Malware used to harvest bank account logons and send wires, FBI warns
The ease and speed of online business banking may be giving way to a growing amount of fraud. This month the Federal Bureau of Investigation warned about "a significant increase" in online banking frauds perpetrated on small and midsize businesses and local governments.
The FBI described a scenario in which a company's computer is infected when an employee—usually one with the authority to initiate funds transfers—clicks on an infected e-mail attachment or visits an infected Website. The malware installed on the computer harvests the logons for the company's bank accounts, and the cyber criminal uses that information to initiate ACH or wire transfers. An FBI report describing the problem estimates attempted thefts totaled about $100 million as of October.
Many small businesses aren't even aware of the threat to online banking until they're hit with a loss, says Avivah Litan, an analyst at technology research firm Gartner. And Litan notes that unlike consumers, who have legal protection in the case of such losses, businesses aren't necessarily able to recover money that is stolen from their accounts.
Observers point to the increasing prowess of the fraudsters. "We've seen much more sophisticated technology-based attacks being used to target small and medium-size businesses," says Paul Henninger, director of financial crime solutions at Actimize, which makes fraud detection software for banks. "They involve things like Trojans and malware, which are used to log information as it's typed in on the customer's computer and in some cases to actually take over the computer itself."
"It's gone from gamers who were just being disruptive to incredibly well-organized and well-funded businesses, and they're doing some really sophisticated stuff," says Joe Spatarella, vice president of sales and marketing at Online Banking Solutions. Phishing e-mails used to be so sloppily done that they were easy to spot, he says. "Not any more, they're beautiful. Some of them, it's hard to tell."
Given that cyber thieves now have the ability to overcome many security precautions, like multifactor authentication, what should companies do?
Spatarella suggests that a PC or laptop be designated to be used only for banking, and never for e-mail or browsing the Internet. "The malware is introduced when people either get e-mail or go to other Websites," he notes. "The minute you go out there, that's when you're potentially introducing problems."
Litan recommends getting a non-Windows operating system and using it from an external drive, like a CD drive. "Don't use the browser on your PC to do online banking, especially if it's a Microsoft browser," she says. "If you use an operating system on an external drive that you don't typically use, and it's on a read-only disk, you're not going to get infected there."
"The other option is to get a locked-down browser," Litan says. "They block everything. All you can do is go to their portal and from there you go to the bank."
Online Banking Solutions markets such a locked-down browser to banks to supply to their customers. "What we're suggesting is that banks provide hardened browsers that work only with their systems," says Spatarella of Online Banking Solutions. "Because the security threats have moved to the application, it's our position that application providers have to take responsibility for securing their own applications."
Litan argues that some of the onus is on the banks, noting that companies aren't in the security field, and says regulators should push banks to spend more money on security efforts, like programs that detect fraud. "These attacks are so surreptitious, you can't see them. Most of the antivirus software out there won't detect it," she says. "Banks have a responsibility here. If it's dangerous, at least they should warn their customers."