Banking Trojans represent a new and potentially costly menace to the nation's small businesses
September 14, 2009
Financial institutions in the United States and Europe recently warned of a spike in attacks on small businesses by organized cyber gangs using increasingly sophisticated malware. The attacks typically take the form of hijacking and emptying the victim’s bank account, often by using logins and passwords stolen from the victim’s computer through the installation of banking Trojans or “keyloggers.”
The thieves can quickly empty the victim’s business accounts before being discovered, leaving the victim business with little recourse. Because business accounts don’t have the same zero liability protections as consumer accounts, victims are rarely compensated by their banks.
The resulting loss could be too much for smaller businesses to recover from, which is why we believe this is one of the most serious and dangerous cyber threats ever faced by the small business community and one that requires immediate attention and vigilance on the part of small businesses.
[NOTE: Think Security First is working with security experts and small business groups nationwide to raise awareness of this new Trojan War. If you'd like to participate or learn more, please contact Neal O'Farrell, founder of Think Security First, at neal (at) thinksecurityfirst.us.]
Think Security First also offers a free alert service to give you early warning of these and similar attacks. Click here to sign up.
Background
In late August 09, the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group representing leading financial institutions around the world, issued an alert to its members that stated "In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses."
At around the same time, NACHA, The Electronic Payments Association, sent an alert to its members warning of a spike in attacks on small businesses using Trojans and other malware. NACHA operates the Automated Clearing House (ACH) Network that provides electronic funds transfer services to more than 12,000 financial institutions in 34 countries.
These warnings follow a series of similar warnings throughout the year by security experts and the media after the discovery of a new class of very sophisticated banking Trojans being used by organized crime gangs around the world.
Small businesses are believed to be exceptionally vulnerable because they typically don’t have the prevention or warning systems in place to mitigate this threat.
Real Victims
The Washington Post and other media outlets have highlighted the plight of just a small sampling of victims, and here are just a few recent cases:
• Bullitt County, Kentucky lost $415,000.
• Western Beaver School District in Pennsylvania lost $700,000.
• Slack Auto Parts in Gainesville, Georgia lost $75,000.
• Unique Industrial Product Co., in Sugar Land, Texas lost $1.2 million.
• JM Test, a small electronics testing firm in Baton Rouge, Louisiana lost $100,000, of which only $7,500 was recovered.
According to media reports, most victims are unlikely to report the crime, to avoid scaring their customers or creating problems with their banks.
Why is this such a serious threat?
• Banking Trojans are becoming more sophisticated and may be the most dangerous weapon available to cyber gangs.
• These programs can easily infect an unprotected computer, and because they work in stealth mode they can be hard to detect and remove.
• Small businesses are especially vulnerable because they typically don’t have the skills or resources to protect themselves sufficiently, often don’t detect the theft until it’s too late, and don’t have the same account protections as consumers have.
• Banking Trojans are able to circumvent many of the security and authentication measures banks rely on, using Twitter-like instant messaging for real time communications with the hackers so the hacker can be logged in at the same time as a legitimate user.
• Real time hacking means that as a user is making a transfer to another account, the Trojan can immediately intervene and redirect the transfer to another account.
• Some Trojans are also able to steal the answers to security questions banks use as authentication.
• If you’re a victim you may have no way of proving that thieves emptied your accounts because they will have used real credentials.
• Banks are reluctant to cover these losses, especially if a legitimate login and password is used. Banking Trojans steal legitimate user logins and passwords.
• In addition to stealing login credentials, variants of this malware could also steal employee payroll info and customer data.
• Some variants include botnets that can use one infected computer to infect other computers. This could create additional legal problems for small businesses whose unprotected computers are hijacked to attack others.
The biggest threat for small businesses is that they often have limited funds available and usually on deposit in a single account. A breach of that account could deprive a small business of all its funds and its ability to survive.
How do banking Trojans work?
Nearly 60,000 different varieties of Trojans were identified in 2008, a nearly 300% spike over the previous year. And more than 70% of new malware discovered by Panda Labs in the second quarter of this year were Trojans.
There are believed to be thousands of varieties of banking Trojans in circulation, and some (like the Zeus Trojan) can be purchased as complete ready-to-go kits for as little as a few hundred dollars.
Most Trojans will infect computers by using spam with infected email attachments, or by infecting web sites which in turn will infect unprotected computers visiting those sites – known as “drive by” infections.
There has also been an increase in targeted or spear attacks where the attackers take some time to research a specific target, and then use the information gathered to make it easier to trick a user or employee at the business into opening an infected file.
And when a gang can easily steal hundreds of thousands of dollars from a small business on the other side of the world, they can justify investing a little time in “scouting” their victims.
Trojans are becoming increasingly sophisticated and are continuously finding ways to evade anti-virus software. They can update and improve themselves constantly, communicate securely and secretly with the criminal gangs that operate them, and lie in wait on a computer until they recognize a user attempting to log in to an online bank account.
Money siphoned from hijacked accounts often passes through “mules” – usually innocent individuals who answered advertisements for work-at-home jobs and whose personal bank accounts are then used to channel the money to the gangs.
If the money is not recovered before the mule passes it on, it is rarely recoverable.
Media Comments and Coverage
“The attacks also are exposing a poorly-kept secret in the commercial banking business: That companies big and small enjoy few of the protections afforded to consumers when faced with cyber fraud.” The Washington Post, July 09
“If I was a small business banking online right now, I'd switch my company's account from a business account to a personal account.” Gartner Research
“If a company gets hacked and someone manages to clean out that firm's bank account, the company's bank is under no obligation to make that customer whole.” Avivah Litan, a banking fraud analyst with research firm Gartner Inc., speaking to the Washington Post.
European Cyber-Gangs Target Small U.S. Firms, Group Says (Washington Post)
More Business Banking Victims Speak Out (Washington Post)
Cyber crooks increasingly target small business accounts (NetworkWorld)
The Growing Threat to Business Banking Online (Washington Post)
Cyber Thieves Steal $447,000 From Wrecking Firm (Washington Post)
How to avoid banking Trojans and minimize the damage
- Scan all business and home computers, either using your existing anti-virus software or using any of the free scanning services listed on our web site.
- Layer every computer with the best virus and spyware protection available and update it constantly. But be aware that having the latest anti-malware protection in place is no guarantee that you'll be able to prevent or detect an infection.
- Patch your computer constantly and make sure your computer settings are configured to automatically download and install patches as soon as they become available.
- Avoid opening email attachments or clicking on links in emails unless you’re able to verify the email is legitimate, and be careful about visiting web sites you’re not familiar with.
- Teach all employees to be especially vigilant for phishing schemes and to watch out for unusual or personalized emails with attachments or links that are not familiar.
- Set up account alerts to notify you of any transactions or changes in account balances, and work with your bank to see if there are additional layers of authentication they can use to prevent or alert you to unauthorized transfers.
- Spread your funds between a number of accounts and limit the number of users on each account.
- Change your passwords regularly, make them tough to guess and protect them well.
- Use just one computer for online banking, and make sure that computer is highly secure and ideally not used for email or any other internet connected activity.
- Be vigilant when visiting your bank login page, especially for any changes to the login procedure or requests for additional information.
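The account-alert advice above can be backed by a daily reconciliation of what the bank posted against what the business actually approved, which is how a redirected transfer shows up even though valid credentials were used. The sketch below is an added example, not part of the original article; the record layout, the function name and the sample accounts are assumptions, and it assumes a transfer posts on the date it was approved.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Transfer:
    date: str            # posting date, ISO format
    payee_account: str   # destination account number
    amount: Decimal

def reconcile(approved, posted, known_payees):
    """Compare bank-posted transfers with the ones the business approved.

    Returns (reason, posted_transfer, approved_account_or_None) tuples.
    """
    remaining = list(approved)          # approved transfers not yet matched
    alerts = []
    for p in posted:
        if p in remaining:              # exact match: nothing to report
            remaining.remove(p)
            continue
        # Same date and amount, different destination: the redirection case.
        twin = next((a for a in remaining
                     if a.date == p.date and a.amount == p.amount), None)
        if twin is not None:
            remaining.remove(twin)
            alerts.append(("REDIRECTED", p, twin.payee_account))
        elif p.payee_account not in known_payees:
            alerts.append(("NEW_PAYEE", p, None))
        else:
            alerts.append(("UNAPPROVED", p, None))
    return alerts

# Constructed sample data (not real accounts or transactions).
KNOWN_PAYEES = {"111000111", "222000222"}
APPROVED = [
    Transfer("2009-09-01", "111000111", Decimal("1200.00")),
    Transfer("2009-09-02", "222000222", Decimal("5000.00")),
]
POSTED = [
    Transfer("2009-09-01", "111000111", Decimal("1200.00")),
    Transfer("2009-09-02", "999000999", Decimal("5000.00")),  # destination differs
    Transfer("2009-09-02", "888000888", Decimal("9800.00")),  # never approved
]

if __name__ == "__main__":
    for reason, t, expected in reconcile(APPROVED, POSTED, KNOWN_PAYEES):
        print(reason, t.date, t.payee_account, t.amount, "approved payee:", expected)
```

The approved list should come from a record kept off the banking computer, such as the accounting ledger, so that malware on that machine cannot alter both sides of the comparison.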
Free tools to detect and remove Trojans
Online Malware Scanner from F-Secure
ActiveScan from Panda Security
HouseCall from Trend Micro