<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; fs-isac</title>
	<atom:link href="http://krebsonsecurity.com/tag/fs-isac/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Wed, 23 May 2012 14:03:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>FBI: $20M in Fraudulent Wire Transfers to China</title>
		<link>http://krebsonsecurity.com/2011/04/fbi-20m-in-fraudulent-wire-transfers-to-china/</link>
		<comments>http://krebsonsecurity.com/2011/04/fbi-20m-in-fraudulent-wire-transfers-to-china/#comments</comments>
		<pubDate>Wed, 27 Apr 2011 14:19:00 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[$20M]]></category>
		<category><![CDATA[backdoor.bot]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Financial Services Information Sharing and Analysis Center]]></category>
		<category><![CDATA[fraudulent wire transfers to china]]></category>
		<category><![CDATA[fs-isac]]></category>
		<category><![CDATA[Internet Crime Complaint Center]]></category>
		<category><![CDATA[Spybot]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=9376</guid>
		<description><![CDATA[The Federal Bureau of Investigation warned this week that cyber thieves have stolen approximately $20 million  over the past year from small to mid-sized businesses, through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country's border with Russia.

The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers to China, and that the total losses from the fraud were about $11 million. The alert was sent out Tuesday, in cooperation with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium.]]></description>
			<content:encoded><![CDATA[
<p>The <strong>Federal Bureau of Investigation</strong> warned this week that cyber thieves have stolen approximately $20 million  over the past year from small to mid-sized U.S. businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country&#8217;s border with Russia.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/04/heil2.jpg"><img class="alignright size-medium wp-image-9379" title="heil2" src="http://krebsonsecurity.com/wp-content/uploads/2011/04/heil2-259x300.jpg" alt="" width="259" height="300" /></a>The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers to China after their online banking credentials were stolen by malicious software. The alert was sent out Tuesday in cooperation with the <a title="Internet Crime Complaint Center" href="http://www.ic3.gov" target="_blank">Internet Crime Complaint Center</a> and the <strong>Financial Services Information Sharing and Analysis Center</strong> (FS-ISAC), an industry consortium. The alert notes that actual victim losses are $11 million, suggesting that victim banks were able to claw back some of the fraudulent transfers.</p>
<p>The FBI says it doesn&#8217;t know who is behind these fraudulent transfers, but that the intended recipients are companies based in the <strong>Heilongjiang</strong> province of the People&#8217;s Republic of China, and that these firms are registered in port cities that are located near the Russia-China border. The agency says the companies all use the name of a Chinese port city in their names, such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Donging, and that the official names of the companies also include the words &#8220;economic and trade,&#8221; &#8220;trade,&#8221; and &#8220;LTD&#8221;. The recipient entities usually hold accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.</p>
<p>From <a title="China Wire Transfer Fraud Alert" href="http://krebsonsecurity.com/wp-content/uploads/2011/04/ChinaWireTransferFraudAlert.pdf" target="_blank">the advisory</a> (PDF):</p>
<blockquote><p>&#8220;In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing email or by visiting a malicious Web site. The malware harvests the user&#8217;s corporate online banking credentials. When the authorized user attempts to log in to the user&#8217;s bank Web site, the user is typically redirected to another Web page stating that the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.&#8221;</p></blockquote>
<p><span id="more-9376"></span>The alert said the unauthorized wires range in value from $50,000 to $985,000. While most transfers tend to be toward the upper end of that spectrum, &#8220;the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000.&#8221; In addition, the attackers initiated fraudulent automated clearing house (ACH) transfers to money mules in the United States within minutes of conducting the overseas wire transfers.</p>
<p>According to the alert, the thieves  used a variety of malicious software to steal victim online banking credentials, including the <a title="ZeuS Trojan Stories on KrebsOnSecurity.com" href="http://krebsonsecurity.com/?s=ZeuS&amp;x=0&amp;y=0" target="_blank">ZeuS Trojan</a>, <strong>backdoor.bot</strong> and <strong>Spybot</strong>, all malware families that let the crooks steal passwords and control infected systems remotely.</p>
<p>None of this should be news to anyone who has followed <a title="Target: Small Businesses" href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">my reporting on this type of crime</a>. I&#8217;ve written more than 70 stories over the past two years about these types of attacks. Earlier this year, victims at three Iowa banks <a href="http://www.desmoinesregister.com/article/20110420/BUSINESS/104200352/-1/GETPUBLISHED03wp-content/Businesses-often-must-swallow-loss-cyber-thefts-" target="_blank">lost about $2 million</a> in a series of fraudulent wire transfers to Hong Kong. Last fall, thieves <a title="Cyber Thieves Steal Nearly $1 Million from University of Virginia" href="http://krebsonsecurity.com/2010/09/cyber-thieves-steal-nearly-1000000-from-university-of-virginia-college/" target="_blank">stole close to $1 million in a single fraudulent wire transfer from the University of Virginia</a> to the Agricultural Bank of China.</p>
<p>It is vital for small business owners to understand the risks they face when banking online, and to get a sense of the sophistication of today&#8217;s attackers. Businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them. Small business owners wondering what they can do to protect themselves should read the tips at <a title="Ebanking Guidance for Banks and Businesses" href="http://krebsonsecurity.com/2010/04/e-banking-guidance-for-banks-businesses/#more-1991" target="_blank">this post</a>. One of the surest ways that business owners can avoid becoming the next victim is for the person handling the company&#8217;s books to bank online <a title="Using Windows for a Day Cost Mac User $100,000" href="http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/" target="_blank">only</a> from a dedicated machine &#8212; preferably one that is not Windows-based (since all of the malware used in the attacks to date won&#8217;t run on anything but Windows). Using a <strong>Mac</strong> or a <a title="Avoid Windows Malware: Bank on a Live CD" href="http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html" target="_blank">Live CD approach</a> may seem expensive or impractical, but losing hundreds of thousands of dollars because your PC got a virus infection isn&#8217;t so great either.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/04/fbi-20m-in-fraudulent-wire-transfers-to-china/feed/</wfw:commentRss>
		<slash:comments>51</slash:comments>
		</item>
		<item>
		<title>Your Money or Your Business</title>
		<link>http://krebsonsecurity.com/2010/11/your-money-or-your-business/</link>
		<comments>http://krebsonsecurity.com/2010/11/your-money-or-your-business/#comments</comments>
		<pubDate>Tue, 02 Nov 2010 21:05:19 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Bank of America]]></category>
		<category><![CDATA[David Brancaccio]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[fs-isac]]></category>
		<category><![CDATA[ic3]]></category>
		<category><![CDATA[Marketplace.org]]></category>
		<category><![CDATA[secret service]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6242</guid>
		<description><![CDATA[New fees levied by financial institutions are likely to push thousands of small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.]]></description>
			<content:encoded><![CDATA[
<p>New fees levied by financial institutions are likely to push many small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.</p>
<p>On the way home from the store last week I caught a Public Radio/Marketplace <a href="http://marketplace.publicradio.org/display/web/2010/10/28/pm-banking-without-the-internet/" target="_blank">story</a> in which the radio show interviewed a small business owner who was nudged into banking online after discovering a $9.99 fee had been added to her business banking account for the privilege of continuing to receive paper statements each month.</p>
<p>The angle of the story was the unfairness of the new fees, considering the estimated 12 million people in the United States who have no or only slow access to the Internet. In the following snippet from that program, Marketplace&#8217;s <strong>David Brancaccio</strong> interviewed a woman from Northern New Hampshire:</p>
<blockquote><p>&#8220;The bank with her personal account still sends monthly statements  printed on paper, through the mail, for free. Old school. But this year,  one of her business accounts started charging money for paper  statements.</p>
<p><strong>Johnson: </strong>That&#8217;s right.</p>
<p><strong>Brancaccio: </strong>How much?</p>
<p><strong>Johnson: </strong>$9.99 a month.</p>
<p><strong>Brancaccio: </strong>Really?</p>
<p><strong>Johnson: </strong>Yes.</p>
<p><strong>Brancaccio: </strong>When did you actually notice?</p>
<p><strong>Johnson: </strong>My bank statement, my paper bank statement! is how I found it!</p>
<p>&#8220;It&#8217;s  a growing trend in banking. For instance, Bank of America has something  called the E-banking account where paper statements and routine  visits to a human teller cost money. It&#8217;s now in more than three dozen  states. B of A says techno-savvy customers seem fine with online-only in  exchange for no minimum cash balances in the account.&#8221;</p></blockquote>
<p>Johnson didn&#8217;t say which bank her commercial account was at.  And for its part, BofA&#8217;s <a href="http://www.businesswire.com/news/home/20100809006034/en/Bank-America-Introduces-eBanking-Checking-Account-Customers" target="_blank">eBanking plan</a> only applies to consumer accounts, not businesses. But if this type of trend becomes more mainstream among commercial banking customers, more and more small businesses will be pushed into banking online without knowing how to protect themselves from organized cyber thieves that have <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">stolen at least $70 million from small to mid-sized organizations</a> over the last few years.</p>
<p><span id="more-6242"></span></p>
<p>Banks using fees to push customers away from traditional offline banking will at least be a boon to companies offering security services to the banks, said <strong>Dave Jevans</strong>, chairman of the <a href="http://www.antiphishing.org/" target="_blank">Anti-Phishing Working Group</a>, an industry consortium.</p>
<p>&#8220;You&#8217;re going to see a lot more unsophisticated users entering the channel,&#8221; Jevans said.</p>
<p><strong>Avivah Litan</strong>, a fraud analyst with <strong>Gartner Inc.</strong>, said banks should  not be pushing more businesses into online banking without adequately  informing them of the risks.</p>
<p>&#8220;It&#8217;s not a good time to be  forcing people online unless you&#8217;re protecting their rights, or at least  making sure they&#8217;re fully aware of the risks,&#8221; Litan said. &#8220;This is happening at the same time the banking industry groups are urging businesses to bank online only from locked down, dedicated  systems. But the individual banks don&#8217;t want to talk about this with their customers.&#8221;</p>
<p>What does it take to harden your network, computers, and employees against this type of attack? Apparently, that&#8217;s a difficult question to answer succinctly. Last week, the <strong>FBI</strong>, the <strong>Secret Service</strong>, the <a href="http://www.ic3.gov/default.aspx" target="_blank">Internet Crime Complaint Center</a> and the <strong>Financial Services Information Sharing and Analysis Center</strong> jointly issued a nine-page <a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/ATOTF-Business-Advisory-201010152.pdf" target="_blank">fraud advisory</a> (PDF) for businesses that warned of high-dollar losses from commercial account takeovers.</p>
<p>&#8220;Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts,&#8221; the advisory begins. &#8220;Often these funds may not be recovered.&#8221;</p>
<p>The section on how to protect, detect and respond to these attacks spans five pages of bullet-pointed dos and don&#8217;ts. The entire paper should be required reading for every business owner who banks online, but based on interviews with dozens of victims, I&#8217;d say that a majority of these attacks could have been stopped had the victims observed the following precautions:</p>
<p>-Use a dedicated computer for online banking &#8212; if possible, one that <a href="http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html" target="_blank">does not run <strong>Microsoft Windows</strong></a> (emphasis on non-Windows usage mine).</p>
<p>-Reconcile your accounts daily.</p>
<p>-Talk to your financial institution about <a href="http://www.allbusiness.com/glossaries/positive-pay/4946540-1.html" target="_blank">Positive Pay</a> and other &#8220;out-of-band&#8221; services such as SMS texting, call backs, and batch limits to help protect against altered or counterfeit checks and unauthorized transactions.</p>
<p>The financial and law enforcement group that issued the report also issued <a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/ATOTF-Consumer-Advisory-201010152.pdf" target="_blank">a separate alert for consumers</a> (PDF), which warns consumers to stay away from work-at-home job schemes and to avoid phishing scams. The consumer version of the alert is much smaller because business owners do not enjoy the same legal protections as consumers when things go wrong with online banking. As a result, a business that suffers an account hijacking is likely to lose any money from fraudulent transfers that their bank cannot reverse.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/11/your-money-or-your-business/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		</item>
		<item>
		<title>Buried Warning Signs</title>
		<link>http://krebsonsecurity.com/2010/01/buried-warning-signs-2/</link>
		<comments>http://krebsonsecurity.com/2010/01/buried-warning-signs-2/#comments</comments>
		<pubDate>Mon, 04 Jan 2010 13:42:12 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[$40 million]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[fs-isac]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=206</guid>
		<description><![CDATA[In a year marked by record bank failures and Wall Street swindlers walking away with tens of billions of investor dollars, it’s perhaps not surprising that the activities of organized cyber gangs looting at least $100 million dollars from small to mid-sized businesses went largely unheralded. The mainstream media could be forgiven for focusing on [...]]]></description>
			<content:encoded><![CDATA[
<p>In a year marked by record bank failures and Wall Street swindlers walking away with tens of billions of investor dollars, it’s perhaps not surprising that the activities of organized cyber gangs looting at least $100 million dollars from small to mid-sized businesses went largely unheralded.</p>
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/cashole1.jpg"><img class="alignright size-medium wp-image-181" title="cashole" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/cashole1-300x224.jpg" alt="" width="300" height="224" /></a>The mainstream media could be forgiven for focusing on bigger fish. For one thing, this particular strain of fraud has many moving parts and is challenging to explain to broad audiences. Also, raising awareness about fraud is always tough because the issue almost invariably involves U.S. banks and federal law enforcement, two entities that by their very genetic makeup resist discussing anything that is not tightly scripted and on-message: The FBI is hyper-reluctant to discuss or even acknowledge ongoing investigations (particularly those in which the main actors are overseas), and the banks simply don&#8217;t want to spook customers in any way.</p>
<p>But law enforcement and the banking industry appear to have been at odds over how and how much to communicate with the public about the seriousness and impact of these crimes. The following anecdotes offer a peek into some of the struggles I experienced last year trying to extract useful and truthful information from both parties.</p>
<p><strong>Friday, Aug. 21, 3:00 p.m. ET:</strong> I was wrapping up <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html" target="_blank">a story</a> for <em>The Washington Post</em> about a confidential alert drafted by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group representing some of the nation’s largest banks. The document I’d gotten hold of seemed to validate the focus of my reporting for the previous 10 weeks: It said the FBI was tracking a major upswing in incidents involving organized computer thieves who were using malicious software to steal tens and hundreds of thousands of dollars from countless small- to mid-sized businesses throughout the United States.</p>
<p>I had finagled a draft version of the alert, and understood that the final version would be sent sometime later that day, although the distribution list was reportedly limited to a few hundred people &#8212; mostly law enforcement and bankers. Problem was, I couldn’t confirm whether the alert had in fact been sent as planned, or whether the final version was changed much from the version I’d obtained.</p>
<p>What’s more, after two days of waiting, I still had no meaningful response from the FBI to my query, which sought to verify the alert’s statement that the FBI believes organized cyber thieves involved in this type of crime were stealing at least a million dollars a week from victims, and that several new victim firms were coming forward each week.</p>
<p>My editor was restless: Without an answer to these questions, the story would hold until next week. The answers didn&#8217;t come, and the story held.</p>
<p>When I finally got confirmation the following Monday that the alert had gone out, I also learned that the final version had been significantly watered down. <span class="pullquote">Gone were the monetary damage estimates, including this stark assessment: &#8216;Total economic impact of these activities, if they continue unabated, is likely to be in the hundreds of millions of dollars.&#8217;</span></p>
<p>Gone was any mention of specific countries to which the stolen tens of millions were flowing (Russia, Ukraine and Moldova). Removed was the part about the quasi-financial institutions responsible for the cross-border flow of stolen cash (Moneygram and Western Union).</p>
<p>Mind you, this was an alert that was not intended for public distribution, but merely to be sent to a small group of banks and law enforcement folks.</p>
<p><span id="more-206"></span></p>
<p>So why was the alert watered down? One explanation is fear. <strong>Avivah Litan</strong>, a fraud analyst with <strong>Gartner Inc.</strong>, said the banks are deathly afraid of anything that would cause businesses and/or consumers to lose confidence in online banking.</p>
<p>“The banks realize such huge savings from having people bank online that they just can’t afford to go back” to a world in which more consumers start doing their banking only at the local branch, she said.</p>
<p>Indeed, another tidbit axed from the original FS-ISAC alert stated the real threat plainly:</p>
<p>&#8220;The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the <a href="http://www.nacha.org/About/what_is_ach_.htm" target="_blank">ACH system</a>. The continued misappropriation of funds by these cyber criminals using this form of social engineering attack model combined with malware has the potential to impact the confidence of businesses to use various forms of electronic payment initiation services offered by their financial institutions. This could impact the continued growth of various corporate-to-corporate, corporate-to-government, and corporate-to-consumer electronic payment applications.&#8221;</p>
<p>&#8212;</p>
<p><strong>October 23:</strong> I&#8217;d heard from a source whose boss had recently returned from a banking industry conference at which a high-ranking official from the FBI’s cyber division spoke about a spike in these attacks against small businesses. The source’s boss took copious notes, and cited the FBI agent as saying that cyber gangs had <a href="http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html" target="_blank">stolen an estimated $40 million</a> from small to mid-sized businesses so far in 2009.</p>
<p>I dialed up FBI headquarters in Washington to verify the figure. As the day wore on, I grew increasingly anxious to verify the numbers, and finally received a call at around 3 p.m. that confirmed the $40 million figure &#8220;as of August 2009.&#8221; My editor wanted to double check that the $40 million was all from 2009, as my source had stated, so that necessitated another call to the FBI and a waiting period afterward.</p>
<p>During that interval, unbeknown to me at the time, the source who’d originally shared the damage estimates with me tried to help out by sending a message to members of the FS-ISAC (the banking industry group whose confidential alert formed the basis of my August story), asking if anyone could help verify the information.  The source told me later that several banking industry executives subsequently contacted the FBI, apparently concerned about my impending story on specific monetary losses due to this type of fraud.</p>
<p>At 6:30 p.m. that day, I heard back from the FBI, which informed me that the $40 million in losses actually involved cases going back as far as 2004. I was flabbergasted and indignant: None of my sources could recall a single case of the kind I was writing about going back further than the latter half of 2008.</p>
<p>With the exception of reports from <strong>USA Today</strong>&#8217;s <strong>Byron Acohido</strong> and <strong>IDG News&#8217; Robert McMillan</strong>, the rest of the media have largely ignored this story. <strong>The Wall Street Journal</strong> published a report near the end of the year that included the tale of an attempted million-dollar heist against a Citigroup business customer, but that victim’s experience was buried in and conflated with a strongly-refuted claim that the attack was the result of a computer intrusion at Citigroup.</p>
<p>Between June and December 2009, I wrote <a href="http://voices.washingtonpost.com/securityfix/small_business_victims/" target="_blank">more than two dozen articles</a> for The Washington Post about this type of fraud, chronicling the damage done to more than 50 companies across the country. Still, dozens of victim companies I spoke with last year later changed their minds about speaking publicly of the incident, and pleaded with me not to publish their names. I honored those requests because I did not think it was fair to play “blame the victim” if the private company in question was unwilling to have their story act as a warning to others. I honored that promise even though some of their losses dwarfed those of the companies I had mentioned in earlier stories.</p>
<p>This type of crime isn’t going away, and in fact I am now hearing from at least one new victim a week. Nearly all lost tens of thousands of dollars, all because of a single virus infection. In response, some banks are making their business customers whole, and some are even making additional efforts to communicate with their customers the severity of the threat. Unfortunately, most continue to disavow any responsibility for the losses.</p>
<p>I will continue to write about this type of crime in 2010, and to dig deeper into the security weaknesses that allow this form of cyber crime to flourish.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/buried-warning-signs-2/feed/</wfw:commentRss>
		<slash:comments>23</slash:comments>
		</item>
	</channel>
</rss>

