Tuesday, May 4, 2010

Guest Post - Nick Volpe - Small Businesses Need More Banking Protection

Nick Volpe is a Spring Semester Cybersecurity Research Analyst at Fortalice®, LLC.  He is a student at Immaculata University.

Research Outline 
by Nicholas W. Volpe 

Topic: Small and medium-sized businesses are getting hacked and their bank accounts wiped out.
Date: 3/22/10 

TEASER/TITLE: Small Businesses Need More Banking Protection Like Consumers Do 

SUMMARY PARAGRAPH: Criminals are targeting cyber-attacks at businesses and their banking institutions. This can be attributed to the fact that small and medium-sized businesses do not have all of the protections that consumers have on their bank accounts. As a result, many fraudsters will exploit the flaws in the banking system to steal money from companies that may never get that money back.

CASE 1
  • Pennsylvania housing development company
    • Cumberland County Redevelopment Authority
    • Theft took place against their bank, M&T, on September 22, 2009
  • $479,000+ was stolen from their bank account
    • About $109,000 was originally recovered with no record of additional recovered amounts
  • The criminals used a Clampi Trojan to infect a computer and obtain the information required for the theft of the money
    • Money was dispersed to other accounts at numerous other banking institutions

CASE 2
  • Bullitt County, Kentucky
  • $415,000 was stolen from the county’s payroll accounts, beginning on June 22, 2009 and lasting a few weeks
  • Criminals used a keylogging Trojan known as “Zeus” or “Zbot” on the county treasurer’s PC
    • Stolen information is sent via instant message
    • The Trojan creates a tunnel between the infected computer and the criminal’s computer so that the criminal can log on to the bank account through the infected computer
  • Criminals dispersed funds to about 25 co-conspirator third parties throughout the country
    • Some, if not all, of the co-conspirators, or “money mules”, were recruited via Careerbuilder.com.
  • Money was wired to the criminals in Ukraine
  • The bank told the county that some of its money could probably be recovered, but as of the writing of this article it was not sure how much could or would be

CASE 3
  • Western Beaver School District outside of Pittsburgh, PA
    • More than $700,000 was stolen from the school district’s account
  • The school district filed a lawsuit against its bank, ESB Bank, alleging that the bank should have prevented or flagged the fraudulent transactions because of the excessive number of transactions in the school district’s account. The lawsuit seems to still be open.
  • Criminals used some type of malicious software to steal the funds
  • Funds were transferred between December 29, 2008 and January 2, 2009 in 74 transactions to 42 random individuals throughout the country

CASE 4
  • Slack Auto Parts in Gainesville, GA
  • About $75,000 was stolen from the company’s bank account between July 3 and July 7, 2009
    • An additional $69,000 theft was attempted but blocked by the bank
  • Criminals used the malicious Clampi Trojan (or "Ligats" and "Rscan") keylogger on the company controller’s Windows PC to steal bank account passwords and access information
    • A computer investigator found that the malicious software had been present on the system for over a year
    • 9 transactions were wired to at least 6 “money mules” all over the country
  • The bank was able to reverse $14,000 worth of wire transfers, and the CEO of the company worked with the bank to try to recover the rest of the funds
   
IMPLICATIONS & RECOMMENDATIONS:
  • Consumers are protected from unauthorized transactions by US law
  • Businesses are not protected by the same laws
  • Many banks do not have algorithms to detect fraud against business transaction processing systems, commonly ACH systems
  • Businesses should do online banking only from locked-down workstations with web browsing and email disabled
  • Businesses need to be more vigilant and constantly check their accounts to see exactly what is happening with their money
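
The cases above share one pattern: a burst of transfers to many payees the account has never paid before. The following is an added example, not part of the original outline, of the kind of check a bank or a business reviewing its own account could run. The function name, window, threshold, payee names and amounts are all assumptions, and the sample data is constructed.

```python
from collections import deque
from datetime import datetime as D, timedelta

def flag_new_payee_bursts(transfers, known_payees,
                          window=timedelta(days=5), max_new_payees=3):
    """Alert when transfers inside `window` reach more than `max_new_payees`
    distinct payees that are absent from the account's baseline."""
    baseline = set(known_payees)
    recent = deque()          # transfers to non-baseline payees, oldest first
    alerts = []
    for ts, payee, amount in sorted(transfers):
        if payee in baseline:
            continue          # established payee: not part of a burst
        recent.append((ts, payee, amount))
        while ts - recent[0][0] > window:   # drop transfers older than window
            recent.popleft()
        payees = {p for _, p, _ in recent}
        if len(payees) > max_new_payees:
            alerts.append({"at": ts, "new_payees": len(payees),
                           "transfers": len(recent),
                           "total": sum(a for _, _, a in recent)})
    return alerts

# Constructed baseline and transfer history (timestamp, payee, amount in USD).
KNOWN = {"payroll-vendor", "utility-co"}
SAMPLE = [
    (D(2010, 3, 1, 9), "utility-co", 420.0),
    (D(2010, 3, 2, 9), "payroll-vendor", 8100.0),
    (D(2010, 3, 8, 10), "mule-a", 9200.0),
    (D(2010, 3, 8, 11), "mule-b", 8700.0),
    (D(2010, 3, 9, 10), "mule-a", 9100.0),
    (D(2010, 3, 9, 11), "mule-c", 8900.0),
    (D(2010, 3, 10, 10), "mule-d", 9300.0),
    (D(2010, 3, 10, 11), "mule-e", 8800.0),
    (D(2010, 3, 11, 10), "mule-b", 9000.0),
    (D(2010, 3, 11, 11), "mule-f", 8600.0),
    (D(2010, 3, 12, 10), "mule-c", 9400.0),
]

if __name__ == "__main__":
    for alert in flag_new_payee_bursts(SAMPLE, KNOWN):
        print(alert["at"], alert["new_payees"], "new payees,",
              alert["transfers"], "transfers, $%.2f" % alert["total"])
```

The first alert fires on the fourth new payee, while most of the money in the constructed burst has yet to leave the account.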
   
SOURCES:
  1. Krebs, Brian. "PC Invader Costs Ky. County $415,000." Security Fix. The Washington Post, 2 July 2009. Web. <http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html>.
  2. Krebs, Brian. "The Growing Threat to Business Banking Online." Security Fix. The Washington Post, 20 July 2009. Web. <http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html>.
  3. "$479,000 heist from small business bank account lends weight to calls for online banking 'lock-down'." Finextra. Finextra Research, 16 Oct. 2009. Web. 23 Mar. 2010. <http://www.finextra.com/News/fullstory.aspx?newsitemid=20617>.
