Archive for the 'eCrime' Category

Company Loses $200,000 From Corporate Banking Malware – Bank Sues Company!?!

Wednesday, January 27th, 2010

In a very strange turn of events, PlainsCapital bank is suing its customer, Hillary Machinery Inc, in a case regarding cyber-theft.

It seems that in November 2009, Romanian fraudsters gained access to the usernames and passwords of Hillary Machinery’s online corporate bank account with PlainsCapital. They transferred $800,000 out of the account. The bank was eventually able to recover $600,000, leaving Hillary Machinery, Inc. with a loss of $200,000.

Hillary Machinery complained to the bank and demanded that they cover the losses, and alleged that the bank’s security systems were not adequate.

Strangely, PlainsCapital has responded with a lawsuit, demanding that the courts find that their systems were in fact secure, and that it was a breach of authentication credentials that happened on Hillary Machinery’s computers (likely through Zeus malware infections).

Hillary Machinery has posted an alert about the issue on their website. “Small Business Alert – PlainsCapital Bank Target of Cyber Robbery. Is Your Bank Watching Your Back?”.

APWG 2009 Q3 Report Shows Highest Level of Phishing Attacks Ever

Tuesday, January 26th, 2010

The Anti-Phishing Working Group released their fraud report for Q3 2009. They found a record number of phishing reports, unique phishing websites, brand-domain pairs, and hijacked brands.

Customers of financial services companies were the most targeted.

The full report can be found here.

Social Networks Were Used To Target Employees and Spread Malware in Google Malware Case

Tuesday, January 26th, 2010

The Financial Times in the UK today reported that social networks were used by attackers to target employees at Google, Adobe, and possibly other companies, in last month’s targeted malware attacks. In the incident, attackers got targeted malware onto the computers of Google employees, and used it to break into the company’s networks and steal sensitive corporate data. The attackers, allegedly from a group in China suspected of working with the Chinese government, used social networks to gain information about the friends of targeted employees. They then sent spoofed emails and initiated Instant Messaging conversations with the targeted employees, and sent malicious software to those targets. The malware exploited vulnerabilities in Microsoft’s IE 6 web browser, and installed itself on the employees’ computers.

The use of social networks to perform advanced reconnaissance by hostile attackers isn’t new, but it’s becoming more and more clear that cyber-criminals are getting much more sophisticated in their targeting and pre-planning of attacks.

These recent events are causing concern in the financial services industry, where malware such as the Zeus trojan is getting onto the computers of finance and accounting professionals at companies, and is allowing cyber-thieves to hijack online banking sessions and transfer hundreds of thousands, and in some cases millions, of dollars from corporate coffers.

Fraudulent Android App Steals Online Banking Credentials

Monday, January 11th, 2010

First Tech credit union has issued a security alert regarding a fraudulent Android smartphone app posted on Google’s Android Marketplace. The app purports to be a mobile banking tool. Naturally it is actually a phishing scam that will steal your banking username and password if you actually use it to log into your online bank account.

The app was posted by a user with the alias “Droid09”.

SCMagazineUS.com wrote today that several applications that were fraudulently using the names of banks, without their permission, have been removed from the Google Android Market.

Conduct Online Banking From A Dedicated PC?

Sunday, January 3rd, 2010

NACHA, the American Bankers Association, and the FBI are advising businesses to conduct commercial online banking transactions only from a dedicated PC that has a hardened operating system and is unable to do web browsing or email.

You can read more about it in this USA Today article.

I think this is an unreasonable security model, because firstly, if a computer is unable to do Web browsing, how will the finance manager access the bank’s corporate banking website?

Second, NACHA and the ABA recommend customers receive out-of-band confirmation of payments (e.g. email confirmations). If the banking terminal cannot receive these emails, is it likely that finance professionals will be doing this reconciliation?

Thirdly, this model breaks the finance workflow. Finance professionals routinely need to have an Excel spreadsheet or other document open in order to know which payments to initiate.

At IronKey we have been working on virtualized operating system solutions that run off the IronKey devices, and leverage the on-board two-factor authentication and other security services, in order to create a secure and cost-effective solution. Look for more information later this month.

Cyber Thieves Target Corporate Bank Accounts of Real Estate and Title Companies – Use ACH Debits To Steal Funds

Sunday, January 3rd, 2010

I was reading Brian Krebs’s Security Fix blog on WashingtonPost.com over the holidays. He wrote an article about a month ago about hackers targeting the corporate bank accounts of real estate, property management and title companies. In this particular article, hackers had used the ACH network to initiate over $1.3M of fraudulent funds transfers from a large property management company.

Of interest were two things. First, rather than hijacking the bank account of the property management firm and initiating wire transfers, the attackers used compromised corporate bank accounts of other companies, and initiated ACH debits from the targeted property management firm. They then wired the deposited funds out from the third party company to their money mule accounts at other financial institutions. This fraud vector really illustrates how compromises of corporate bank accounts can have far reaching consequences via both wire transfer and ACH network abuse. The ACH network is largely a trust-based system, and relies on its users not making fraudulent transactions. There’s little inherent security in the technology of the system itself.

The other interesting item was the targeting of real estate, property management and title companies. On reflection, and thanks to one of the people who commented on Brian’s article, it is clear why attackers are targeting these companies. It’s because these companies are regularly involved in large funds transfers (hundreds of thousands or millions of dollars), because they are frequently involved in real estate transactions.

Fraudsters would rather steal $1 million at a time than try to steal $9,000 at a time from smaller businesses, or $1,000 at a time from consumers.

Business owners should read NACHA’s guidance, issued in December, on how to protect their online commercial banking accounts.
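The fraud vector described in this post works because the ACH network honours a debit from any originator the originating bank lets through; the debited account has no say unless a debit block or debit filter is in place. The following is an added example (not code from the post or from NACHA) that models the debit-filter control a business can ask its bank for: an allowlist of originating company IDs that may debit the account, with an optional per-entry ceiling, and a return decision for everything else. The company IDs, names and amounts are constructed placeholders.

```python
"""Added example: an ACH debit filter (allowlist of originators).

Constructed sample data; the company IDs below are hypothetical placeholders,
not real ACH originator IDs.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class AchEntry:
    originator_id: str    # company ID of the party that originated the entry
    originator_name: str
    amount: float         # USD, always positive
    is_debit: bool        # True when the entry pulls money out of our account

# Hypothetical allowlist: originator ID -> per-entry cap in USD (None = no cap)
ALLOWED_DEBITORS = {
    "1234567890": 5000.00,   # placeholder: payroll provider
    "0987654321": None,      # placeholder: utility company, variable bills
}

_MISSING = object()  # sentinel so a cap of None is distinguishable from "absent"

def review_debit(entry: AchEntry, allowlist=ALLOWED_DEBITORS):
    """Decide one entry. Returns (decision, reason).

    Credits are always accepted; only debits are filtered. A debit from an
    originator that is not on the allowlist is marked for return, which is
    exactly what stops the third-party-originated debits described above.
    """
    if not entry.is_debit:
        return ("accept", "credit entries are never filtered")
    cap = allowlist.get(entry.originator_id, _MISSING)
    if cap is _MISSING:
        return ("return", f"unknown originator {entry.originator_id} ({entry.originator_name})")
    if cap is not None and entry.amount > cap:
        return ("review", f"amount {entry.amount:.2f} exceeds cap {cap:.2f}")
    return ("accept", "allowlisted originator")

def review_batch(entries, allowlist=ALLOWED_DEBITORS):
    """Apply the filter to a batch. Returns [(originator_id, decision, reason), ...]."""
    return [(e.originator_id, *review_debit(e, allowlist)) for e in entries]

# Constructed sample batch: the 250,000 debit from an unknown originator is
# the pattern from the property management case.
SAMPLE_BATCH = [
    AchEntry("1234567890", "Payroll Co", 4200.00, True),
    AchEntry("0987654321", "Power Utility", 12000.00, True),
    AchEntry("5555555555", "Unknown Corp", 250000.00, True),
    AchEntry("1234567890", "Payroll Co", 9000.00, True),
    AchEntry("5555555555", "Unknown Corp", 1500.00, False),
]

if __name__ == "__main__":
    for originator, decision, reason in review_batch(SAMPLE_BATCH):
        print(f"{originator}  {decision:7}  {reason}")
```

The point of the per-entry cap on the payroll provider is that a compromised but allowlisted originator can still be abused; the cap turns an oversized debit into a review item rather than a silent acceptance.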

Fraudsters Install Malicious Software on Store Point-Of-Sale Computers in Alaska

Saturday, January 2nd, 2010

Hackers broke into the point-of-sale computer at a restaurant in Anchorage, Alaska, and installed malicious software on the computer in order to copy credit card information. They broke in through the network that the POS computer was connected to. The malicious software copied credit card details every time that a card was authorized for payment. It then sent this information to the remote hackers over the network. The card numbers were then used for fraudulent payments.

It’s an interesting example of the many ways that cyber-criminals are attacking our payments infrastructure. They attack the end users with phishing and malware. They attack databases of stored credit cards, such as the massive TJ Maxx breach which gained them over 100 million credit card numbers. Now they are attacking the point-of-sale systems themselves.
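A POS host normally talks only to its payment processor over an encrypted channel, so the malware described above leaves a detectable trace: outbound data that contains card numbers in the clear. The following is an added example (not code from the post or from any POS vendor) of the check a network monitor or DLP sensor can apply to captured outbound payloads: find 13 to 19 digit runs, keep only the ones that pass the Luhn check, and note whether they appear in track-2 layout (PAN, then "=", then expiry). The payloads are constructed samples and the card numbers are the public test numbers payment gateways publish, not real accounts.

```python
"""Added example: detecting card numbers (PANs) in outbound POS traffic.

Sample payloads are constructed; the PANs are published gateway test numbers.
"""
import re

# A run of 13-19 digits not adjacent to other digits (avoids splitting longer runs)
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track-2 layout as read from a magnetic stripe: [;]PAN=YYMM...
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out timestamps, order IDs and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(payload: str) -> list:
    """Return every Luhn-valid 13-19 digit run in the payload."""
    return [m.group(0) for m in PAN_RE.finditer(payload) if luhn_ok(m.group(0))]

def mask(pan: str) -> str:
    """Keep first six and last four digits so an alert never re-leaks the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_outbound(payloads):
    """Return [(index, masked PANs, track2_seen)] for payloads that carry card data."""
    hits = []
    for i, p in enumerate(payloads):
        pans = find_pans(p)
        if pans:
            hits.append((i, [mask(x) for x in pans], bool(TRACK2_RE.search(p))))
    return hits

# Constructed outbound payloads as a sensor might capture them from a POS host
SAMPLE_PAYLOADS = [
    "POST /heartbeat HTTP/1.1\r\nHost: monitor.example\r\n\r\nstatus=ok&uptime=86400",
    "ID=7 DATA=;4111111111111111=1512101?;5500000000000004=1403201?",   # track-2 dump
    "order=4111111111111112 total=19.99",                                 # fails Luhn
    "378282246310005|12/15|123",                                          # keyed-in PAN
]

if __name__ == "__main__":
    for idx, pans, track2 in scan_outbound(SAMPLE_PAYLOADS):
        print(f"payload {idx}: {pans} track2={track2}")
```

Track-2 data in an outbound payload is the stronger signal of the two: it is the raw stripe content a scraper collects at swipe time, and no legitimate process should send it anywhere but the processor, and never unencrypted.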

98% of Bank Heists are Conducted Online

Tuesday, December 22nd, 2009

According to Tom Kellermann, a former senior member of the World Bank’s Treasury security team, “Ninety-eight percent of bank heists are now occurring virtually and not in the real world.”

He also said that the industry is “hemorrhaging funds” as a result.

These statements were made in response to an unsubstantiated report in the Wall Street Journal that the FBI is investigating an online fraud of tens of millions of dollars from Citibank. It’s alleged that the Russian Business Network (RBN) is behind the attack.

My Interview on CBC Radio – Spam, Scams and Holiday Sentiments

Monday, December 14th, 2009

Listen to my interview with Dan Misener of the Canadian Broadcasting Corp (CBC) from Saturday, December 13, 2009. We discuss holiday e-greeting card email scams, malware, phishing and Internet fraud.

http://www.cbc.ca/spark/2009/12/spark-95-december-13-15-2009/

Fake H1N1 Emails from CDC are Spreading Malicious Software

Thursday, December 3rd, 2009

Fake emails are circulating on the Internet this week, purporting to be from the Centers for Disease Control (CDC). These emails claim that an H1N1 Swine Flu vaccination registration is required. However, if you comply and click through to the website, your computer may be infected with a version of the Banker trojan, which steals usernames and passwords when you log in to your online bank.

You can read more about the security advisory here.