An insurance firm in Michigan lost nearly $150,000 this month as a result of a single computer virus infection.
Port Austin, Mich.-based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by the firm’s controller was behaving oddly and would not respond. The company’s computer technician scoured the system with multiple security tools, and found it had been invaded by “ZeuS,” a highly sophisticated banking Trojan that steals passwords and allows criminals to control infected hosts remotely.
The following Monday, Feb. 8, United Shortline received a call from the Tinker Federal Credit Union at Tinker Air Force Base in Oklahoma, inquiring about a suspicious funds transfer one of its customers had received for slightly less than $10,000.
After that call, United Shortline President Louis M. Schillinger said the firm found 14 other such unauthorized transfers had been made from the company’s account to individuals across the United States who had no prior business with Shortline.
“I said, ‘Oh my God, someone’s just taken all of the money out of our trust account,’” Schillinger said. The hackers moved money from the company’s trust account over to its operating account, and then made the illicit transfers from there.
Schillinger said the bank’s commercial banking platform requires users to enter a user name and password. The bank’s site occasionally asks users to “register” their computers if, for example, the customer is accessing his or her account from an unfamiliar PC. A customer might also receive such a prompt if his or her Internet address had changed. The registration process involves the customer providing the correct answers to a series of “challenge questions.”
In any case, the crooks evidently had no problems correctly answering the secret questions when challenged with them, Schillinger said.
“The bank said whoever logged in to make these transfers successfully answered those questions,” he said. “They had some very detailed information. [The thieves] knew our patterns, they knew our passwords, my mother’s middle name, favorite sports team. And this is all information I don’t even have written down anywhere.”
Schillinger said his firm has been able to work with its bank, Bay Port State Bank, to recover a little more than half of the money so far. Still, he said, both his company and the bank are still in shock.
“Both my bank and us are looking at each other, asking what could we have done differently to prevent it?”
Bay Port State Bank President Ed Eichler said the bank moved quickly to stop and reverse the transactions as soon as it got the call from United. But Eichler said the bank will be reviewing its processes to figure out how to spot this type of activity more quickly in the future.
“We haven’t had this happen before,” Eichler said. “Before it was a story problem, and now it’s a real life problem. You can do all the training on this you want to, but most of that doesn’t matter until this goes to something that’s actually happened to you that you can put your hands on.”
Eichler said he contacted some colleagues at a much larger bank, and was told that recovering 50 percent of the victim customer’s funds was actually pretty good.
“The big banks told us to go to bed and get over it,” Eichler said. “They told us, ‘We write off more than that every day.’ But we’re not really interested in having this happen to another one of our customers.”
Businesses do not enjoy the same protections afforded to consumers hit by cyber fraud. With credit cards, consumer liability is generally capped at $50. Consumers who report suspicious or unauthorized transactions on their ATM or debit card, or against their online banking account, within two days of receiving the bank statement that reflects the fraud also are limited to $50 in losses. But waiting longer than that can cost consumers up to $500 (the liability is unlimited if a consumer waits more than 60 days to report the fraud).
Businesses have no such protection from fraudulent transfers. Generally speaking, banks will work with commercial customers to try and reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following unauthorized activity. What’s more, banks are under no obligation to reimburse commercial customers victimized by cyber fraud.
Unless and until regulators begin insisting that commercial banks assume more responsibility for monitoring customer transactions for anomalies that may indicate fraud, businesses would be wise to take basic precautions when banking online.
As I’ve advised previously, companies can insulate themselves from these attacks by simply using a dedicated machine for online banking. This may take the form of an inexpensive Windows netbook or laptop, for example, that is locked down, and used only for accessing the bank’s Web (and not for e-mail, casual browsing, etc). Alternatively, since 99.9 percent of all malware simply fails to load on non-Microsoft computers, using something other than Windows for online banking — such as a Mac or a Live CD solution — also is a very sound approach.
For more stories about how organized cyber gangs are stealing millions a week from small to mid-sized organizations, check out the Target: Small Businesses category. I also link to dozens of similar stories I wrote for The Washington Post in Story-Driven Resume: My Best Work 2005-2009.
Brian,
I think you’re about the only one that cares about the little guy. Like you said, the bigger banks just deal with it and move on; they can afford that stance. A dedicated PC is a good idea, but if it’s a Windows machine and connected to the company network (a must on my network to see the Internet) then it is subject to network-aware bugs. Of course a dedicated Mac would be the smartest alternative, but it’s only a matter of time before that platform becomes susceptible as well, and it can be vulnerable to other vectors of attack.
I’m not sure of the cure, but solutions for the problem start with analysis, and that starts with making people aware that the problem is serious enough to galvanize banks and/or customers/third party vendors to find the solutions.
There must have been a keylogger or an inside accomplice on this one, either on the SMB side or the bank’s side.
In a recent pen test activity that I’m familiar with, several key internal managers for an organization, including accounting and HR, submitted credentials to a phishing site and/or opened malware-infected attachments. These folks had been trained and were intimately familiar with the issues but were victims nonetheless. It goes to show that awareness is not the issue. At some point, you have to put in real controls.
My recommendations to companies that I work with have been:
1) Dedicated machine. Windows-based is usually what will work best because it doesn’t require any additional training. Mac is great, but everyone always complains about something not working like Excel macros (which accounting folks may use to a great extent).
2) Dedicated network segment. Whenever possible, I suggest that companies (I usually work with small-to-medium sized companies) purchase firewalls that allow for at least this level of segmentation. It’s really the best way to segment the Internet traffic.
3) White-list web browsing. Restrict all web-browsing on the machine to only those sites needed to conduct accounting transactions. Further, restrict access to those sites from all other computers on the network.
4) Constrained email. Set up an email client that only has access to one email box, and make that box a generic-named account (i.e. bankingtxn@domainname.com). Set up all financial accounts to send email to that account as the primary.
These steps don’t handle all of the problems, but they do provide a lot of additional protection and they make folks much more aware of the related issues. A big problem is when an organization has more than one person responsible for handling financial transactions. For that, we’ve been exploring the use of hardened virtual desktops or having a “group public” system that is available to everyone responsible. But this gets a bit more complex to manage.
@Michael
“everyone always complains about something not working like Excel macros”
Just curious what program they were using for their spreadsheets. I’ve never had trouble using Excel macros on a mac but I was using Microsoft Excel which incidentally was one of the original ‘killer’ apps on the original mac. Were they using Apple’s Numbers? That may have been the problem.
Office for Mac 2007 killed macro support. For accounting folks in an organization, that pretty much killed the Mac as a potential system option.
That would have killed it for me too. Can’t imagine using excel without macros. Haven’t used it since 2007.
If it’s a dedicated computer, why is it running Excel? It should only be running applications required to interact with the bank’s commercial banking platform (i.e. web browser or application provided by the bank).
You don’t have to go completely insane.
Good border protection is a must. eSoft product if possible, or Untangle at least.
Common AV that is managed by someone that knows what they are doing. Kaspersky with Admin Kit. AVG with SMB edition and management console. Avast with its client manager. Etc.
Now, in the brick and mortar world, if someone saw a gang breaking into Shortline at say 3 AM and called 911 the robbery would most likely have been stopped and the criminals apprehended.
In the digital world, the equivalent of a 911 call would be emailing the registrar of the domain used to install the Zeus trojan and having the domain shut down. However, emailing the registrar would get a response equivalent to a 911 call getting a recorded message: “Sorry, our office is closed. Please call back during normal business hours.”
And this is just what happened this weekend. After being notified that they had registered multiple domains used to install a trojan and being given references to reports on the fraudulent domains on Friday, the Korean registrar kept the domains active all weekend. Didn’t take them down until Monday. And these domains install the same type of trojan that infected Shortline.
They are back up today under different names as I write this, again, registered with the Korean registrar. This active exploit installs the same trojan as was used for this fraud by pretending to be the IRS and asking you to download your tax statement for review.
Maybe Shortline and Bay Port should see about recovering their funds from the Korean registrar. They are just as guilty as Zeus.
Are American registrars any more responsive? No great love here for S.Korea. Remember when FIFA had to block their entire nation during the 2006 World Cup. But mentioning ‘Korean’ twice seems a bit gratuitous.
I mentioned Korea twice because they were the only registrar involved for the entire weekend supporting domains used to install the same trojan referred to in Brian’s article. They were also the only registrar involved in my “as I write this” comment. In fact they were involved four separate times in less than a week.
If you know of any other ccTLD or gTLD with domains used to install the Zeus trojan during those times, please tell us what they were. I saw none. The UK was used very briefly but the domains were taken down immediately.
My apologies: three times. I didn’t question the details–a Korean registrar. But no Korean malware writers or registrars have been mentioned in any of the iterations of this scam before this one. Three times is emphasis. Why emphasize Korea?
Thanks for continuing to log these stories.
Banks have to accept that they are going to be doing business with malware infected customers and act accordingly. Given the revenue these business customers generate (fees and interest income via loans) it is discouraging that a more proactive approach is not forthcoming.
I am still not convinced that the business banking and cash management product managers at banks, the people responsible for the bank’s online offering, are aware of the issue or its seriousness. They should be leading the charge for change inside their respective organizations. An “awareness survey” of bank staff would be interesting.
Dedicated PCs or LiveCDs are good ideas, but how about not doing Internet banking at all? Is it unfeasible for businesses to only do physical banking? The company I work for does (because I won’t let them do it online). I don’t do online banking for my personal banking either.
– SR
KeyScrambler claims to mask keystrokes from all trojans (beyond my capability to assess) and free for personal use. Free version masks keystrokes only in IE and Firefox, not for other programs. Available as Firefox extension or from their website. Appears to be honest freeware, didn’t ask me for personal info when I downloaded from their website. Can’t beat a live CD but it’s better than nothing. What deters me from trying Linux is I think I’ll have to replace my existing software modem with a hardware one and just for banking? I don’t know.
Actually, you can use software modems. Ubuntu’s Karmic Koala recognized mine. When I started up, it asked me if I would like to download the drivers for it.
If banks assume no responsibility for cyber crime against commercial customers, then they have little motivation to help solve the problem. It’s their security system that puts the customers at risk, so I find it ridiculous that they are not forced to cover the loss.
That kind of security does not cut it. You cannot use username/password authentication to authorize cash transfers etc.
I have not heard of UID/PWD authentication to banks here in Sweden for at least ten years (if ever). All banks use soft or hard certificates, one-time passwords or RSA-type devices with keypads. I have a hard time believing that UID/PWDs are used in 2010 to transfer money!!!
Two ways to solve this:
1. Customers should switch banks to those that have decent security. (probably will not happen in any scale that matters)
2. Banks should be liable. If they have silly security systems that can easily be bypassed, of course they should pay.
Even with RSA-type tokens, there are still Man-In-The-Middle attacks and Man-In-The-Browser attacks. The weakest point here is the customer. They don’t know anything about security and it is the easiest way for the scammers to steal their money!
Our bank solved these kinds of Internet threats 10 years ago with AOS (www.ahnlab.com). This can be implemented by the bank and it secures the entire session from the client to the server. AOS is a unique product and delivers protection on the client level, the weakest link in the security when e-banking. More than 30 million users are working with it, daily!
Loves it!
My credit union uses a different way of entering secondary passwords. It displays a little keyboard on the screen where the keys appear in a random order each time, and you have to click on the little keys. This prevents keyloggers from intercepting the passwords. In theory, given enough effort, the bad guys could figure out what the user is clicking on, but at this time they don’t have a reason to bother with it.
The live-CD approach seems safest to me. If you wanted, you could add a home router/firewall and only use the live-CD machine behind this firewall.
Jack,
The technique being used by the credit union can only be effective against conventional keyloggers that log keys as they come out of keyboard buffers. Modern malware with hijacked browsers picks these values from web forms, so it doesn’t matter if these values are coming from a soft random keyboard or from the conventional hard one.
User training is the key. Technology cannot and will not ever solve every problem if the person ‘driving it’ is not trained and disciplined to do their job. All this talk about picking one platform over the other is an irresponsible attempt to put the blame on computers.
I completely agree. As an analogy, despite all the mandated safety features in modern automobiles, the driver training courses, and laws to obtain a drivers license, a driver can still cause a serious crash and potential loss of life. The human element is always the weakest link. Or as I like to refer to it, “Stupid is as stupid does”. Regardless, we should never replace the human part with machines, for that will be our ultimate undoing.
People who are aware of Zeus’s inner workings wouldn’t be surprised.
From article:
“The bank said whoever logged in to make these transfers successfully answered those questions,” he said. “They had some very detailed information. [The thieves] knew our patterns, they knew our passwords, my mother’s middle name, favorite sports team. And this is all information I don’t even have written down anywhere.”
Zeus uses MITB (Man in the Browser) techniques to bypass multi-factor authentication. I can imagine this incident like this:
After getting infected with Zeus, the victim would have tried to access his banking account. He would be a little surprised that the banking login screen is asking him for all the security questions along with username and password, like mother’s maiden name etc. Although he would know that these questions are only asked if the account is being accessed from an unknown machine, in this confusion he would have given answers to all the security questions. He had no idea that the actual banking server never asked for these extra questions. It’s Zeus that modified the HTML contents coming from the server and injected its own HTML fields before the browser displayed it, fooling the user into entering additional information. With all the information in hand, it’s not a surprise that the attackers were able to access the banking account from another location without any problem.
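The injection described above leaves a footprint the bank’s server can see: a login POST carrying fields the server never rendered for that session. The added example below is not code from the article, the bank or any vendor; the field names, session handling and sample POSTs are constructed to show the check.

```python
# Added example (not code from the article, the bank or any vendor):
# server-side detection of login-form fields the server never rendered,
# the footprint a Zeus-style man-in-the-browser injection leaves when it
# adds challenge questions to a login page. All names are constructed.
from dataclasses import dataclass

LOGIN_FIELDS = {"username", "password", "csrf_token"}
# Challenge questions are only rendered when the bank asks the customer to
# "register" an unfamiliar computer; otherwise they are not on the page.
CHALLENGE_FIELDS = {"q_mother_middle_name", "q_favorite_team"}


@dataclass
class LoginPage:
    session_id: str
    rendered_fields: frozenset   # exactly what the server emitted
    challenge_issued: bool


def render_login(session_id, unfamiliar_device):
    """Server decides per session whether challenge questions are shown."""
    fields = set(LOGIN_FIELDS)
    if unfamiliar_device:
        fields |= CHALLENGE_FIELDS
    return LoginPage(session_id, frozenset(fields), unfamiliar_device)


def inspect_post(page, posted):
    """Classify a POST against the form the server actually rendered.

    Returns (verdict, sorted list of offending field names).
    """
    submitted = set(posted)
    unexpected = submitted - page.rendered_fields
    missing = page.rendered_fields - submitted
    # Challenge answers arriving when no challenge was issued is the
    # specific signature of the injection described in the thread:
    # something on the client added those questions, not the bank.
    if unexpected & CHALLENGE_FIELDS and not page.challenge_issued:
        return "mitb_suspected", sorted(unexpected)
    if unexpected:
        return "tampered_form", sorted(unexpected)
    if missing:
        return "incomplete", sorted(missing)
    return "ok", []


# Constructed sample traffic for a session on a known device: the server
# rendered only username/password/csrf_token, no challenge questions.
PAGE = render_login("sess-1", unfamiliar_device=False)
CLEAN_POST = {"username": "controller", "password": "pw-constructed",
              "csrf_token": "t1"}
INJECTED_POST = dict(CLEAN_POST, q_mother_middle_name="<answer>",
                     q_favorite_team="<answer>")

if __name__ == "__main__":
    for label, post in (("clean", CLEAN_POST), ("injected", INJECTED_POST)):
        print(label, inspect_post(PAGE, post))
```

This is one detection signal, not a guarantee: malware that ships the harvested answers to its own drop point and strips the injected fields before the form reaches the bank leaves no such trace, so the check belongs alongside transaction anomaly monitoring rather than in place of it.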
Good info Atif!
Referring to Brian’s story about using security questions in order to access the online bank: I have seen such security questions with answers that are pretty common knowledge to the folks who work there.
My best advice: use something out of the ordinary, maybe related to the company and not related to the person, because it is potentially possible for someone to use that information to do it elsewhere.
One thing to note is the source of the regulations that require the use of strong-auth technologies in the first place.
For those that want to see the actual compliance standards that banks are required to use, see the FFIEC document entitled “Authentication in an Internet Banking Environment”.
What’s very (horrifying|amusing) to see is how the concept of “multi-factor authentication” has been mangled by the industry. Many vendors I know of consider a challenge questions+password system to be multi-factor, and market their enhanced-security login products accordingly as “MFA” products. This bastardized definition has even snuck its way into the OFX v2 standard. (Shame on Intuit & Microsoft – they should know better.)
What’s even more interesting/depressing is to compare this snippet from the FFIEC’s document regarding the need to continually review security for high-risk transactions with real-life industry practice, “[the guidelines] require that an institution’s information security program be monitored, evaluated, and adjusted as appropriate in the light of changes in technology, the sensitivity of customer information, internal and external threats to information …”
I know there are banking geeks on this blog: Anyone out there getting any response from their vendors on this issue? I know our “MFA” solution is essentially a dead product with little ongoing maintenance, let alone a chance of a rewrite to better protect against Zeus et al.
One thing is certain, no one is afraid of getting caught.
http://fprison.wordpress.com/2009/11/09/federal-prison-camp
It’s a 24/7 party on the tax payers dollar.
In Spain, I work with a bank called “la Caixa”. You have a username/password plus a second password. Every time you make a transaction that is not just a query, it asks for the second password.
How does the second password work? There are two ways:
– a card with 40 four-digit numbers, it asks for one of them
– a numeric random password you get at your phone
There is a virtual keyboard on-screen that is different every time, and you have to use your mouse to point-and-click over the virtual keyboard to enter that number.
It is not annoying at all, asking for that second PIN every time.
Good luck getting people behind this one. Though you make some VERY fascinating points, you are going to have to do more than bring up a few things that may be different than what we’ve already heard. What are you trying to say here? What do you want us to think? It seems like you can’t really get behind a unique thought. Anyway, that’s just my opinion.