Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium-sized businesses. In a typical scenario, the attack vector is a "spear phishing" e-mail which contains either an infected file or a link to an infectious Web site. The e-mail recipient is generally a person within a company who can initiate funds transfers on behalf of the business, or a credential account holder (treasury management platforms typically support both wires and Automated Clearing House (ACH) transfers). Once the user opens the attachment, or navigates to the Web site, malware is installed on the user's computer. The malware contains a key logger, which harvests the user's corporate online banking credentials. Shortly thereafter, the subject either creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as a legitimate user. These transfers have occurred through both the wire system and the ACH Network; however, this bulletin specifically addresses incidents that have occurred through the ACH Network. In one case, the subjects used a Distributed Denial of Service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out. These ACH transfers ranged from thousands to millions of dollars.
Below is an example of a landing page where receivers of "spear phishing" e-mails were taken after clicking the embedded link within the e-mail. Spear phishing is a phishing attack that targets select groups of people with something in common: they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same Web site, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive.
In this example the phishing e-mail was posing as a Microsoft Critical Update, thus bringing the user to a fictitious Microsoft page.
The FBI reports ACH transfers are directed to the bank accounts of willing or unwitting individuals within the United States. These individuals, known as "money mules", are recruited via "work from home" advertisements or are contacted by recruiters after placing resumes on popular employment Web sites. The mules are directed to open personal or business bank accounts to receive the fraudulent money transfers. Often within a couple of days, or even hours, of opening the accounts, the money is deposited and the mule is directed to immediately forward a portion of the money to subjects overseas, typically to Eastern Europe, via wire transfer services, including Western Union and Moneygram.
As of August 2009, the infection vector has not been determined in every case; however, FBI analysis has identified more than two dozen different pieces of malware on the compromised account holders' computers all containing key loggers.
FBI interviews revealed that the threat stems not only from the malware involved in these cases, but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider level. For instance, in several cases banks did not have proper firewalls installed, nor anti-virus software on their servers or their desktop computers. The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system.
Discussions with Federal law enforcement agencies, commercial security intelligence service providers, and commercial incident response companies reveal the effectiveness of existing signature-based anti-virus and intrusion prevention systems is diminishing in the face of the rapidly evolving malicious code environment and the prevalence of custom-designed, signature-defeating malicious code.
Consequently, an approach not fully dependent on those systems must be considered, with particular emphasis on user privilege reduction, application whitelisting (only allowing known software and libraries to execute on a system), and heuristic detection.
FBI analysis has found that in most cases the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions. The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions. Often, the targeted entities have their contact information, or an organizational chart, posted on their Web site. This may provide the perpetrators with information on who handles the financial transactions for that business or agency. The ACH transactions are typically in increments of less than $10,000 to avoid currency transaction reporting.
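The sub-$10,000 pattern described above lends itself to a simple heuristic check on an institution's outbound ACH originations: a burst of below-threshold credits from one originator, each to a different receiver, that together exceed the reporting threshold. The following is an added illustration written for this bulletin, not FBI or FS-ISAC code; the account names, timestamps, one-hour window and minimum count of three are constructed assumptions, and such a rule is a trigger for manual review, since legitimate payroll runs can look similar.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound ACH originations:
# (timestamp, originator account, receiver account, amount in USD).
SAMPLE_ACH = [
    ("2009-08-03T09:12:00", "biz-001", "recv-41", 9200.00),
    ("2009-08-03T09:15:00", "biz-001", "recv-42", 9750.00),
    ("2009-08-03T09:19:00", "biz-001", "recv-43", 8900.00),
    ("2009-08-03T09:22:00", "biz-001", "recv-44", 9600.00),
    ("2009-08-03T10:05:00", "biz-002", "vendor-7", 12400.00),  # above threshold, reported anyway
    ("2009-08-04T14:00:00", "biz-003", "payroll-1", 4100.00),  # single credit, no burst
]

CTR_THRESHOLD = 10000.00       # currency transaction reporting threshold cited in the bulletin
WINDOW = timedelta(hours=1)    # assumed burst window
MIN_COUNT = 3                  # assumed minimum number of credits to call it a burst


def flag_structuring(records, threshold=CTR_THRESHOLD, window=WINDOW, min_count=MIN_COUNT):
    """Return {originator: [(burst_start, count, total)]} for bursts of sub-threshold
    ACH credits to distinct receivers whose combined value exceeds the threshold."""
    by_orig = defaultdict(list)
    for ts, orig, recv, amt in records:
        if amt < threshold:  # only sub-threshold credits can be structuring
            by_orig[orig].append((datetime.fromisoformat(ts), recv, amt))

    flagged = {}
    for orig, items in by_orig.items():
        items.sort()  # chronological order
        hits, i = [], 0
        while i < len(items):
            t0 = items[i][0]
            burst = [it for it in items[i:] if it[0] - t0 <= window]
            receivers = {r for _, r, _ in burst}
            total = sum(a for _, _, a in burst)
            if len(burst) >= min_count and total >= threshold and len(receivers) == len(burst):
                hits.append((t0.isoformat(), len(burst), round(total, 2)))
                i += len(burst)  # report each burst once, then move past it
            else:
                i += 1
        if hits:
            flagged[orig] = hits
    return flagged
```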
Businesses that believe they have been victims of this type of attack should contact their financial institution to prevent these attacks from recurring. Financial institutions may wish to contact their institution's FS-ISAC member to obtain further information on mitigation strategies for internal and customer use.
The FBI encourages victims of cyber crime to contact their local FBI field office, or file a complaint online at www.IC3.gov.