a link embedded in an image in an email designed to look as though it was sent by the U.S. Postal Service and alerting the recipient about a wayward parcel. The link in the image loaded content from a site hosting the BlackHole exploit kit, which downloaded the ZeuS Trojan to the controller’s PC.
Interestingly, the fuel company and its bank said one of the money mules that the attackers recruited to help launder the stolen funds turned out to be an employee of Wells Fargo from Alabama. Many money mules are simply not the brightest bulbs, and it is usually difficult to prove that they weren’t scammed as well (because more often than not, the mules end up losing money). But one would think people who work for banks should be at least be aware of these schemes, and held to a higher standard. What’s more, if this mule wasn’t complicit then he probably suspected something wasn’t right, because he had the funds sent to an account he controlled at a local credit union in Birmingham — rather than an account at Wells Fargo.
By the way, this is the second time I’ve encountered a money mule working at a major bank. Last year, I tracked down a woman at PNC Bank in Maryland who was hired by a mule recruitment gang and later helped move nearly $4,500 from a victim business in North Carolina to cybercriminals in Ukraine. She claimed she did not understand what she had done until I contacted her.
Another small business hit during the week of July 9 was Hastings, Neb. based Consolidated Concrete, which lost more than $100,000 in a similar cyber robbery. The company learned it was being robbed when one of the money mules contacted them after receiving a large transfer from Consolidated’s accounts.
“We got a heads up from a guy saying that we’d put money into his account,” said Don Phillips, the controller for the concrete company. “He said he knew something was wrong, Googled us and gave us a call.”
The experience of both the fuel company and Consolidated Concrete is a fairly typical, unfortunately. Both companies managed their money online at small, local banks whose principal method for securing commercial accounts is to require a username and password. This is in direct violation of the guidelines issued by regulators at the Federal Financial Institutions Examination Council (FFIEC) last year.
That guidance, issued a year ago and effective as of January 2012, calls for “layered security programs, including methods for detecting transaction anomalies, dual transaction authorization through different access devices, and the use of out-of-band verification for transactions.
What sort of dual transaction authorization was First National Bank of Coffee County using? Would you believe just a username and password? How about Consolidated’s banks? According to Phillips: A cookie placed on the customer’s computer, and a fax or phone call. The cookie protection fails when — as in the case with Consolidated and every other cyber robbery I’ve written about — the attackers have remote control over the victim’s PC; the bad guys can simply tunnel their connection through the victim’s PC.
“The machine itself has to have a cookie on it to be able to proceed, and usually we get a verification — we usually will ask for some sort of verification, either by fax or phone — of any large transfers,” Phillips said. “We usually set up any [payroll batches] on a PC, print it out, and then fax them a sheet that they verify and fax back to us. But I guess that didn’t happen here.”
The message I have been trying to drive home for small business owners is twofold: By all means, shop around if you can and find a bank that offers and advocates additional layers of security. But the best way to avoid a cyberheist is to not have your computer systems infected in the first place. The trouble is, it’s becoming increasingly difficult to tell when a system is or is not infected. That’s why I advocate the use of a Live CD approach for online banking: That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like ZeuS, your online banking session is protected.