Last week I saw Hal Pomeranz of the SANS Institute give a talk on how ACH (Automated Clearing House) fraud has become increasingly sophisticated. It is a serious problem and it’s beginning to have a non-negligible economic impact on businesses here in the USA. In this blog post I will summarize the takeaway points and suggest some counter-strategies for people who are likely targets.
- For an initial investment of $3-4K, an aspiring fraudster can own a copy of the Zeus fraud software. That’s the basic package and there are add-ons that can cost them up to $20K. However, they stand to profit so much that even $20K is pigeon feed compared to the amounts they can steal.
- The fraudster no longer needs to be tech savvy. They have a GUI for everything.
- The software gives them access to command servers located in the USA and abroad, where they can configure and track their nefarious activities.
- They do their homework, and instead of just randomly spamming millions of random people, they specifically target the CFOs of small businesses. Why small businesses? Because there is usually less financial oversight and monitoring, fewer checks and balances, less division of labour, and fewer workstations. The fraudsters are hoping that the CFO does his online banking on the same box that he uses to read his email, and that he maybe closes the books once a month or so.
- The Zeus software includes injectable malware which completely controls the infected computer. This means that the fraudster can capture banking credentials, including security questions and answers.
- The fraudsters can profile the target and find out what he likes and craft a specialized phish email or drive by web infection. If the guy likes golf they might pretend to be a satisfaction survey from a golf supplies store or something.
So the fraudsters phish, say, a dozen individuals. If at first they don’t succeed, they may try again in a week until their little console lights up to say poor old Accountant Timmy Boggs has been captured. Now that they have him they sit back and wait for him to do some online banking. For all I know they already know where the company banks, or maybe they just have a database of bank IP addresses. Who knows. Anyway they get notified when Timmy logs into his bank and they sift out the credentials that the handy dandy keylogger has provided for them. Remember that SSL (Secure Sockets Layer) is useless against a keylogger, because it logs the keystrokes before they are encrypted.
Once they have Timmy’s credentials they log into the bank account and usually set up a few phony users. Then they start pulling up a list of down-on-their-luck people whom they’ve recruited (often via legitimate job boards) for a work-at-home job. So let’s say single mom Nadine would like to make a few bucks moving money. She’s too naive to realize that the only reason the people wouldn’t move it themselves is the paper trail. So they promise Nadine a commission of, say, 2%, and the amounts are usually just under $10,000, because US banking regulations require much more stringent vetting of transactions over that amount. $196 sounds pretty good to Nadine for the cost of a Western Union wire transfer. So the fraudsters log in as the non-existent employees and transfer a sum in the neighborhood of $9800 into Nadine’s account. They instruct Nadine to wire $9600 to some account in the Ukraine and the $200 is left for her to keep as her commission. Nadine thinks that’s pretty easy money. The technical term for Nadine’s role in the scam is “mule”: the unknowing dumb-ass who actually moves the money. The fraudsters repeat this game with several other mules until they have drained the company’s money. Of course it’s all done through proxies. They cannot be traced. The paper trail points to Nadine and all the other mules like her. The next time old Timmy logs into the bank account, all the money is gone and the records of the fraudulent transactions only lead to the mules. Good luck trying to get $9800 out of Nadine or any of them. Good luck trying to get any cooperation from the Ukraine!
Of course, business assets are not covered by FDIC. That program only protects individuals’ assets up to $250,000. Boom! That business is history.
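The mule scheme above leaves a fingerprint that a bank, or a business reviewing its own transaction export, can look for: a freshly created online-banking user, a payee never paid before, an amount parked just under the $10,000 line, and several such transfers minutes apart. The following is an added example of mine, not code from the talk or this post; the sample transfers, user names, payees, thresholds and the one-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample ACH transfers (not real data). Each row is:
# (timestamp, initiating user, date that user was created, payee, USD amount)
TRANSFERS = [
    ("2010-03-01 09:12", "tboggs", "2007-05-14", "Payroll Corp", 42000.00),
    ("2010-03-02 10:05", "jdoe1", "2010-03-01", "N. Smith", 9800.00),
    ("2010-03-02 10:09", "jdoe1", "2010-03-01", "R. Lopez", 9750.00),
    ("2010-03-02 10:14", "jdoe2", "2010-03-01", "K. Chen", 9900.00),
    ("2010-03-02 11:00", "tboggs", "2007-05-14", "Office Supply Co", 430.50),
]
KNOWN_PAYEES = {"Payroll Corp", "Office Supply Co"}  # payees seen before this window
THRESHOLD = 10_000.0         # the reporting line the mule amounts stay just under
NEAR_LOW = 9_000.0           # "just under" band is [NEAR_LOW, THRESHOLD)
NEW_USER_DAYS = 7            # a user created this recently is likely a phony one
WINDOW = timedelta(hours=1)  # mule payments tend to go out back to back
MIN_HITS = 2                 # two or more in one window raises an alert

def flag_reasons(ts, user, created, payee, amount):
    """Indicators a single transfer trips; an empty list means nothing odd."""
    reasons = []
    if NEAR_LOW <= amount < THRESHOLD:
        reasons.append("amount just under reporting threshold")
    if (ts - created).days <= NEW_USER_DAYS:
        reasons.append(f"initiated by recently created user {user}")
    if payee not in KNOWN_PAYEES:
        reasons.append(f"first ever payment to {payee}")
    return reasons

def find_mule_bursts(rows):
    """Group transfers tripping all three indicators into bursts within WINDOW."""
    hits = []
    for ts_s, user, created_s, payee, amount in rows:
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M")
        created = datetime.strptime(created_s, "%Y-%m-%d")
        if len(flag_reasons(ts, user, created, payee, amount)) == 3:
            hits.append((ts, user, payee, amount))
    hits.sort()  # chronological, so a burst is a contiguous run
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= WINDOW:
            j += 1
        if j - i + 1 >= MIN_HITS:
            bursts.append(hits[i:j + 1])
        i = j + 1
    return bursts
```

On the constructed data, `find_mule_bursts(TRANSFERS)` returns one burst of three transfers (the two phony users paying three new payees $29,450 in nine minutes) and ignores Timmy's ordinary payroll and office-supply payments.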
How to protect yourself
- Your best line of defense would be just not to do online banking period.
- Of course, in this day and age people aren’t going to forego online banking, so your second best course of action would be to have an old computer that your company uses only for banking. Keep it offline the rest of the time.
- Don’t use Windows computers for your online banking. The fraudsters so far seem to focus on Windows systems because they are far and away the most used. So that dedicated banking computer? Make it an old Mac or a hardened Linux box.
- Help educate people about these work-at-home scams. Any job offer involving wire transfers of money should be looked at with great suspicion.
- Don’t fall for phishes! See my detailed post on how to avoid being phished.