Corporate bank accounts continue to be targeted by criminals who use various forms of malware to gain access to the account and then wire money out of it.  One variation of these cyberattacks combines a virus that captures corporate online banking credentials with a DDoS attack against the bank.  The virus is a variation of the Zeus virus, and it is being sent through spear phishing e-mails designed to look as though they are being sent by NACHA to alert a user of a problem with an ACH transaction.  NACHA has continued to post alerts on its website since mid-November warning about the false e-mails.  Apparently, when the attackers capture online banking credentials, they initiate a denial of service attack against the bank in an effort to distract the bank IT team and the victim (who cannot log in to their account to see that the transfers are occurring) from detecting and stopping the fraudulent wire transfers.  This article summarizes the new attack.

When the criminals are successful, the customer of the bank naturally asks the bank to make them whole, and if the bank declines, litigation often ensues.  There have been diverging results in recent court decisions on claims to recover money lost as a result of fraudulent wire transfers.  The plaintiffs base their negligence claims on allegations that the banks failed to comply with the FFIEC guidelines because they are only using single-factor authentication (user name and password) for online banking access (e.g. Global Title, LLC v. Capital One Bank).  It is likely that we will continue to see these cases being filed, especially if the bank involved is not in compliance with the revised FFIEC guidelines (Supplement to Authentication in an Internet Banking Environment) that took effect January 1, 2012.  And following the new multi-factor authentication guidelines is not a guarantee of security. Criminals have developed, for example, a man-in-the-browser attack to defeat multi-factor environments.


Criminals have also recently targeted another potential weakness in a financial institution’s security measures, which has nothing to do with their computer systems:  call center representatives who have been trained to assist customers by providing them with information about their accounts.  This potential vulnerability is in large part dependent upon the vast amount of personal information that is now available on the internet.  With a few simple searches, criminals can know a person’s home address, home and work phone numbers, and work email address in a matter of minutes.  This, of course, is the same type of information financial institutions use to verify a customer’s identification when they call with questions about their accounts.

Armed with this information, criminals then attempt to social engineer call center representatives to collect more.  In particular, they want to collect the account and PIN numbers and log-in identifications that are necessary to enable them to initiate wire transfers out of the customer’s account.  This type of low-tech social engineering scheme may take place over a period of months.  As the scheme evolves, however, the process generally remains the same:  repeated phone calls to call center representatives, in an attempt to get these representatives to unwittingly provide the information needed to initiate wire transfers out of the customer’s account.

That said, we believe there are four steps any financial institution can take to help keep itself from being victimized by this type of fraud.  First, make call center representatives aware of its potential.  They are the front line of defense, and educating them should go a long way toward preventing a low-tech scheme from being successful.  Second, enable call center representatives to quickly check for repeated call activity from a customer.  This does not need to be done on every call, but is good to have available when there is reason to be suspicious.  Third, refuse to ever disclose account numbers, log-in identifications and PIN numbers over the phone.  Fourth, and finally, set up the financial institution’s FedEx or UPS accounts so that packages containing log-in identifications and PIN numbers cannot be re-routed.  If the accounts are not set up in this way, criminals can use the same social engineering techniques on the shipping companies, and have the packages re-routed to their own address.

These four steps should help prevent financial institutions from becoming the victim of a low-tech social engineering data breach.  At the very least, raising awareness among the bank’s workforce of the potential for this type of fraudulent activity should go a long way toward preventing it from being effective.

Authorship Credit: David A. Carney & Craig A. Hoffman