eBanking Victim? Take a Number.

March 16, 2010

Over the past nine months, I have spent a substantial amount of time investigating and detailing the plight of dozens of small businesses that have had their bank accounts cleaned out by organized criminals. One of the most frequent questions I get from readers and from my journalist peers is, “How many of these stories are you going to tell?”

The answer is simple: As many as I can verify. The reason is just as plain: I’m finding that most small business owners have no clue about the threats they face or the liability they assume when banking online, even as the frequency and sophistication of attacks appears to be increasing.

I am now hearing from multiple companies each week that have suffered tens of thousands or hundreds of thousands of dollar losses from a single virus infection (last week I spoke with people from four different companies that had been victimized over the past two months alone). In each of these dramas, the plot line is roughly the same: Attackers planted malicious software on the victim’s PC to steal the company’s online banking credentials, and then used those credentials to siphon massive amounts of money from the targeted accounts. The twists to the stories come in how the crooks evade security technologies, how the banks react, and whether the customers are left holding the (empty) bag.

In most cases I’ve followed, the banks will do what they can to reverse the fraudulent transactions. But beyond that, the bank’s liability generally ends, because — unlike consumers — businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them.

Earlier this month, I spoke with the CEO of Eskola LLC, a Treadway, Tenn. roofing firm that had $130,000 stolen from its online bank accounts in a series of five unauthorized wire transfers in late January. The bank was able to reverse most of those transfers, but Eskola was unable to recover more than $30,000 of the stolen money.

“It really took our bank by surprise and triggered a whole series of internal reviews, because they told me they’ve been hit several other times since then,” Jon Eskola said. “They said so far this year, it’s been the number one thing that’s come across their plate, and that this type of crime had increased 500 to 600 percent over a year ago.”

Continue reading

Stopgap IE Fix, Safari Update Available

March 15, 2010

Microsoft has issued a stopgap fix to shore up a critical security hole in older versions of its Internet Explorer browser. Meanwhile, exploit code showing would-be attackers how to use the flaw to break into vulnerable systems is being circulated online.

Microsoft warned last week that it was aware of public reports that criminal hackers were using the vulnerability — present in IE 6 and IE 7 — in limited attacks. A few days later, a security researcher put together a working exploit for the flaw, based on a snippet of code he said he found referenced on a McAfee blog post (McAfee says it will be closely reviewing future blog posts to make sure they don’t inadvertently help the bad guys).

Continue reading

Advertisement

FBI: Online Fraud Costs Skyrocketed in 2009

March 13, 2010

Source: ic3.gov

Reported losses from online fraud more than doubled last year, from $265 million in 2008 to nearly $560 million in 2009, according to figures released Friday by the FBI.

The figures come from complaints referred to the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. Last year, the IC3 received some 336,655 complaints, a 22.3 percent increase from the year prior.

Ironically, among the largest sources of complaints (16.6 percent) were e-mail scams that fraudulently used the FBI’s name to gain information from the recipient. Of the top five categories reported to law enforcement during 2009, non-delivered merchandise and/or payment fraud ranked nearly 20 percent; identity theft 14 percent; credit card and auction fraud, just over 10 percent each. The median dollar loss was $575, while the highest median losses were associated with investment fraud ($3,200), overpayment fraud ($2,500) and advanced-fee fraud ($1,500).

The full report is available from this link at ic3.gov (.pdf).

Crooks Crank Up Volume of E-Banking Attacks

March 11, 2010

Computer crooks stole more than $200,000 from an auto body shop in Ohio last month in a brazen online robbery. The attack is yet another example of how thieves are using malicious software to bypass bank security technologies that are often touted as strong deterrents to this type of fraud.

The latest victim is Clarke Collision Center, an auto body shop in Hudson, Ohio. According to Craig Kintz, owner of Kintz Tech, a local security consulting company that responded to the incident, on Feb. 23 an employee of the victim firm noticed something strange when she went to log in to the company’s online bank accounts: The site said the bank’s system was down for maintenance.

Clark Collision’s bank, Cincinnati-based Fifth Third Bank, requires business customers to enter their user name and password, and a one-time passcode generated by a battery-operated key fob that is synched up to the bank’s back end servers. This approach — what banking regulators call “multi-factor authentication” — involves asking the user to provide something they know (a user name and password) in addition to something they have (a code generated by a security token).

But Kintz said that when the body shop employee visited the bank’s site and entered her user name, password and the output from the security token, she was directed to a page that said the bank’s site was temporarily unavailable. The page she was sent to even included a 1-800 number supposedly for the bank’s customer service line.

Kintz said the woman called that number, but quickly found that it was not in service. When the employee looked up the real customer service number for the bank and called to complain about the suspicious activity, she learned that there had just been a large number of wires and money transfers out of the company’s accounts to individuals in the United States and overseas, Kintz said.

“She reported it to the bank at 9 o’clock that morning,” Kintz told Krebs on Security. “By 11:30 a.m. the bank had frozen all of the company’s accounts, but by that time those accounts had all been emptied.”

Continue reading

Secret Obsession: Odd Windows Crash Alerts

March 11, 2010

Microsoft Windows isn’t restricted to just laptops and tower PCs: It is also common for Windows to serve as the dominant operating system these days inside of ATMs, cars, vending machines, kiosks, taxi meters, medical imaging devices, advertising display boards and so many of the computerized screens that we gaze upon and take for granted every day.

That is, until they stop working. Indeed, often the first indication that these things are run by Windows is when something causes them to crash, at which point the all-too-familiar Windows error messages or dreaded Blue Screen of Death (BSoD) splashes up on the device’s display. True, malicious software can cause BSoDs, which is the operating system’s way of shutting down to prevent irreparable damage to the underlying system. Just as often, however, a BSoD or critical stop error is the result of some kind of hardware malfunction, such as faulty memory, a failing power supply, or overheating.

It seems I’ve been seeing these BSoDs and “fatal error” type messages in the oddest places lately. Below is a gallery of just a few that I’ve shot recently with my trusty iPhone (aside from that last three, which came from friends and readers). Click one of the images to cycle through a slideshow.

Continue reading

Dozens of ZeuS Botnets Knocked Offline

March 10, 2010

NB: This story has been updated several times. Please read through to the end

Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

Image courtesy ZeusTracker

Sold for anywhere from $300-$2,000 in shadowy underground forums, ZeuS is a software kit that allows criminals to set up distributed networks of hacked PCs, usually for the purposes of siphoning user names, passwords and financial data from victim computers. A criminal operating a ZeuS botnet can control the systems from afar using a central “command and control” (C&C) server, and it is not uncommon for a single ZeuS C&C server to control tens of thousands of infected hosts. In most cases, the infected PCs continuously upload the victim’s personal data to so-called “drop servers,” or data repositories online that are specified by the criminal controlling the ZeuS botnet.

According to Roman Hüssy, the Swiss information technology expert who runs ZeusTracker – probably the most comprehensive site that tracks ZeuS activity — on the evening of Mar. 9, the number of active ZeuS C&C servers he was tracking fell instantly from 249 to 181.

In an online chat conversation with Krebs on Security, Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.

Continue reading

Microsoft Warns of Internet Explorer 0day

March 9, 2010

Microsoft issued two security patches today to plug important security holes in its Windows operating system and Office software. The software giant also warned that it is aware of hackers exploiting yet another unpatched security flaw in older versions of its Internet Explorer Web browser.

Microsoft said it is investigating public reports that hackers have worked out how to exploit a previously unknown security hole in IE versions 6 and 7 as a vehicle for installing malicious software. Redmond says it is only seeing this flaw being used in “targeted” attacks at this point, but of course these types of pinprick attacks on unpatched vulnerabilities in IE often precede their much wider exploitation by the criminal hacking community.

If you depend on IE for browsing the Web, upgrade to IE8 if possible. Otherwise, consider switching to an alternative browser, particularly something like Firefox with an add-on that blocks scripts by default, such as Noscript or Request Policy. Yes, these add-ons take a bit getting used to, but from where I sit, allowing Javascipt and Flash to load unrestricted as you browse the web is simply unsafe on today’s Internet.

One of the updates Microsoft released today fixes a problem with the Windows Movie Maker application as shipped on Windows XP and Vista. The second patch fixes at least seven vulnerabilities in Microsoft Excel that Microsoft said are present in all supported versions of Microsoft Office, included Mac Office 2004 and 2008.

Updates (including IE8) are available through the Microsoft Update Web site, or via Automatic Update.

Monoprice.com Shuttered After Fraud Complaints

March 9, 2010

Audio visual cabling giant monoprice.com shut down its Web site – possibly for the next couple of weeks – while it investigates the possible compromise of its customer credit and debit card information.

Vincent Lim, monoprice.com’s operations manager, said the company took the site offline around midnight on Friday, Mar. 5, after it received e-mails and phone calls from several customers complaining about fraudulent charges on their cards that they had used on monoprice.com.

“A few of our customers recently reported to us that information from credit cards they used on the Monoprice website had been misused,” Lim said. “We promptly began an investigation with the help of expert computer forensic investigators to determine if any card data had been stolen from our computers.”

To date, he said, investigators have found no evidence that card information has been stolen from Monoprice’s computer network. The site is now allowing customers to browse products, but Monoprice won’t be taking any new orders until the investigation is completed, Lim said.

“We want to ensure that there is no security vulnerability in any part of our computer network system. We notified local and federal law enforcement agencies, our credit card processing business partners, and all credit card companies that some of our customers reported concerns regarding their card information to us,” the company said in a statement that now frames the top of its Web site. “We also advised these entities that we are working with outside security specialists to determine if there was breach of our computer system. We will post additional information when it is available.”

Monoprice’s corporate page on Facebook.com features a number of interesting comments from customers, some of whom attributed recent fraudulent charges to the incident, while others are praising the company for being so forthcoming and providing continuous updates via Facebook.

Cyber Crooks Leave Traditional Bank Robbers in the Dust

March 9, 2010

Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.

Speaking at the RSA Security Conference in San Francisco last week, David Nelson, an examination specialist with the Federal Deposit Insurance Corporation (FDIC), said online banking attacks against small businesses of the sort I have chronicled countless times over the past year netted thieves $25 million between July and September of 2009.

I wondered how that stacked up against real-life bank robbers here in the U.S., so I had a look at the FBI‘s published bank crime statistics for that same time period last year. Turns out, traditional bank robbers committed a total of 1,184 bank robberies during those three months, netting slightly more than $9.4 million (including $3,071 in travelers checks).

In fact, real-life bank robbers stole a total of just over $30 million in the first three quarters of 2009, just $5 million more than cyber crooks did in the third quarter of last year alone.

Small wonder that the haul from cyber bank robberies has overtaken that of physical heists:  Cyber thieves take far fewer risks to life, liberty and limb than do real-life bank robbers. In that same three month period last year, the FBI says bank robberies at bricks-and-mortar institutions caused five deaths — all them perpetrators of the crime.

What’s more, the perpetrators of these incessant attacks against small businesses banking online for the most part reside in countries that are traditionally beyond the reach and influence of U.S. law enforcement. Sure, bank robbers occasionally kill people (more often themselves) while they’re stealing your money, instead of silently lifting it out of your bank account from afar like cyber thieves. That alone makes them a more emotional high-value target for the feds. But let’s face it: Traditional stick up artists are a lot easier to collar. For one thing, by necessity they are all here in the United States.

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

Continue reading

Energizer Battery Charger Software Included Backdoor

March 9, 2010

Security experts at Symantec have discovered a software application made for a USB-based battery charger sold by Energizer actually included a hidden backdoor that allowed unauthorized remote access to the user’s system. The backdoor Trojan is easily removed, but Symantec believes the tainted software may have been in circulation since May 2007.

The product is the Energizer Duo USB battery charger, a device that charges batteries by drawing power from a USB port. The downloadable software that goes with the product — designed to monitor the charger’s performance and status — was available for both Mac and Windows, but according to the U.S. Computer Emergency Response Team (US-CERT) only the Windows version was affected.

Symantec said it found the backdoor after analyzing a component of the USB charger software sent to it by US-CERT. The backdoor is designed to run every time the computer starts, and then listen for commands from anyone who connects. Among the actions an attacker can take after connecting include downloading a file; running a file; sending a list of files on the system; and offloading the files to the remote attacker.

U.S. CERT has published an advisory that explains in greater detail how to remove this backdoor, should you have been unlucky enough to have installed the software. But the incident is the latest reminder that USB-based devices should always be considered hostile. At the very least, users should disable the autorun capability in Windows (which many malware families use to piggyback on removable media), and thoroughly scan any removable media for malicious files.

In another incident of malware hitchhiking on USB devices, Panda Security published a blog post Monday saying it had found a brand new Vodaphone HTC Magic mobile with Google’s Android operating system that came factory-packed with malicious software. According to Panda, the malware, which took advantage of the autorun functionality in Windows, was set up to enslave the host computer in the Mariposa botnet.