The European Network and Information Security Agency (ENISA), which advises the EU institutions and Member States on network and information security, recently warned banks to “assume that all of your customers’ PCs are infected.” The warning came in response to the recent “High Roller” cyberthefts reported by security firms McAfee and Guardian Analytics.
The High Roller Report described a series of highly automated cyberattacks targeting high-balance accounts (hence the name “High Roller”) using customized SpyEye and Zeus malware. The attacks began in Europe and spread to Latin America and the United States. According to the report, cyberthieves attempted to steal at least $78 million in fraudulent online transfers from accounts at more than 60 financial institutions.
The U.S. victims were all companies with commercial accounts that typically held a minimum balance of several million dollars. Companies, unlike consumers, generally bear the loss when online financial fraud occurs: federal banking regulations limit a consumer’s liability for cyberfraud, but there are no equivalent protections for commercial accounts.
The High Roller victims were found through online reconnaissance and targeted spear-phishing emails to individuals or businesses that banked with specific financial institutions. Phishing is a method of email fraud in which the perpetrator sends out legitimate-looking emails in an attempt to gather personal and financial information from recipients. Generally, phishing emails come from what appear to be well-known and trusted websites like eBay or PayPal. I’m sure that many readers have received such emails and have learned to be suspicious of unexpected requests for confidential information, and do not divulge personal data in response to these types of general phishing email messages.
However, a spear-phishing attack is a different story. Those emails are likely to be from what appears to be a trusted source, like someone within the recipient’s company who is in a position of authority. Cyberthieves conduct reconnaissance and social engineering, often through social media sites like Facebook and Twitter, to obtain information to bolster the legitimacy of the spear-phishing email. Spear-phishing is often successful because the apparent source of the email is likely to be a known and trusted individual, there is information within the message that supports its validity, and the request the email/individual makes seems to have a logical basis to the recipient.
According to security experts, employee awareness is your best defense against being duped into disclosing online banking credentials to cybercriminals. Businesses should explain to all employees that they should never respond to an incoming message requesting private information and should never click on a link sent in an email from a dubious source. Businesses should also establish specific guidelines for employees who use social media sites to make clear what topics and details about the company can be discussed in a public forum.
Employee awareness, however, will not completely insulate a company from cyberfraud, because many computers are already infected. According to a federal complaint filed by Microsoft, it has detected more than 13 million suspected malware infections worldwide, more than 3 million of them in the United States. Businesses cannot rely on antivirus software alone to determine whether their machines are infected, as the Zeus malware is detected only 23 percent of the time even by the most up-to-date antivirus software.
According to the High Roller Report, fraud prevention solutions like anomaly detection have proved effective. Cybercrooks can often be detected because they do something different from the legitimate, routine behavior of the actual account holder. For instance, your business may only initiate domestic wire transfers, so a cyberthief who attempts to initiate multiple international transfers from your account stands out against your usual online activity. The basic idea of anomaly detection is to monitor each account holder’s online banking activity from login to logout and compare it with that account’s established pattern of legitimate behavior. Any action or transaction outside that pattern is treated as suspicious and alerts the bank to a potential threat. The Federal Financial Institutions Examination Council (FFIEC) highlighted the effectiveness of anomaly detection in preventing banking fraud when it included it as a minimum expectation for a layered security approach in its 2011 Guidance Supplement. Unfortunately, not all banks currently meet these minimum guidelines.
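The login-to-logout monitoring described above, as an added example that is not part of the original article, the High Roller Report, or any bank’s product: a small Python detector that learns an account’s normal payees, transfer amounts, wire types and login hours from past sessions and then scores a new session against that baseline. The account name, payee names, rule names, thresholds and every event below are constructed for the illustration; the “fraud” session simply reproduces the pattern the article describes (an account that only ever sent domestic wires suddenly sending several international ones), plus the off-hours login and new-payee steps that usually accompany it.

```python
"""Session-level anomaly detection for online banking activity (added example).

Learns a per-account baseline from historical sessions, then scores each new
session from login to logout against it. All names, thresholds and events are
constructed for the example; none come from the High Roller report or a real bank.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from statistics import mean, pstdev


@dataclass
class Event:
    account: str
    session: str
    ts: int                 # Unix time, UTC
    action: str             # login | add_payee | transfer | logout
    payee: str = ""
    amount: float = 0.0
    intl: bool = False      # international wire?


@dataclass
class Baseline:
    payees: set = field(default_factory=set)
    amounts: list = field(default_factory=list)
    intl_transfers: int = 0
    login_hours: set = field(default_factory=set)

    def amount_limit(self):
        """Mean + 3 sigma of historical amounts (None when there is no history)."""
        if not self.amounts:
            return None
        mu, sd = mean(self.amounts), pstdev(self.amounts)
        return mu + 3 * sd if sd else 2 * mu


def build_baseline(history):
    """Learn each account's usual payees, amounts, wire types and login hours."""
    per_account = defaultdict(Baseline)
    for e in history:
        b = per_account[e.account]
        if e.action == "login":
            b.login_hours.add(datetime.fromtimestamp(e.ts, timezone.utc).hour)
        elif e.action == "transfer":
            b.payees.add(e.payee)
            b.amounts.append(e.amount)
            b.intl_transfers += int(e.intl)
    return dict(per_account)


def score_session(events, baseline, velocity_window=300, velocity_max=2):
    """Return (rule, detail) findings for one session compared with its baseline."""
    findings, added_here, transfers = [], set(), []
    limit = baseline.amount_limit()
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "login":
            hour = datetime.fromtimestamp(e.ts, timezone.utc).hour
            if baseline.login_hours and hour not in baseline.login_hours:
                findings.append(("unusual_login_hour", f"{hour:02d}:00 UTC"))
        elif e.action == "add_payee":
            added_here.add(e.payee)          # payee created in this very session
        elif e.action == "transfer":
            transfers.append(e)
            if e.intl and baseline.intl_transfers == 0:
                findings.append(("international_transfer_no_history", e.payee))
            if e.payee in added_here:        # classic mule pattern: add payee, then pay it
                findings.append(("transfer_to_payee_added_this_session", e.payee))
            elif e.payee not in baseline.payees:
                findings.append(("new_payee", e.payee))
            if limit is not None and e.amount > limit:
                findings.append(("amount_outlier", f"{e.amount:.2f} > {limit:.2f}"))
    # Velocity: more than velocity_max transfers inside any velocity_window seconds.
    for i, first in enumerate(transfers):
        burst = [t for t in transfers[i:] if t.ts - first.ts <= velocity_window]
        if len(burst) > velocity_max:
            findings.append(("transfer_velocity", f"{len(burst)} in {velocity_window}s"))
            break
    return findings


def flag_sessions(events, baselines, min_findings=1):
    """Group events by (account, session); return the sessions that trip any rule."""
    sessions = defaultdict(list)
    for e in events:
        sessions[(e.account, e.session)].append(e)
    flagged = {}
    for (account, session), evs in sessions.items():
        findings = score_session(evs, baselines.get(account, Baseline()))
        if len(findings) >= min_findings:
            flagged[session] = findings
    return flagged


# --- Constructed sample data (hypothetical account and payees) ---------------
DAY, WEEK, ACCT = 1699920000, 7 * 86400, "ACME-OPERATING"   # DAY is a midnight UTC
HISTORY = []   # twelve weekly payroll/lease sessions, ~10:00 UTC, domestic only
for _i in range(12):
    _t, _s = DAY + _i * WEEK + 10 * 3600, f"hist-{_i}"
    HISTORY += [Event(ACCT, _s, _t, "login"),
                Event(ACCT, _s, _t + 60, "transfer", "PAYROLL-PROCESSOR", 18000 + 500 * (_i % 4)),
                Event(ACCT, _s, _t + 120, "transfer", "OFFICE-LEASE", 7500),
                Event(ACCT, _s, _t + 180, "logout")]
T_OK = DAY + 12 * WEEK + 10 * 3600
LEGIT_SESSION = [Event(ACCT, "s-legit", T_OK, "login"),
                 Event(ACCT, "s-legit", T_OK + 60, "transfer", "PAYROLL-PROCESSOR", 19000),
                 Event(ACCT, "s-legit", T_OK + 120, "transfer", "OFFICE-LEASE", 7500),
                 Event(ACCT, "s-legit", T_OK + 180, "logout")]
T_BAD = DAY + 12 * WEEK + 3 * 3600   # 03:00 UTC login, new payees, rapid international wires
FRAUD_SESSION = [Event(ACCT, "s-fraud", T_BAD, "login"),
                 Event(ACCT, "s-fraud", T_BAD + 30, "add_payee", "MULE-ACCT-1"),
                 Event(ACCT, "s-fraud", T_BAD + 45, "add_payee", "MULE-ACCT-2"),
                 Event(ACCT, "s-fraud", T_BAD + 120, "transfer", "MULE-ACCT-1", 45000, True),
                 Event(ACCT, "s-fraud", T_BAD + 150, "transfer", "MULE-ACCT-2", 48000, True),
                 Event(ACCT, "s-fraud", T_BAD + 180, "transfer", "MULE-ACCT-1", 50000, True),
                 Event(ACCT, "s-fraud", T_BAD + 200, "logout")]

if __name__ == "__main__":
    for session, found in flag_sessions(LEGIT_SESSION + FRAUD_SESSION, build_baseline(HISTORY)).items():
        print(session, *[f"  {rule}: {detail}" for rule, detail in found], sep="\n")
```

Run stand-alone, the legitimate session produces no findings while the constructed fraud session trips five distinct rules (off-hours login, international wires with no history, transfers to payees created moments earlier, amounts far above the account’s norm, and three wires inside five minutes). The thresholds here are deliberately simple; a bank would tune them per account and route flagged sessions to step-up verification rather than blocking on a single rule.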
Therefore, at a bare minimum, businesses should determine whether their financial institutions comply with the FFIEC guidance and employ anomaly detection. If your bank cannot provide sufficient assurance of such monitoring, you should seriously consider moving your accounts to an institution that offers more robust protection. You may think you cannot be duped, but keep in mind that malware botnets have enabled the theft of more than $100 million from online victims since 2007.
Look for a future article about