Lawsuit Seeks End To Bank Cybercrime Secrecy
Business bank accounts are being looted in a surge of cybercrime, leaving companies with serious losses.
Tens of millions of dollars are being stolen from corporate bank accounts every month by cyber criminals, but the victims are largely reluctant to acknowledge the scope of the problem.
To force banks to share information about security breaches, Project Honey Pot, a spam defense initiative created by Unspam Technologies, in conjunction with corporate Internet fraud attorney Jon Praed of the Internet Law Group, filed a lawsuit in Virginia on Wednesday against the unidentified cyber thieves.
Using the CAN SPAM Act, the lawsuit aims to use the legal discovery process to obtain forensic information about the bank breaches so that the perpetrators can be pursued. Spam is one of the vectors used to spread the keylogging Trojan malware used to steal account information.
Banks typically refuse to discuss security issues for fear of reputation damage and potential liability. But computer security experts generally argue that information sharing is a better way to make systems more secure.
"The purpose of the lawsuit is to say that this is an amazingly serious issue that banks need to start talking about, so we can track down the individuals behind this and put security in place to stop this," said Matthew Prince, co-creator of Project Honey Pot and an adjunct professor of law at John Marshall Law School, in a phone interview.
Prince says that in the past six months, keystroke logging viruses have been spreading like wildfire. These Trojan malware programs -- mainly two known as Zeus and Clampi -- are designed to steal financial account information to facilitate remote pilfering of online bank accounts.
"We were seeing just wave after wave after wave of these viruses being distributed across the Internet," he said.
The lawsuit explains the typical pattern for corporate bank account robbery: "In the case of a compromised business bank account, the thief will typically exploit the bank account by logging into the bank's Web site using stolen credentials and initiating an automated clearinghouse (or ACH) transfer drawn against the businesses' bank account. Because many companies pay employees via ACH, these fraudulent transfers are often disguised as direct deposit payroll to the bank account of a bogus 'employee' added to the list of payroll recipients..."
The recipient of the funds is typically a "mule" who takes the cash to a money transfer store to move the funds overseas.
The problem is particularly serious, said Prince, because unlike consumer customers, banks typically don't reimburse business customers for cybercrime losses.
"I have never seen anything like this," he said. "The s*** is about to hit the fan." Underscoring the seriousness of the issue, the National Automated Clearinghouse Association (NACHA), which oversees the ACH Network, issued a warning about this kind of cyber crime eight days ago.
The August 12 NACHA Risk Management alert says, "Financial institutions' business customers are being attacked by malicious software in which perpetrators are attempting to obtain valid online banking credentials. ...Once a business' credentials are stolen, the perpetrator has online access to the business' account and any funds transfer capabilities associated with the credentials."
"The fact that NACHA has put out an alert to me confirms what we're seeing behind the scenes," said Praed in a separate phone interview.
Next month, NACHA plans to conduct a teleseminar about keylogging cybercrime that acknowledges the problem thus: "Corporate accounts have also been the target of fraudsters using malware to pose as legitimate users to originate wire transfers and ACH batches. The process of recovering losses incurred by the customer or financial institution after an attack can be lengthy and inundated with problems."
That may be an understatement. "I am not aware of a single commercial customer that has been reimbursed by its bank," said Praed, who estimated there have been thousands of corporate victims over the past six months to a year, with losses averaging six figures.
"Overnight, $150,000 gets transferred out and they do that every other day until the money is gone," he said, describing a typical pilfering pattern.
"The problem that we're seeing is of such an order of magnitude and is so damaging that I don't see how any system with this kind of problem can survive unless something is done," said Praed. "You're going to see many more losses going forward, which is why it's important for commercial bank customers to talk to their banks about their security procedures." He also said that he'd like to hear from businesses that have been affected by this sort of cybercrime.
Prince said that he hoped the government would step in to insulate banks from liability so that breach information can be shared more easily. "Banks that thwart attacks need to step up and inform other banks," he said. "Security in this space isn't a competitive advantage."
Customers burned by online banking don't switch to the competition, he said. They stop banking online.
According to Prince, the cyber criminals responsible appear to be operating out of Russia and Ukraine and to have ties to the nationalist hackers who directed a denial of service (DoS) attack at Twitter and other social sites to silence a pro-Georgia blogger recently.
"The same resources that were used a week and a half ago to initiate the DoS attack on the Georgian blogger are the same resources we were previously seeing purposed for the distribution of this virus," he said.
InformationWeek has published an in-depth report on managing risk. Download the report here (registration required).
Read more about:
2009About the Author
You May Also Like