ACH Fraud becoming ever more clever

Last week I saw Hal Pomeranz of the SANS institute give a talk on how ACH (Automated Clearing House)  fraud has become increasingly more sophisticated. It is a serious problem and it’s beginning to have a non negligible economic impact on business here in the USA. In this blog post I will summarize the takeaway points and suggest some counter strategies for people who are likely targets.

  • For an initial investment of $3-4K, an aspiring fraudster can own a copy of the Zeus fraud software. That’s the basic package and there are add-ons that can cost them up to $20K. However, they stand to profit so much that even $20K is pigeon feed compared to the amounts they can steal.
  • the fraudster no longer needs to be tech savvy.  They have a GUI for everything.
  • The software gives them access to command servers located in the USA and abroad, where they can configure and track their nefarious activities.
  • They do their homework, and instead of just randomly spamming millions of random people, they specifically target the CFO’s of small businesses. Why small businesses? Because there is usually less financial oversight and monitoring, and less checks and balances, less division of labour, and less workstations. The fraudsters are hoping that the CFO does his online banking on the same box that he uses to read his email, and that he maybe closes the books once a month or so.
  • The Zeus software includes injectable malware which completely controls the infected computer. This means that the fraudster can capture banking credentials, including security questions and answers.
  • The fraudsters can profile the target and find out what he likes and craft a specialized phish email or drive by web infection. If the guy likes golf they might pretend to be a satisfaction survey from a golf supplies store or something.

So the fraudsters phish say a dozen individuals. If at first they don’t succeed, they may try again in a week until their little console lights up to say poor old Accountant Timmy Boggs has been captured. Now that they have him they sit back and wait for him to do some online banking. For all I know they already know where the company banks, or maybe they just have a database of bank IP addresses. Who knows. Anyway they get notified when Timmy logs into his bank and they sift out the credentials that the handy dandy keylogger has provided for them. Remember Secure Sockets is usesless against a keylogger because it logs the keystrokes before they are encrypted.

Once they have Timmy’s credentials they log into the bank account and usually set up a few phony users. Then they start pulling up a list of down-on-their-luck people whom they’ve recruited (often via legitimate job boards) for a work at home job. So let’s say single mom Nadine would like to make a few bucks moving money. She’s too naive to realize that the only reason the people wouldn’t move it themselves is due to the paper trail. So they promise Nadine a commission of say 2%. and the amounts are usually just under $10,000, due to US banking regulations where there ismuch more stringent vetting of transactions over that amount. $196 sounds pretty good to Nadine for the cost of a Western Union wire transfer. So the fraudsters log in as the non existent employees and transfer a sum in the neighborhood of $9800 into Nadine’s account. They instruct Nadine to wire $9600 to some account in the Ukraine and the $200 is left for her to keep for her commission. Nadine thinks that’s pretty easy money. The technical term for Nadine’s role in the scam is “Mule” — the unknowing dumb-ass who actually moves the money. The fraudsters repeat this game with several other mules until they have drained the company’s money. Of course it’s all done through proxies. They can not be traced. The paper trail points to Nadine and all the other mules like her. The next time old Timmy logs into the bank account, all the money is gone and the records of the fraudulent transactions only go to the mules. Good luck trying to get $9800 out of Nadine or any of them. Good luck trying to get any cooperation from the Ukraine!

Of course, business assets are not covered by FDIC. That program only protects individuals’ assets up to $250,000. Boom! That business is history.

How to protect yourself

  • Your best line of defense would be just not to do online banking period.
  • Of course, in this day and age people aren’t going to forego online banking, so your second best course of action would be to have an old computer that your company uses only for banking. Keep it offline the rest of the time.
  • Don’t use Windows computers for your online banking. The fraudsters so far seem to focus on Windows systems because they are far and away the most used. So that dedicated banking computer? Make it an old Mac or a hardened Linux box.
  • Help educate people about these work-at-home scams. Any job offer involving wire transfers of money should be looked at with great suspicion.
  • Don’t fall for phish’s! See my detailed post on how to avoid being phished.

19 comments to ACH Fraud becoming ever more clever

  • After reading stuff like this, I’m kinda glad my online bank uses a passcode sheet with one time use numbers that the banking system asks when you log in. One code only works for one log in.

    In addition, they employ a sheet of reusable passcodes. When you try to do something, such as wire money, the system asks for one of the codes randomly.

    Good luck trying to do anything without the sheet.

  • […] This post was mentioned on Twitter by Colleen Dick. Colleen Dick said: blogmeat: ACH Fraud becoming ever more clever […]

  • That does make it harder to hack. It also makes online banking less convenient but I think it’s a fair price to pay. The reusable codes could be hacked but it would take the hackers a lot longer to capture all of them.

    One time use numbers is the way things are inevitably moving. Either that or biometrics….

  • I think these types of programs, which open the doors to script kiddys and the like, although most script kids don’t have $20K lying around, are the worst, because they don’t take any real knowledge or skill to use them.

    In regards to online banking, using a Linux Live CD, which lets you boot Linux from a CD, is often the best way. There is no way that programs can be installed or modified on the Live CD, so as long as you get it from a reputable source, you can check your bank from almost anywhere that will let you boot from CD…

  • admin

    I guess it’s worse now in the sense that it enables a lot more people to successfully steal from you, but the person who has just been robbed doesn’t care much about the technical skills of the robber. If he was skillful enough to push the right buttons, then he won and you potentially lost your livelihood.

    I should have said booting from a Live CD is an excellent way to do online banking. That’s actually how I do it so I don’t have to have a completely dedicated box. Thanks for adding that. 🙂

  • Wow! Time to look at installing Linux on my machine!

  • Wow that’s insane. I find it strange that so much criminal software isn’t custom but more or less off the shelf sold in back hat/hacker forums. Decent tip on the old offline computer tho.

  • Online banking is really becoming very risky; but if follow your tips then it will be harder for hacker to hack them. thanks for sharing.

  • […] Last week I saw Hal Pomeranz of the SANS institute give a talk on how ACH (Automated Clearing House)  fraud has become increasingly more sophisticated. It is a serious problem and it’s beginning to have a non negligible economic impact on business here in the USA. In this blog post I will summarize . . . → Read More: ACH Fraud becoming ever more clever […]

  • From the day one, people like hackers try to steal others money and assets, so its like syber world have thieves in shape of crackers. (Some believe that hackers are positive and crackers do evils).

  • Colleen

    You can distinguish between “hackers” and “crackers,” but it’s actually quite grey. What if a “hacker” is exploited to do evil, or what if the hacker thinks it’s for a good cause but maybe not everyone agrees. Obviously, stealing money is evil, stealing information sometimes more and sometimes less so. Depends how it’s used and how far it gets.

  • Great blog here. I think it’s really amazing!!! kudos 2 you

  • Good website, exactly where did you arrive up because of the info in this article? I’m pleased I identified it even if, ill be checking back soon to determine what other content articles you also have.

  • Appreciation pro sharing this impressive article, This board is very sunny! I choice visit again.

  • It’s excellent page, I was looking for something like this

  • It’s good webpage, I was looking for something like this

  • I really like the article, thanks for sharing the info. It’s not too often that you find a blog post where the authorwebmaster knows what they are ranting about. Grammar and spelling are right on as well, only trouble I seemed to have was loading up the website, seemed a bit unresponsive. Any other replies have the same trouble?

  • interesting content.. will pass on

A sample text widget

Etiam pulvinar consectetur dolor sed malesuada. Ut convallis euismod dolor nec pretium. Nunc ut tristique massa.

Nam sodales mi vitae dolor ullamcorper et vulputate enim accumsan. Morbi orci magna, tincidunt vitae molestie nec, molestie at mi. Nulla nulla lorem, suscipit in posuere in, interdum non magna.