Wednesday, February 5, 2014

Threat Agent Profile: Bank Account Hijackers

The ATMs of the Internet are the online retail and commercial banking sites.  These systems, particularly the commercial banking sites, allow account holders to transfer money to external accounts using bill pay, wire and ACH transaction functions. This opportunity is not lost on enterprising fraudsters who specialize in gaining unauthorized access to online bank accounts and use that same functionality to transfer the money to their own offshore accounts.

Data on phishing attacks, the primary method for hijacking online accounts up through mid-2009, serves as a good guide to the evolution and magnitude of bank account hijacking.[1] The Anti-Phishing Working Group (APWG) has tracked the details of these attacks since January 2004. In that month, the APWG reported 28 known unique phishing attacks, 11 of them targeting financial institutions. As news of the success of early attacks spread, more fraudsters joined in the scheme. The number of unique attacks peaked in September 2007 at 38,514, each targeting thousands of online account holders. Since 2004, 82% of all phishing attacks have targeted online financial systems.

Consumer online bank accounts were early targets. In 2007, hackers targeted customers of Sweden’s Nordea Bank with a phishing attack through which they tricked customers into installing malicious software on their computers. Using the malicious software, the fraudsters were able to gain access to 250 accounts, netting $1.1 million in the process.[2]

While consumer accounts are profitable, commercial accounts held by businesses offer a much higher profit opportunity because of their higher account balances and transaction limits. But banks had put strong defenses on these accounts to keep the bad guys out, primarily strong authentication in the form of one-time password tokens. Gaining access to these accounts wasn’t as simple as using a phishing attack to trick the victim into revealing their username and password.

In June of 2005, though, a hacker proved that commercial accounts could be compromised. Through an attack that involved placing malicious software on the computer of a Miami businessman, a hacker was able to fraudulently wire over $90,000 to an account in Latvia.[3] The businessman wanted his bank to cover the loss; the bank claimed it wasn’t responsible because it wasn’t its computer that got hacked. Other fraudsters caught on and developed techniques to defeat advanced commercial security solutions. In the third quarter of 2009 alone, fraudsters successfully hijacked hundreds of U.S. small business online accounts, hauling away over $25 million.[4]

[1] A phishing attack is a process for fraudulently acquiring sensitive information by falsely representing a trusted entity using electronic means. Commonly, phishing takes the form of an email falsely purporting to be from a company, prompting the user to click on an embedded link that directs them to a false site where the user is tricked into divulging sensitive information such as their user ID and password.