The ATMs of the Internet are the online retail and commercial banking sites. These systems, particularly the commercial banking sites, allow account holders to transfer money to external accounts using bill pay, wire and ACH transaction functions. This opportunity is not lost on enterprising fraudsters who specialize in gaining unauthorized access to online bank accounts and use that same functionality to transfer the money to their own offshore accounts.
Data on phishing attacks, the primary method for hijacking online accounts up through mid-2009, serve as a good guide to the evolution and magnitude of bank account hijacking.[1] The Anti-Phishing Working Group (APWG) has tracked the details of these attacks since January 2004. In that month, the APWG reported 28 known unique phishing attacks, 11 of them targeting financial institutions. As news of the success of early attacks spread, more fraudsters joined in the scheme. The number of unique attacks peaked in September 2007 at 38,514, each targeting thousands of online account holders. Since 2004, 82% of all phishing attacks have targeted online financial systems.
Consumer online bank accounts were early targets. In 2007, hackers targeted customers of Sweden’s Nordea Bank with a phishing attack through which they tricked customers into installing malicious software on their computers. Using the malicious software, the fraudsters were able to gain access to 250 accounts, netting $1.1 million in the process.[2]
While consumer accounts are profitable, commercial accounts held by businesses provide a much higher profit opportunity because of their higher account balances and transaction limits. But banks had put strong defenses on these accounts to keep the bad guys out, primarily strong authentication in the form of one-time password tokens. Gaining access to these accounts wasn’t as simple as using a phishing attack to trick the victim into revealing their username and password.
In June 2005, though, a hacker proved that commercial accounts could be compromised. Through an attack that involved placing malicious software on the computer of a Miami businessman, a hacker was able to fraudulently wire over $90,000 to an account in Latvia.[3] The businessman wanted his bank to cover the loss; the bank claimed it wasn’t responsible because it wasn’t the bank’s computer that got hacked. Other fraudsters caught on and developed techniques to defeat advanced commercial security solutions. In the third quarter of 2009 alone, fraudsters successfully hijacked hundreds of U.S. small business online accounts, hauling away over $25 million.[4]
1) A phishing attack is a process for fraudulently acquiring sensitive information by falsely representing a trusted entity using electronic means. Commonly, phishing takes the form of an email falsely purporting to be from a company, prompting the user to click on an embedded link that directs them to a fake site where the user is tricked into divulging sensitive information such as their user ID and password.
2) http://www.cbronline.com/news/nordea_loses_11_million_to_online_fraud
3) http://www.finextra.com/news/fullstory.aspx?newsitemid=13194
4) http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/