NEW YORK – Valiena Allison got a call from her bank on a busy morning two years ago about a wire transfer from her company?s account. She told the manager she hadn?t approved the transfer. The problem was, her computer had.
As Allison, chief executive officer of Sterling Heights, Mich.-based Experi-Metal Inc., was to learn, her company computer was approving other transfers as she spoke. During hours of frantic phone calls with her bank, Allison, 45, was unable to stop this cybercrime in progress as transfer followed transfer. By day?s end, $5.2 million was gone.
She turned to her bank, a branch of Comerica Inc., to help recover the money for her metal-products firm. It got all but $561,000 of the funds. Then came the surprise: The bank said the loss was Experi-Metal?s problem because it had allowed Allison?s computer to be infected by the hackers.
?At the end of the day, the fraud department at Comerica said: ?What?s wrong with you? How could you let this happen?? ? Allison said.
In increments of a few thousand dollars to a few million per theft, cybercrooks are stealing as much as $1 billion a year from small and midsized bank accounts in the U.S. and Europe like Experi-Metal, according to Don Jackson, a security expert at Dell SecureWorks. And account holders are the big losers.
?I think they?re losing more now than to the James Gang and Bonnie and Clyde and the rest of the famous gangs combined,? said Sen. Sheldon Whitehouse, D-R.I., who chaired a Select Committee on Intelligence task force on U.S. cybersecurity in 2010.
Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren?t covered by insurance as individual accounts are.
?If everyone knew their money was at risk in small and medium-sized banks, they would move their accounts to JPMorgan Chase,? said James Woodhill, a venture capitalist who is leading an effort to get smaller banks to upgrade anti-fraud security for their online banking programs.
JPMorgan Chase, the second-largest U.S. bank, is the only major U.S. bank that insures commercial deposits against the type of hacking that plagues smaller banks, Woodhill said. JPMorgan spokesman Patrick Linehan declined to comment.
Smaller banks as well as many of the victims tend not to make the thefts public, according to interviews with the customers and experts such as Woodhill. As the threat becomes better known, small-business customers and other target entities may shift their business to large, national banks, which can better absorb the losses to maintain customer relations and which have better security policies to protect clients from such crimes.
?It?s frightening for small businesses because they have no clue about this,? said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc., which does computer analysis. ?They just don?t have any clue, and everyone expects their bank to protect them. Businesses are not equipped to deal with this problem, and banks are barely equipped.?
Customers used to being made whole when they are victims of credit-card fraud or ATM thefts have had to sue small and medium-size banks to recover losses after being blamed by their branches for permitting the crime, as Allison was.
The traditional help of law enforcement hasn?t been there either for such customers. In the heyday of bank robberies in the 1930s, the FBI became famous for Tommy-gun shootouts with the bad guys, who were put on the Most Wanted list. In most cases, the identities of the John Dillingers and Pretty Boy Floyds of the 21st century aren?t known because of online anonymity, and the bureau doesn?t disclose statistics on how much these cybercrooks are stealing.
Victims in the last two years have ranged from Green Ford Sales, a car dealership in Abilene, Kan., to Golden State Bridge Inc., a construction company in California wine country. No need to use a mask or gun. These criminals can steal millions from the comfort of their homes dressed in their pajamas.
The crime profits can be staggering and the risks minimal. Jackson, the security expert, said three sophisticated gangs each haul in at least $100 million a year. That dwarfs the $43 million taken in all conventional bank heists in the U.S. last year, from stick-ups to burglaries, according to the FBI.
?A $100 million hit on a bank or a series of banks,? Whitehouse said. ?That?s a pretty big bank robbery. And it doesn?t even make the press. It just trickles through in FBI tip sheets.?
To law enforcement officials, cybercrime is a new priority. Both the FBI and the Secret Service, which has jurisdiction over financial crimes, have boosted manpower to combat computer-enabled robberies and have formed partnerships with foreign law-enforcement agencies.
Those efforts have been swamped by the explosion in e-commerce, said Chris Swecker, a former FBI assistant director who advises companies on cybersecurity. As millions of customers have shifted online, criminals have followed, their hacking tools and nimble criminal organizations racing ahead of old-school law enforcement models.
The banking industry?s reluctance to confront this problem head-on has allowed criminals to reinvest some of their booty to create better, more effective malicious software, known as malware, according to Woodhill.
Malware is what hurt Earl Goossen, business manager for Green Ford Sales, when he logged on to the company?s payroll account at First Bank Kansas at 7:45 a.m. Nov. 3, 2010. Just two days earlier, he?d used his computer to arrange for the bank to send out the $63,000 payroll to employee accounts. Everything went smoothly at first. Goossen responded to a follow-up email request from First Bank Kansas to OK the payroll, just as he did on the 1st and 15th of every month.
Unbeknownst to Goossen, malicious software had infected the computer with a so-called worm, which had the ability to grab passwords, user names and credit card data.
Some malware allows hackers thousands of miles away to take remote control of machines it infects, as if they were sitting at the keyboard. This malware is affordable and easy to obtain. A basic version sells for less than $5,000, Jackson said. Many models, licensed like commercial software from Microsoft and Adobe Systems, even come with tech support, he said.
The worm on Goossen?s machine allowed thieves to log onto the website of the auto dealer?s bank using Goossen?s credentials and set up a second payroll batch for the usual amount for nine non-existent employees. The additional payroll was sent out overnight by First Bank.
The software allowed the hackers to grab Goossen?s email password and banking details. All they had to do was change the notification email address to a name under their control.
When an amount like Green Ford?s $63,000 is taken from a bank by gun-toting robbers, the FBI would typically dispatch special agents to cordon off the crime scene and interview witnesses.
No agents arrived in Abilene on Nov. 4, and no one at the company was ever interviewed by the bureau about the theft.
Green Ford?s owner, Lease Duckwall, filled out a report with local police, who don?t have a cybercrime unit. The Kansas Bureau of Investigation examined his computer and found nothing of use. Frustrated, Duckwall turned detective, interviewing bank employees, victims of similar crimes and whoever knew anything about cybertheft. In the end, the trail went cold.
Representatives of the FBI and the Secret Service insist they are not overwhelmed.
?I don?t think it?s right to conclude that because there are not a lot of arrests that law enforcement is not doing its job,? said Gordon Snow, the FBI?s assistant director of the cyber division.
Article source: http://www.journalgazette.net/article/20110815/BIZ07/308159985/-1/BIZ09
View full post on National Cyber Security » Virus/Malware/Worms