January 4, 2010

In a year marked by record bank failures and Wall Street swindlers walking away with tens of billions of investor dollars, it’s perhaps not surprising that the activities of organized cyber gangs looting at least $100 million dollars from small to mid-sized businesses went largely unheralded.

The mainstream media could be forgiven for focusing on bigger fish. For one thing, this particular strain of fraud has many moving parts and is challenging to explain to broad audiences. Also, raising awareness about fraud is always tough because the issue almost invariably involves U.S. banks and federal law enforcement, two entities that by their very genetic makeup resist discussing anything that is not tightly scripted and on-message: The FBI is hyper-reluctant to discuss or even acknowledge ongoing investigations (particularly those in which the main actors are overseas), and the banks simply don’t want to spook customers in any way.

But law enforcement and the banking industry appear to have been at odds over how and how much to communicate with the public about the seriousness and impact of these crimes. The following anecdotes offer a peek into some of the struggles I experienced last year trying to extract useful and truthful information from both parties.

Friday, Aug. 21, 3:00 p.m. ET: I was wrapping up a story for The Washington Post about a confidential alert drafted by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group representing some of the nation’s largest banks. The document I’d gotten hold of seemed to validate the focus of my reporting for the previous 10 weeks: It said the FBI was tracking a major upswing in incidents involving organized computer thieves who were using malicious software to steal tens and hundreds of thousands of dollars from countless small- to mid-sized businesses throughout the United States.

I had finagled a draft version of the alert, and understood that the final version would be sent sometime later that day, although the distribution list was reportedly limited to a few hundred people — mostly law enforcement and bankers. Problem was, I couldn’t confirm whether the alert had in fact been sent as planned, or whether the final version was changed much from the version I’d obtained.

What’s more, after two days of waiting, I still had no meaningful response from the FBI to my query, which sought to verify the alert’s statement that the FBI believes organized cyber thieves involved in this type of crime were stealing at least a million dollars a week from victims, and that several new victim firms were coming forward each week.

My editor was restless: Without an answer to these questions, the story would hold until next week. The answers didn’t come, and the story held.

When I finally got confirmation the following Monday that the alert had gone out, I also learned that the final version had been significantly watered down. Gone were the monetary damage estimates, including this stark assessment: ‘Total economic impact of these activities, if they continue unabated, is likely to be in the hundreds of millions of dollars.’

Gone was any mention of specific countries to which the stolen tens of millions were flowing (Russia, Ukraine and Moldova). Removed was the part about the quasi-financial institutions responsible for the cross-border flow of stolen cash (Moneygram and Western Union).

Mind you, this was an alert that was not intended for public distribution, but merely to be sent to a small group of banks and law enforcement folks.

So why was the alert watered down? One explanation is fear. Avivah Litan, a fraud analyst with Gartner Inc., said the banks are deathly afraid of anything that would cause businesses and/or consumers to lose confidence in online banking.

“The banks realize such huge savings from having people bank online that they just can’t afford to go back” to a world in which more consumers start doing their banking only at the local branch, she said.

Indeed, another tidbit axed from the original FS-ISAC alert stated the real threat plainly:

“The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system. The continued misappropriation of funds by these cyber criminals using this form of social engineering attack model combined with malware has the potential to impact the confidence of businesses to use various forms of electronic payment initiation services offered by their financial institutions. This could impact the continued growth of various corporate-to-corporate, corporate-to-government, and corporate-to-consumer electronic payment applications.”

October 23: I’d heard from a source whose boss had recently returned from a banking industry conference at which a high-ranking official from the FBI’s cyber division spoke about a spike in these attacks against small businesses. The source’s boss took copious notes, and cited the FBI agent as saying that cyber gangs had stolen an estimated $40 million from small to mid-sized businesses so far in 2009.

I dialed up FBI headquarters in Washington to verify the figure. As the day wore on, I grew increasingly anxious to verify the numbers, and finally received a call at around 3 p.m. that confirmed the $40 million figure “as of August 2009.” My editor wanted to double check that the $40 million was all from 2009, as my source had stated, so that necessitated another call to the FBI and a waiting period afterward.

During that interval, unbeknown to me at the time, the source who’d originally shared the damage estimates with me tried to help out by sending a message to members of the FS-ISAC (the banking industry group whose confidential alert formed the basis of my August story), asking if anyone could help verify the information. The source told me later that several banking industry executives subsequently contacted the FBI, apparently concerned about my impending story on specific monetary losses due to this type of fraud.

At 6:30 p.m. that day, I heard back from the FBI, which informed me that the $40 million in losses actually involved cases going back as far as 2004. I was flabbergasted and indignant: None of my sources could recall a single case of the kind I was writing about going back further than the latter half of 2008.

With the exception of reports from USA Today‘s Byron Acohido and IDG News’ Robert McMillan, the rest of the media have largely ignored this story. The Wall Street Journal published a report near the end of the year that included the tale of an attempted million-dollar heist against a Citigroup business customer, but that victim’s experience was buried in and conflated with a strongly-refuted claim that the attack was the result of a computer intrusion at Citigroup.

Between June and December 2009, I wrote more than two dozen articles for The Washington Post about this type of fraud, chronicling the damage done to more than 50 companies across the country. Still, dozens of victim companies I spoke with last year later changed their minds about speaking publicly of the incident, and pleaded with me not to publish their names. I honored those requests because I did not think it was fair to play “blame the victim” if the private company in question was unwilling to have their story act as a warning to others. I honored that promise even though some of their losses dwarfed those of the companies I had mentioned in earlier stories.

This type of crime isn’t going away, and in fact I am now hearing from at least one new victim a week. Nearly all lost tens of thousands of dollars, all because of a single virus infection. In response, some banks are making their business customers whole, and some are even making additional efforts to communicate with their customers that severity of the threat. Unfortunately, most continue to disavow any responsibility for the losses.

I will continue to write about this type of crime in 2010, and to dig deeper into the security weaknesses that allow this form of cyber crime to flourish.

19 thoughts on “Buried Warning Signs

  1. JackRussell

    All I can say is keep at it. There aren’t any others that I know of that are working on this type of story.

    That being said, I can understand why banks are scared – they have committed to going down this road, and they don’t know a way back. But they need to be proactive in providing information to help protect their customers and not try to hide it all and hope that it goes away.

  2. Dave

    USA today gave the story great play.

    For $100 million, I figure the trend got appropriate mention.

  3. mccxxiii

    This is intereting and more than a bit frightening. Do you think online banking is safe? Do you think it’s safer with a large company (such as Bank of America) than with a small/mid-sized bank that is local or regional?

    1. infosec_pro

      @mccxxiii – I worked for a bank that was then in the top fifty and is now one of the top twenty or so (couple of mergers) – I doubt there is much difference between the big guys and the major regionals, even the big players outsource much of the processing to specialist service providers. They are all probably more secure than you are, which is not saying a great deal with the spate of Adobe zero-days and the state of the art in drive-by exploits and such. Personally, I access my accounts online only from my work desktop in a highly secured (.gov) network for which I am responsible for security – I don’t think it’s safe from attackers, just that the attackers are after bigger things than my penny ante bankroll, and also that attacks will be detected and mitigated very quickly so my exposure will be limited – and I would not access financial accounts from a home PC or any less secure environment.

  4. John Caddell

    Brian, thanks for your reporting on this. Last month, I was discussing with a risk management colleague of mine a recent incident involving cybertheft of over $400K from Cumberland Cty, PA (where I live). He mentioned that very few businesses or small governments are aware of the threat.

    Then I read the Acohido article in USA Today while on vacation. That piqued my curiosity. I did a Google search and quickly found your WPost blog. Good to see that you’ve created a new home for your writing, and I look forward to reading regularly. You’re in my RSS reader.

    regards, John

  5. Reid

    Thanks Brian for staying on top of this issue.

    It’s unfortunate indeed that financial institutions and the FBI are suppressing the facts regarding the impacts of fraud such as this. By doing so, they are to some extent abetting the criminals responsible.

    It certainly irks me that banks and financial institution can act within their own narrow self interests by suppressing knowledge of their security failures. While at the same time passing the associated costs along to their customers. It’s fundamentally just plain wrong and dishonest.

  6. Rob

    I hope you keep on this story Brian. It is when the news gets out, and enough people get talking about it that the banks will have to do something. Even if it means putting it into reverse, and moving away from internet banking.

  7. Tom Seaview

    So… the banks want to hide the risks and the extent of their customers’ losses, and the FBI is complicit in the cover-up.
    This should be a bigger story than the theft itself.

  8. John Moore

    It is ironic that many of the banks who are losing this money lost even more from control fraud/mortgage fraud. By covering the cybertheft problem up, they are doing everyone a disservice and helping the crooks. The obvious choke points are Moneygram and Western Union who are making money aiding and abetting the bad guys. They should be incentivised to not send large cash payments overseas to countries who are havens to these thieves. Such a thing could be done by altering wire transfer laws for instance or proving that they know they are helping criminals but don’t care because they are receiving significant revenues.

    The other ironic part of this story is that computers are actually more secure these days. Windows systems with firewalls are much more secure than they used to be. The weakness there is the browser and browser application client side attacks as well as email based client side attacks. Your article about using a Live CD or Linux/Mac to protect the customers was timely and wise, but depends upon people reading your article and implementing the advice.

    There are probably other ways to minimize the problem, but without acknowledgement that there is a problem and lack of debate due to industry silence and customer ignorance, the problem of small businesses being robbed this way will likely get worse.

  9. TheGeezer

    Thanks for the great article Brian. Glad you’re still online with a great blog!

  10. AlphaCentauri

    Unfortunately, the biggest weakness in the banking system is the customers. Short of making their customers pass a skills test before being given access to online banking, they will always have to deal with people who not only are duped by phishing and give out their banking credentials, but who will actively circumvent any safety features you create to prevent them from doing so.

    1. infosec_pro

      @AlphaCentauri – having worked for a big bank I must disagree. Customers are a big part of the problem but not the biggest, the biggest is that banks pander to them in the interest of profits. Customers want convenience and security, banks sacrifice security for convenience. Customers only circumvent safety features when those features are ill designed and onerous. It is possible to provide both convenience and security, but it comes at a cost and with a lot of effort, and banks will not invest either of those. It’s easier to blame the customers and pass the costs along to them whenever possible.

  11. Matt

    Thank you for going into detail regarding this Brian, more people need to be aware of what is really going on out there. Many thanks!

  12. Rick

    ‘banks are deathly afraid of anything that would cause businesses and/or consumers to lose confidence in online banking’

    LOL Sorry but what confidence is there to lose? That’s funny.

    ‘The banks realize such huge savings from having people bank online that they just can’t afford to go back’

    So they swallow the losses as always. We know this to be true. You can hack a bank and they’ll rarely mention it. A lot of companies work this way with fraud what I can tell – and they’re also afraid other wannabe hackers will understand how easy it is to take money from them. So they just swallow the losses.

    What a weird world.

    ‘Between June and December 2009, I wrote more than two dozen articles for The Washington Post about this type of fraud’

    Yes we know. They were great articles.

    ‘Nearly all lost tens of thousands of dollars, all because of a single virus infection.’

    What a surprise. 😉

    ‘Unfortunately, most continue to disavow any responsibility for the losses.’

    Ditto. 😉

    ‘I will continue to write about this type of crime in 2010, and to dig deeper into the security weaknesses that allow this form of cyber crime to flourish.’

    Yes please do. Bob McMillan’s already been over and praised this site. I think it’s very important as the Internet continues to mature. I really like this site!

    I agree with JR.

    ‘All I can say is keep at it. There aren’t any others that I know of that are working on this type of story.’

  13. bruce

    This ‘enhanced’ message number occurs quite frequently, as I see it all the time.

    Thanks Brian for explaining how it can occur.

  14. Lynda

    I just did a quick bit of googling, and came up with a yahoo rendition of the WSJ article. There are several others, quoting the WSJ, along with a denial of the incident by Citi.

    Also worth noting is a 60 Minutes report, available on the web – episode 11/08/09. While it mostly focuses on vulnerabilities to our infrastructure there is an interview with the FBI re some attacks against banking.

    Ironically, the episode begins with a Viagra add. (Imagine me, rolling my eyes.)

  15. BrianKrebs Post author

    Great to see such a great discussion building on this topcic. I pasted this — sent from a reader via e-mail — in the comments section for another blog post on this site, but thought it probably also belongs here.

    I have read your column for many years and have always found you to be factual and on the cutting edge of cyber crime trends. I worked for an online financial services company for more than a decade. I was in their corporate security investigations group. I was the senior manager of investigations from late 2005 until I left and worked directly with law enforcement on the types of cases you have written about so well.

    My group investigated all fraud activity perpetrated against it and I can tell you we dealt with the Russian or as we told everyone “Eastern European” groups since 2003. They started small by opening accounts with stolen identities and funding via ACH and experimented with stock pump and dump as early as December 2003. Our firm lost less then a million dollars in 2004 to ACH, wire fraud and pump and dump and a couple of million in 2005, but we fully reimbursed customers because of what it could do to our business if it became public. We had compromised customers sign a general release/non-disclosure form to protect our reputation. We also had these customers send us their hard drives or we performed remote diagnostics and as a result were highly familiar with the viruses and how credentials were being stolen. We referred all of these cases to law enforcement and I worked directly with different FBI and Secret Service agents on many of these cases. We also participated in Secret Service Electronic Crime Task force groups around the country during this time frame of 04/05.

    2006 changed the course of history, as my firm lost more money between July and September then we had between 2001-June 2006, when we lost over $10 million. It was a result of pump and dump, as well as wire and ACH fraud. Of course this impacted everyone in the online brokerage business, but we were on the bleeding edge. As you well know, RBN and others learn quickly and they used all of the knowledge and skills they had accumulated over the past several years and they came at us hard and fast. We had founded a working group with NCFTA in Pittsburgh and had quarterly meetings to share all of this information and we also began sharing information directly via email within our working group real time to help combat this activity. It helped to slow it down, but we were never able to stop it.

    The “bad guys” continue to evolve and your articles have well documented how this evolution is continuing. They still hit individual accounts at banks and brokerages, but the bigger targets are now small business and local governments.

    Keep up the good work and hopefully you can bring more attention to this growing problem.

  16. BrianKrebs Post author

    Also, as some of you have already figured out, the comments on this blog are threaded, so feel free to reply to someone else’s comment instead of simply plopping a comment into the “submit comment” box at the bottom of the page.

  17. M Henri Day

    Brian, I hope that your new situation will permit you to be more outspoken than you were able to be when writing for the Washington Post, but at the same time that your articles will continue to be characterised by the careful research they have been known for in the past….


Comments are closed.