In a year marked by record bank failures and Wall Street swindlers walking away with tens of billions of investor dollars, it’s perhaps not surprising that the activities of organized cyber gangs looting at least $100 million from small to mid-sized businesses went largely unheralded.
The mainstream media could be forgiven for focusing on bigger fish. For one thing, this particular strain of fraud has many moving parts and is challenging to explain to broad audiences. Also, raising awareness about fraud is always tough because the issue almost invariably involves U.S. banks and federal law enforcement, two entities that by their very genetic makeup resist discussing anything that is not tightly scripted and on-message: The FBI is hyper-reluctant to discuss or even acknowledge ongoing investigations (particularly those in which the main actors are overseas), and the banks simply don’t want to spook customers in any way.
But law enforcement and the banking industry appear to have been at odds over how and how much to communicate with the public about the seriousness and impact of these crimes. The following anecdotes offer a peek into some of the struggles I experienced last year trying to extract useful and truthful information from both parties.
Friday, Aug. 21, 3:00 p.m. ET: I was wrapping up a story for The Washington Post about a confidential alert drafted by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group representing some of the nation’s largest banks. The document I’d gotten hold of seemed to validate the focus of my reporting for the previous 10 weeks: It said the FBI was tracking a major upswing in incidents involving organized computer thieves who were using malicious software to steal tens and hundreds of thousands of dollars from countless small- to mid-sized businesses throughout the United States.
I had finagled a draft version of the alert, and understood that the final version would be sent sometime later that day, although the distribution list was reportedly limited to a few hundred people — mostly law enforcement and bankers. Problem was, I couldn’t confirm whether the alert had in fact been sent as planned, or whether the final version was changed much from the version I’d obtained.
What’s more, after two days of waiting, I still had no meaningful response from the FBI to my query, which sought to verify the alert’s statement that the FBI believes organized cyber thieves involved in this type of crime were stealing at least a million dollars a week from victims, and that several new victim firms were coming forward each week.
My editor was restless: Without an answer to these questions, the story would hold until next week. The answers didn’t come, and the story held.
When I finally got confirmation the following Monday that the alert had gone out, I also learned that the final version had been significantly watered down. Gone were the monetary damage estimates, including this stark assessment: ‘Total economic impact of these activities, if they continue unabated, is likely to be in the hundreds of millions of dollars.’
Gone was any mention of specific countries to which the stolen tens of millions were flowing (Russia, Ukraine and Moldova). Removed was the part about the quasi-financial institutions responsible for the cross-border flow of stolen cash (Moneygram and Western Union).
Mind you, this was an alert that was not intended for public distribution, but merely to be sent to a small group of banks and law enforcement folks.
So why was the alert watered down? One explanation is fear. Avivah Litan, a fraud analyst with Gartner Inc., said the banks are deathly afraid of anything that would cause businesses and/or consumers to lose confidence in online banking.
“The banks realize such huge savings from having people bank online that they just can’t afford to go back” to a world in which more consumers start doing their banking only at the local branch, she said.
Indeed, another tidbit axed from the original FS-ISAC alert stated the real threat plainly:
“The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system. The continued misappropriation of funds by these cyber criminals using this form of social engineering attack model combined with malware has the potential to impact the confidence of businesses to use various forms of electronic payment initiation services offered by their financial institutions. This could impact the continued growth of various corporate-to-corporate, corporate-to-government, and corporate-to-consumer electronic payment applications.”
October 23: I’d heard from a source whose boss had recently returned from a banking industry conference at which a high-ranking official from the FBI’s cyber division spoke about a spike in these attacks against small businesses. The source’s boss took copious notes, and cited the FBI agent as saying that cyber gangs had stolen an estimated $40 million from small to mid-sized businesses so far in 2009.
I dialed up FBI headquarters in Washington to verify the figure. As the day wore on, I grew increasingly anxious to verify the numbers, and finally received a call at around 3 p.m. that confirmed the $40 million figure “as of August 2009.” My editor wanted to double check that the $40 million was all from 2009, as my source had stated, so that necessitated another call to the FBI and a waiting period afterward.
During that interval, unbeknown to me at the time, the source who’d originally shared the damage estimates with me tried to help out by sending a message to members of the FS-ISAC (the banking industry group whose confidential alert formed the basis of my August story), asking if anyone could help verify the information. The source told me later that several banking industry executives subsequently contacted the FBI, apparently concerned about my impending story on specific monetary losses due to this type of fraud.
At 6:30 p.m. that day, I heard back from the FBI, which informed me that the $40 million in losses actually involved cases going back as far as 2004. I was flabbergasted and indignant: None of my sources could recall a single case of the kind I was writing about going back further than the latter half of 2008.
With the exception of reports from USA Today’s Byron Acohido and IDG News’ Robert McMillan, the rest of the media have largely ignored this story. The Wall Street Journal published a report near the end of the year that included the tale of an attempted million-dollar heist against a Citigroup business customer, but that victim’s experience was buried in and conflated with a strongly-refuted claim that the attack was the result of a computer intrusion at Citigroup.
Between June and December 2009, I wrote more than two dozen articles for The Washington Post about this type of fraud, chronicling the damage done to more than 50 companies across the country. Still, dozens of victim companies I spoke with last year later changed their minds about speaking publicly of the incident, and pleaded with me not to publish their names. I honored those requests because I did not think it was fair to play “blame the victim” if the private company in question was unwilling to have their story act as a warning to others. I honored that promise even though some of their losses dwarfed those of the companies I had mentioned in earlier stories.
This type of crime isn’t going away, and in fact I am now hearing from at least one new victim a week. Nearly all lost tens of thousands of dollars, all because of a single virus infection. In response, some banks are making their business customers whole, and some are even making additional efforts to communicate to their customers the severity of the threat. Unfortunately, most continue to disavow any responsibility for the losses.
I will continue to write about this type of crime in 2010, and to dig deeper into the security weaknesses that allow this form of cyber crime to flourish.