August 3, 2012

New data suggests that cyber attacks aimed at small businesses have doubled over the past six months, a finding that dovetails with my own reporting on companies that are suffering six-figure losses from sophisticated cyber heists.

According to Symantec, attacks against small businesses rose markedly in the first six months of 2012 compared to the latter half of 2011. In its June intelligence report, the security firm found that 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. That figure was 18 percent at the end of Dec. 2011.

“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said Paul Wood, a security intelligence manager at Symantec. “It almost seems attackers are diverting their resources directly from the one group to the other.”

I’m seeing the same uptick, and have been hearing from more small business victims than at any time before — often several times per week.

In the second week of July, for example, I spoke with three different small companies that had just been hit by cyberheists (one of the victims asked not to be named, and the other didn’t want their case publicized). On July 10, crooks who’d broken into the computers of a fuel supplier in southern Georgia attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.

The bank, First National Bank of Coffee County, managed to claw back an unusually large amount — approximately $260,000. The fuel company hired an outside forensics firm to investigate, and found that the trouble started on July 9, when the firm’s controller clicked a link embedded in an image in an email designed to look as though it was sent by the U.S. Postal Service and alerting the recipient about a wayward parcel. The link in the image loaded content from a site hosting the BlackHole exploit kit, which downloaded the ZeuS Trojan to the controller’s PC.

Interestingly, the fuel company and its bank said one of the money mules that the attackers recruited to help launder the stolen funds turned out to be an employee of Wells Fargo from Alabama. Many money mules are simply not the brightest bulbs, and it is usually difficult to prove that they weren’t scammed as well (because more often than not, the mules end up losing money). But one would think people who work for banks should at least be aware of these schemes, and be held to a higher standard. What’s more, if this mule wasn’t complicit then he probably suspected something wasn’t right, because he had the funds sent to an account he controlled at a local credit union in Birmingham — rather than an account at Wells Fargo.

By the way, this is the second time I’ve encountered a money mule working at a major bank. Last year, I tracked down a woman at PNC Bank in Maryland who was hired by a mule recruitment gang and later helped move nearly $4,500 from a victim business in North Carolina to cybercriminals in Ukraine. She claimed she did not understand what she had done until I contacted her.

Another small business hit during the week of July 9 was Hastings, Neb. based Consolidated Concrete, which lost more than $100,000 in a similar cyber robbery. The company learned it was being robbed when one of the money mules contacted them after receiving a large transfer from Consolidated’s accounts.

“We got a heads up from a guy saying that we’d put money into his account,” said Don Phillips, the controller for the concrete company. “He said he knew something was wrong, Googled us and gave us a call.”

The experience of both the fuel company and Consolidated Concrete is fairly typical, unfortunately. Both companies managed their money online at small, local banks whose principal method for securing commercial accounts is to require a username and password. This is in direct violation of the guidelines issued by regulators at the Federal Financial Institutions Examination Council (FFIEC) last year.

That guidance, issued a year ago and effective as of January 2012, calls for “layered security programs, including methods for detecting transaction anomalies, dual transaction authorization through different access devices, and the use of out-of-band verification for transactions.”

What sort of dual transaction authorization was First National Bank of Coffee County using? Would you believe just a username and password? How about Consolidated’s banks? According to Phillips: A cookie placed on the customer’s computer, and a fax or phone call. The cookie protection fails when — as in the case with Consolidated and every other cyber robbery I’ve written about — the attackers have remote control over the victim’s PC; the bad guys can simply tunnel their connection through the victim’s PC.

“The machine itself has to have a cookie on it to be able to proceed, and usually we get a verification — we usually will ask for some sort of verification, either by fax or phone — of any large transfers,” Phillips said. “We usually set up any [payroll batches] on a PC, print it out, and then fax them a sheet that they verify and fax back to us. But I guess that didn’t happen here.”

The message I have been trying to drive home for small business owners is twofold: By all means, shop around if you can and find a bank that offers and advocates additional layers of security. But the best way to avoid a cyberheist is to not have your computer systems infected in the first place. The trouble is, it’s becoming increasingly difficult to tell when a system is or is not infected. That’s why I advocate the use of a Live CD approach for online banking: That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like ZeuS, your online banking session is protected.


38 thoughts on “Uptick in Cyber Attacks on Small Businesses”

  1. Scott S

    Agrees that there has to be a secure separation involved when it comes to money handling, and the idea of using a live CD is probably the best solution at present.
    However, even with this in action, detecting mules in banks will be a greater issue because a mule is a mule is a mule….

  2. Ian Hardie

    You would think it was only small banks – I have been in discussion with a very large multinational as to why their online systems only run on Java 6.3 and do not support the latest versions of Java or browsers.

    They employ two factor in the form of a usb key but then insist on using old insecure versions of Java and browsers.

    If an attacker can have full control via a Java/Browser exploit the two factor becomes much less effective.

    Especially if the user leaves it in their PC permanently!

    Live CD would be best solution at the minute.

  3. Scott S

    Ian, if you were a company with significant money transactions weekly or monthly etc., wouldn’t you have a devoted laptop or desktop that was used solely for money handling with all the appropriate encryption and protection software? I know I would.

    1. John

      Most users only know how to turn their computer on, log into the email, surf the web and check their account balance. They don’t want or care what the risks are to online banking they just want it to work. Also many can’t afford another PC.

  4. Ian Hardie

    Yes for sure, or the Live CD option.

    What concerns me is the fact this bank seems unconcerned or oblivious (take your pick) to the risk of using such old versions.
    Providing dual factor becomes a box ticking exercise for auditors when they insist their customers use vulnerable versions of Java etc.

  5. Scott S

    If you think ahead say 5 years from now and allowing for the growth in cyber crime especially regarding sophistication, maybe the hacker can get better job selling devoted banking devices 🙂 .. ’cause that is where the money will be IMO

  6. Mike

    The dedicated computer if it is running Windows is not realistic. If it is running Windows, somebody will decide oh, it will be OK to find out the sports scores, pick up email, etc.

    The Live CD approach is the safest, as there is nothing saved from session to session.

    I switch to Linux to do my banking, in a dual boot configuration. And banking is all I do there.

  7. Scott S

    I would think that a devoted terminal would be run with a devoted OS. Certainly one designed specifically for the job wouldn’t be that hard to arrange would it?
    imagine: IBANK 1st generation banking terminal , ssl, encrypted etc [chuckle] No browser included nor needed

  8. Sam Sayen

    It would be nice if banks gave the options to do banking just using ssh. Obviously that would be for the more computer literate crowd.

  9. JC

    If your bank is not offering true out of band authentication that includes a verification phone call for the transaction to process…find another bank.

  10. Jonathon

    Questions:
    1. Will the Zeus trojan install and run on a limited user profile (non-admin account)?
    2. Is anyone seeing evidence of malware that runs under limited profiles?

    1. BrianKrebs Post author

      Yes to both questions, Jonathon. Limited user account is a nice idea, but it’s increasingly ineffective as a deterrent to malware.

      It may make the problem of getting rid of the malware easier, but ZeuS will happily infect a limited user account, and this behavior is not all that rare these days.

      1. whats in a name

        Limited user is ineffective because they either have or know someone with higher level rights, or malware is designed to install or run from user level folders. There are also a lot of third party programs or holes in Windows that allow exploits to gain rights they shouldn’t have.

        Live CDs are also flawed in that they are only as secure as the last update they had; if you are using the same Live CD for over a week, there is a chance the bank site or one of its advertisers might have something nasty running with a way to compromise it.

        1. John D

          You raise an interesting point. When we say “Live CD” from a security point of view, we mean “Insert a Live CD into your CD ROM drive, reboot your PC and hit the correct buttons to boot from CD, when it comes up open your browser and do your banking and only your banking, then remove the Live CD and reboot.” But this process is not clear from just saying “Live CD”.

          Everything described here has to be very prescriptive for the end users, because not everybody has the same level of understanding.

          1. BrianKrebs Post author

            John, that link at the end where I suggest using a Live CD takes you to a page that describes what a Live CD is, how to burn one and start up your computer with it.

            1. John D

              Thanks, Brian, I hadn’t followed your link.

              I was commenting because the parent post is discussing weaknesses that are present only if the whole process is not carefully followed – cached JavaScript attacks, etc. (He also points out threats from potential cross site attacks from scripts loaded from a banking site.)

              I was just trying to point out that Live CD is a whole “process” for safely banking that includes more than just “booting from a Live CD sometime last month” , and that when we say “Live CD” we have to be more clear. Perhaps we should say “Use a Live CD process designed for safe banking.”

  11. Nobody

    The feds could insert their own money mules and reimburse the money that way. A fake identity and a bankdrop should be easy to get for them. It wouldn’t stop the problem but would cut the criminal’s profits.

    1. AlphaCentauri

      There are two ways this could help: 1. Since the attacks involve transfers to multiple accounts at multiple banks, often overnight, if even a single mule sounds an alarm, the bank can retrieve the transfers from all the others before the bank branches open up and let the mules in to make their withdrawals. 2. If a large number of responses to the recruitment spams are from undercover investigators rather than real potential mules, the ratio of sting accounts becomes high enough to make it difficult to transfer money to more than a few mules at a time, limiting the total losses.

  12. Mattias

    As a European bank customer I am always flabbergasted when reading about bank scams in the US – the lack of security is remarkable.
    My Swedish bank has been using a security token from day one, back in 1996 when they went online. A simple device that I have replaced three times since 1996 due to batteries running out.
    I guess the convenience of a simple username+password login (as my US friends have at their banks) makes happy customers, but if my bank had that “security” I’d rather take my money elsewhere.

    When I log in I am presented with 8 digits that I enter into my security token (protected by a PIN) and then get 6 digits back that I enter on the web page. Now I am logged in. The first digit here is always 9.
    To make a payment I sign the transaction with a 6 digit code together with the sum of all transactions. The first digit of the code is never 9, to prevent hijacking of login codes. Entering these into the security token I get a 6 digit code back that I enter to authorize the payment.
    There is malware that has successfully stolen money from Swedish bank customers by injecting transactions to accounts, and then the user has failed to see the changed sum of all transactions and authorized the payment… Who’s to blame in that case?
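The challenge-response scheme described in the comment above, modelled as an added example (not code from the commenter or from any bank): login challenges carry a leading 9, the signing challenge binds the total of all transactions, and the last function reproduces the injected-transaction case the comment asks about. The HMAC-SHA256 response function, the seed, the PIN, the account names and the amounts are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; a real token carries a per-customer seed.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
PIN = "1234"

def _response(seed: bytes, typed_digits: str) -> str:
    """6-digit response over exactly the digits typed into the token (HMAC-SHA256
    truncated to decimal is an assumption; the comment does not say what the device computes)."""
    mac = hmac.new(seed, typed_digits.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

def token_respond(pin: str, typed_digits: str) -> str:
    """PIN-protected handheld token: digits in, 6 digits out."""
    if pin != PIN:
        raise PermissionError("wrong PIN")
    return _response(SEED, typed_digits)

class Bank:
    def __init__(self, seed: bytes):
        self._seed = seed
        self._pending = {}  # challenge -> ("login", None) or ("sign", total)

    def login_challenge(self) -> str:
        # 8 digits, first digit always 9, so the user can see it is a login challenge.
        c = "9" + f"{secrets.randbelow(10**7):07d}"
        self._pending[c] = ("login", None)
        return c

    def signing_challenge(self, transactions) -> tuple:
        # 6-digit code, first digit never 9, shown with the sum of all transactions;
        # the user types code + sum into the token, binding the amount to the response.
        code = f"{secrets.randbelow(900_000):06d}"  # 000000..899999
        total = sum(amount for _, amount in transactions)
        self._pending[code] = ("sign", total)
        return code, total

    def verify_login(self, challenge: str, response: str) -> bool:
        if self._pending.pop(challenge, (None,))[0] != "login":
            return False
        return hmac.compare_digest(_response(self._seed, challenge), response)

    def verify_payment(self, code: str, transactions, response: str) -> bool:
        purpose, total = self._pending.pop(code, (None, None))
        if purpose != "sign" or sum(a for _, a in transactions) != total:
            return False
        return hmac.compare_digest(_response(self._seed, code + str(total)), response)

def is_login_challenge(challenge: str) -> bool:
    """User-side check the scheme relies on: only login challenges start with 9."""
    return len(challenge) == 8 and challenge[0] == "9"

def honest_payment(bank: Bank, transactions) -> bool:
    c = bank.login_challenge()
    if not is_login_challenge(c) or not bank.verify_login(c, token_respond(PIN, c)):
        return False
    code, total = bank.signing_challenge(transactions)
    return bank.verify_payment(code, transactions, token_respond(PIN, code + str(total)))

def hijacked_login_code(bank: Bank, transactions) -> bool:
    """A captured login response replayed as a payment authorization is rejected:
    it was computed over a 9xxxxxxx login challenge, never over code + sum."""
    c = bank.login_challenge()
    captured = token_respond(PIN, c)
    code, _ = bank.signing_challenge(transactions)
    return bank.verify_payment(code, transactions, captured)

def injected_transaction(bank: Bank, intended, user_checks_sum: bool) -> bool:
    """Malware on the PC adds a transfer to a mule account before signing; the bank shows
    the inflated total, and only a user who compares it with the intended total refuses."""
    shown = intended + [("mule account (constructed)", 8500)]
    code, total = bank.signing_challenge(shown)
    if user_checks_sum and total != sum(a for _, a in intended):
        return False  # user declines to sign a sum that is not theirs
    return bank.verify_payment(code, shown, token_respond(PIN, code + str(total)))
```

The sum binding only protects a customer who actually compares the displayed total with the payments they meant to make; a signature over the wrong total is still a valid signature.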

  13. Niclo

    I think what everyone is overlooking is the fact that many small businesses don’t feel they should be bothered with security protocols and rules in order to secure themselves, and they expect that things should be quick and easy. When the users find it’s not quick and easy they do shortcuts or use simplistic credentials to make it faster and easier for them. Compound this with them habitually abusing the CSRs at the bank when they do have to give a phone/fax confirmation and you now have CSRs who know the best way to deal with that problem client is to just let them have their way. So I’m sure the bank may play a part in the failure, but the true failure comes down to the small business, and more importantly the prima donnas in management that run the company’s operations.

  14. Matt Veksler

    I had to consider very similar scenarios when deploying notebooks to users (privileged remote access via potentially hostile networks), and settled on HP 6360t mobile thin clients. The learning curve for users was next to zero due to the familiar Windows interface, and the benefits are similar to that of a live CD. I think they would be very suitable for performing functions such as secure banking, due to the much tighter limitations of the Windows OS and limited user account (no Explorer windows, no right-click, no local admin account, etc). Access can be further tightened by disabling upstream DNS and just adding allowed domains to the hosts file. The downside, of course, is the proprietary hardware and OS, and resulting cost (~$700).

    1. Terry Ritter

      @Matt Veksler: “settled on HP 6360t mobile thin clients. The learning curve for users was next to zero due to the familiar Windows interface, and the benefits are similar to that of a live CD.”

      The typical Live DVD (or DVD-load or DVD-boot) system has two widely-misunderstood advantages against malware:

      1. Most DVD-boot systems use Linux. Linux is a big advantage, not because we are dedicated Linux fanbois or even Microsoft haters, but because over 99 percent of all malware is targeted at Microsoft Windows (see: http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/310770/99.4-percent-of-malware-is-aimed-at-windows-users ). So, 99 times out of 100, if malware gets in, Linux will not run it, which is much better than any antivirus. Simply using Linux instead of Windows stops the vast majority of malware.

      2. Most Live DVDs do not require a hard drive or other local persistent storage which malware can infect. It is easy to imagine that when malware runs, that is a defeat and the end of the problem, yet it is the stored *infection* which runs on every subsequent session. Sometimes malware is just waiting for a banking session to occur, and is otherwise almost undetectable. Tools simply do not exist which guarantee to detect infection on a normal PC, so the probability of infection in local persistent storage only increases over time.

      Apparently the HP 6360t uses Microsoft Windows with an internal flash-based “hard drive,” which may mean that neither of the major anti-malware benefits of a “Live CD” is present.

  15. Jerrold Peterson

    Odd Question. Using my IE9 I receive the following Security Alert when opening your site:

    “The name on the security certificate is invalid or does not match the name of the site”

    Am I missing something here?

    Thanks

    1. JCitizen

      I’m surprised this page is under SSL at all! Wonder what is going on?

      Mine says the certificate is fine as far as domain verification.

      Must be using this to verify who is coming to the site? Perhaps! ]:)

  16. AbdulNahas

    What are the chances of these attacks happening on tablets or smartphones, the majority being iOS and Android? Moreover, tablets are becoming cheaper than a PC.

    1. Richard Steven Hack

      Right now, the odds are PCs are more actively exploited. That will change. Tablets and smartphones ARE computers. They are subject to the same vulnerabilities most computers are.

      And certainly the end users will be subject to the same vulnerabilities all humans are.

      1. anybody

        I would say there is at least one more exploit that phones and tablets are susceptible to. They are mobile devices. They are more easily removed from the premises than a desktop.

        They promote short, simple passwords, because who wants to type a 10 character password with punctuation, lowercase, uppercase, and numbers all included on a touch screen? That is at least 16 key-presses.

  17. Richard Steven Hack

    What’s important about the uptick in small business cybercrime is that it confirms what I’ve been saying for a while.

    The fact is that cybercrime is different from physical crime in one major way: it can become ubiquitous in a way that physical crime simply cannot. This is because cybercrime differs from physical crime in numerous ways: it has less risk, higher reward, can be scaled to a much greater level than physical crime, is generally conducted by people with at least slightly higher intelligence than physical thugs, etc.

    What this means is that sooner or later ALL businesses will be significantly affected by cybercrime. It’s not like “disaster recovery” – a fire is a relatively rare event. It’s not like “theft insurance” – a theft is a relatively rare event. Malware on the other hand is everywhere. Actual targeted attacks are on the upswing as well, although they will never be as ubiquitous as malware in general.

    As someone in infosec said once, “There are two kinds of companies associated with APT. Those that have been compromised and those that don’t know they’ve been compromised.”

    If that isn’t true now – and we don’t know that it isn’t – it will be true within a few more years.

    Bottom line: computer security is going to get WAY worse before it gets better – if it ever gets better. Everyone in business and most end users are going to have to come to terms with this and expend the effort to up their security as much as possible – or pay the cost sooner or later. The latter is not a question of “if” – it’s a question of “when”.

    1. Terry Ritter

      @Richard Steven Hack: “Bottom line: computer security is going to get WAY worse before it gets better – if it ever gets better.”

      Thank you for that apocalyptic vision! Surely there must be an alternative.

      The original security-free design of the Internet and Web has us locked into an insecure system. We cannot expect to prevent all malware from entering the PC or attempting to run, because it is simply impossible to find and fix every web-facing vulnerability. There will always be attacks which make it through defenses and attempt to run, and some will succeed. But even that does not have to mean total defeat.

      We can operate securely *without* stopping all malware, provided we prevent *infection*. That allows us to greatly reduce malware running time, and also control the period of risk: If a reboot will clear any malware, and we reboot before banking, there is very little time to encounter malware. While there can be no absolute security, there can be a big improvement.

      For improved security right now, we can use a Live DVD, which may not be particularly convenient, but it works. If Intel, AMD and Microsoft would get off their collective butts, we could be similarly secure in a mostly-normal user environment. Unfortunately, the new Windows 8 UEFI system may not help overall security, and it may take a couple of years to demonstrate that. We should charge for the delay.

      One might hope that government would create security requirements for computer manufacturers as they did for car manufacturers and safety, but nobody seems particularly interested in that either.

      1. Richard Steven Hack

        “Surely there must be an alternative. ”

        Nope.

        As an aside, I’m not just talking about malware issues here, I’m referring to everything. But it’s also true in malware. No matter what you do, you’re facing an intelligent opponent with lots of resources (time and patience and detailed knowledge) on his side as well as the attacker’s advantage.

        You’re not going to win that game… The best you can do is hope to detect and respond before major damage is done.

        Sure we can encrypt and digitally sign EVERYTHING on a box. We can whitelist until NOTHING runs but precisely the few things we want to run. And eventually we will do this precisely because of what I said – things are going to get much worse before they get better – if they ever get better.

        But someone will still find a way to run malware on a box. The only thing we can hope for is that it will be the equivalent of “phishing” instead of mass infection, i.e., only a few people get hit with it instead of the situation now where just about every Windows machine has an average of 27 malware on it…

  18. John Gordon

    I convinced several IT clients of mine to use LiveCD for their commercial online banking because of scary stories at this site, which I sometimes send to my clients’ owners, accounting depts and office managers.

    The only problem so far is one accounting dept uses a check depositing scanner that needs Windows drivers, IE-ActiveX and Java — drats.

    I set up a new accounting Win7 laptop with ESET, no Flash, no Reader, wifi disabled (Ethernet cable only), OpenDNS’s servers for DNS, no Java until I had to install it for the check scanning machine, no bookmarks except the check deposit banking site, NO EMAIL, NO BROWSING, the Firewall turned on as Public with no file sharing, plus labels stating all this above the keyboard and giant red letters stating this on the desktop background image.

    They boot into LiveCD for online banking transfers and only use Windows for the check scan deposits.

    I tutored them with numerous scare stories from this site (THANKS KREBS for your community service postings for small businesses). I re–re-reinforce the best practice of never clicking an attachment if you even have the slightest doubt or confusion about it. With Krebs horror stories, I’ve really scared them, thank goodness.

    No other PCs in their offices have Java except for two needing it for some Java-crafted investor-monitoring website. Bummer.

    ——

    A local PC store I work with and trust told me a customer of theirs came in about 6 weeks ago with 3 PCs to have them all erased because the customer’s bank told him to do so.

    The store owner also knows an import/export businessman who paid $1million for a shipment from China to the U.S. ($500k up front then $500k upon arrival); the China-side got hacked and sent an email from the exporter’s email acct to the U.S. import side telling the U.S. side to use another bank account # for the second $500k. He did, but squirmed and called the China-side later and discovered the fraud. I don’t know if he recovered the money.

    It’s a jungle out there. It’s beyond my comprehension that any organization would use Windows instead of Linux or UNIX for anything super important (e.g., computers controlling and monitoring accelerators and reactors — crazy!). Also, plug/lock the USB ports or don’t have them revealed at all.

    So far, my small business clients have only bought into Linux on LiveCD and iPads (UNIX), plus a smattering of Macs (with Java off or not installed).

    1. JCitizen

      I know what you mean John; I have to have java for my UTM gateway. It is rather ironic, that I have to let myself remain exposed to java exploits, just because my stupid gateway company insists on using it. At least Secunia PSI helps me keep it updated.

      1. JCitizen

        Thanks Uzzi;

        So far I have an Emisoft product monitoring my java. So far it has hammered anything headed my way!
