The surge of ACH fraud committed by criminals stealing the online banking credentials of small and midsize businesses has resulted in approximately $100 million in attempted losses, according to the FBI.
Criminals are hitting businesses at a rapid clip, with several new cases opened each week, the FBI said in an intelligence note released Tuesday by the Internet Crime Complaint Center (IC3).
"FBI analysis has found in most cases, the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions," the IC3 reported. "The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions."
The IC3 alert comes less than a week after the Federal Deposit Insurance Corporation warned of an increase in scams that recruit "money mules" to siphon money from business bank accounts through fraudulent electronic funds transfers, such as Automated Clearing House transfers. The FDIC issued an alert on Aug. 26 about increased reports of fraudulent EFTs hitting banks' business customers.
IC3, which is a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance, said the attacks on SMBs typically start with a spear phishing email that contains an infected file or link to a malicious website. The email usually targets a company official who can initiate funds transfers; opening the attachment or visiting the website triggers a malware infection that includes a keylogger, which harvests banking credentials.
Fraudulent ACH transfers are directed to bank accounts of money mules, who are often recruited by criminals over the Internet with bogus work offers and directed to forward the bulk of the money overseas, the FBI said. In its alert, the IC3 noted that the fraudulent transfers in these scams also occur through the wire system, but that its bulletin specifically focused on the fraud occurring in the ACH network.
The FBI said the infection vector hasn't been determined in every case, but it identified more than two dozen different pieces of malware on the compromised computers, all with keyloggers. However, the malware isn't the only threat; the FBI's investigation revealed that a lack of controls at a financial institution or third-party in some cases also posed a threat.
"For instance, in several cases, banks did not have proper firewalls installed, nor antivirus software on their servers or their desktop computers," the IC3 wrote. "The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system."
In one case, criminals used a DDoS attack against a compromised ACH third-party provider that prevented the provider and the bank from recalling fraudulent ACH transfers before money mules could cash them out, according to the IC3 alert. The transfers ranged from thousands to millions of dollars.
Terry Austin, president and CEO of Guardian Analytics, an online banking security technology provider based in Los Altos, Calif., said the alert reflects the trends his company has been seeing. Attackers have been targeting specific small and midsize businesses, which tend to bank at small or regional financial institutions that haven't had the resources to invest in fraud prevention, he said.
"What it comes down to is the big vulnerability these banks have is the online account," Austin said. "You almost have to assume the user's computer has been compromised by the criminals in some way, whether by phishing or downloaded malware. No amount of anti-phishing or anti-spyware user education will prevent all endpoints from being compromised. The attacks are too prolific."
Over the past six months, his firm has seen increased interest in its fraud detection technology from regional banks trying to solve the current fraud problem, Austin said. Preventing the problem requires monitoring every user and every session, he added.
The FBI said that today's malware is reducing the effectiveness of signature-based antivirus and intrusion detection software, making it necessary to consider additional approaches such as user privilege reduction, application whitelisting, and heuristic detection.