Cyberthieves loot SMBs, transfer millions to firms in China, FBI warns

More than $11M stolen from 20 businesses in past month

Some U.S. companies may unwittingly be funding businesses in China to the tune of millions of dollars.

An alert ( pdf format ) from the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) this week warned U.S. small and medium businesses (SMBs) to be on the lookout for online account takeovers and fraudulent Automated Clearing House (ACH) transactions.

The warning stems from a rash of recent incidents in which online bank accounts belonging to SMBs were hijacked and money from them was stolen and transferred to accounts apparently held by several legitimate businesses in China's Heilongjiang province along the Russian border.

Between March and April, the FBI identified at least 20 incidents in which cybercriminals compromised the SMBs' banking credentials of SMBs, such as usernames, passwords, or authentication tokens, and used them to electronically wire money to accounts held by "Chinese economic and trade companies," the alert said.

The illegal wire transfers have ranged from $50,000 to $985,000, with the majority being involving sums or more than $900,000.

Many of the companies that have received the money are registered in port cities such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The companies appear to be legitimately registered businesses and typically have accounts at the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China, the alert said.

So far, the break-ins have siphoned $11 million out of SMB accounts. In all, the crooks have attempted to steal $20 million in the past month from SMBs, the alert warned.

Such online account takeovers are not new. The FBI, the FS-ISAC, and NACHA, the body that oversees the ACH network, issued a similar warning in the fall of 2009.

At that time, the FBI said several new cases were reported weekly. In most instances, the crooks used sophisticated keystroke logging and Trojan horse programs to steal login credentials from company employees authorized to initiate funds transfers on behalf of the business, the FBI had noted in that alert.

The same warnings were repeated in this week's alert. The alert noted that the malware used in the recent attacks had not been identified in all cases, but at least some instances involved the ZeuS banking Trojan, Backdoor.bot keylogger, and Spybot, an IRC backdoor Trojan.

In addition, one victim reported being hit with a malware program that allowed the hackers to completely erase the hard disk of the infected computer before any investigations could be done, the alert said.

The FBI alerts urged banks to notify customers if they notice any wire transfers destined for Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning.

Avivah Litan, an analyst with Gartner, said that banks need to do more to mitigate such attacks, especially since they are in a better position to tackle the problem.

"These attacks are using the same techniques that have been used for a couple of years against business bank accounts and more recently against enterprise systems and security companies," Litan said. "The attacks keep coming, because most banks have yet to build up sufficient defenses," she said.

There has been speculation that the Federal Financial Institutions Examination Council (FFIEC), a standards-setting body for financial institutions, could soon require banks to implement stronger forms of user authentication, but no action has been taken.

A Gartner survey conducted in February found that many banks continue to rely on "crude" security measures, such as cookies and secret questions, to protect online accounts, Litan said.

"Nearly two-thirds of the surveyed banks manage their fraud detection and customer authentication projects by committee, which means 'it's always someone else's responsibility.' It should come as no surprise, then, that the attacks are succeeding."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].

Read more about financial services in Computerworld's Financial Services Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags financeFinancial Servicesindustry verticalsMalware and VulnerabilitiesIT Governance and Compliance

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Jaikumar Vijayan

Jaikumar Vijayan

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?