
  • Posts Tagged: fs-isac


    27
    Apr 11

    FBI: $20M in Fraudulent Wire Transfers to China

    The Federal Bureau of Investigation warned this week that cyber thieves have stolen approximately $20 million over the past year from small to mid-sized U.S. businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country’s border with Russia.

    The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers sent to China after their online banking credentials were stolen by malicious software. The alert was sent out Tuesday in cooperation with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium. The alert notes that actual victim losses are $11 million, suggesting that victim banks were able to claw back some of the fraudulent transfers.

    The FBI says it doesn’t know who is behind these fraudulent transfers, but that the intended recipients are companies based in the Heilongjiang province of the People’s Republic of China, and that these firms are registered in port cities located near the Russia-China border. The agency says the companies all use the name of a Chinese port city in their names, such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning, and that the official names of the companies also include the words “economic and trade,” “trade,” and “LTD”. The recipient entities usually hold accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.

    From the advisory (PDF):

    “In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing email or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials. When the authorized user attempts to log in to the user’s bank Web site, the user is typically redirected to another Web page stating that the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.”



    2
    Nov 10

    Your Money or Your Business

    New fees levied by financial institutions are likely to push many small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.

    On the way home from the store last week I caught a Public Radio/Marketplace story in which the radio show interviewed a small business owner who was nudged into banking online after discovering a $9.99 fee had been added to her business banking account for the privilege of continuing to receive paper statements each month.

    The angle of the story was the unfairness of the new fees, considering the estimated 12 million people in the United States who have no or only slow access to the Internet. In the following snippet from that program, Marketplace’s David Brancaccio interviewed a woman from Northern New Hampshire:

    “The bank with her personal account still sends monthly statements printed on paper, through the mail, for free. Old school. But this year, one of her business accounts started charging money for paper statements.

    Johnson: That’s right.

    Brancaccio: How much?

    Johnson: $9.99 a month.

    Brancaccio: Really?

    Johnson: Yes.

    Brancaccio: When did you actually notice?

    Johnson: My bank statement, my paper bank statement! is how I found it!

    “It’s a growing trend in banking. For instance, Bank of America has something called the E-banking account where paper statements and routine visits to a human teller cost money. It’s now in more than three dozen states. B of A says techno-savvy customers seem fine with online-only in exchange for no minimum cash balances in the account.”

    Johnson didn’t say which bank her commercial account was at. And for its part, BofA’s eBanking plan only applies to consumer accounts, not businesses. But if this type of trend becomes more mainstream among commercial banking customers, more and more small businesses will be pushed into banking online without knowing how to protect themselves from organized cyber thieves that have stolen at least $70 million from small to mid-sized organizations over the last few years.



    4
    Jan 10

    Buried Warning Signs

    In a year marked by record bank failures and Wall Street swindlers walking away with tens of billions of investor dollars, it’s perhaps not surprising that the activities of organized cyber gangs looting at least $100 million from small to mid-sized businesses went largely unheralded.

    The mainstream media could be forgiven for focusing on bigger fish. For one thing, this particular strain of fraud has many moving parts and is challenging to explain to broad audiences. Also, raising awareness about fraud is always tough because the issue almost invariably involves U.S. banks and federal law enforcement, two entities that by their very genetic makeup resist discussing anything that is not tightly scripted and on-message: The FBI is hyper-reluctant to discuss or even acknowledge ongoing investigations (particularly those in which the main actors are overseas), and the banks simply don’t want to spook customers in any way.

    But law enforcement and the banking industry appear to have been at odds over how and how much to communicate with the public about the seriousness and impact of these crimes. The following anecdotes offer a peek into some of the struggles I experienced last year trying to extract useful and truthful information from both parties.

    Friday, Aug. 21, 3:00 p.m. ET: I was wrapping up a story for The Washington Post about a confidential alert drafted by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group representing some of the nation’s largest banks. The document I’d gotten hold of seemed to validate the focus of my reporting for the previous 10 weeks: It said the FBI was tracking a major upswing in incidents involving organized computer thieves who were using malicious software to steal tens and hundreds of thousands of dollars from countless small- to mid-sized businesses throughout the United States.

    I had finagled a draft version of the alert, and understood that the final version would be sent sometime later that day, although the distribution list was reportedly limited to a few hundred people — mostly law enforcement and bankers. Problem was, I couldn’t confirm whether the alert had in fact been sent as planned, or whether the final version was changed much from the version I’d obtained.

    What’s more, after two days of waiting, I still had no meaningful response from the FBI to my query, which sought to verify the alert’s statement that the FBI believes organized cyber thieves involved in this type of crime were stealing at least a million dollars a week from victims, and that several new victim firms were coming forward each week.

    My editor was restless: Without an answer to these questions, the story would hold until next week. The answers didn’t come, and the story held.

    When I finally got confirmation the following Monday that the alert had gone out, I also learned that the final version had been significantly watered down. Gone were the monetary damage estimates, including this stark assessment: ‘Total economic impact of these activities, if they continue unabated, is likely to be in the hundreds of millions of dollars.’

    Gone was any mention of specific countries to which the stolen tens of millions were flowing (Russia, Ukraine and Moldova). Removed was the part about the quasi-financial institutions responsible for the cross-border flow of stolen cash (Moneygram and Western Union).

    Mind you, this was an alert that was not intended for public distribution, but merely to be sent to a small group of banks and law enforcement folks.
