Strong Security from the Enterprise to the Edge

Security Now Blog: Addressing Today's Information Security Issues

Banking Trojans Stealing from Countless Commercial Bank Accounts

by Eirik Iverson, Product Management

A perfect storm threatens to empty the commercial bank accounts of small to medium businesses (SMBs).  Two things are combining to unleash a wave of attacks on SMBs: new malware (i.e., only a day old) that routinely eludes traditional anti-virus/spyware products, and the proliferation of plug-and-play tools that enable numerous low-skill cyber criminals to launch attacks with this new malware.  SMBs tend not to monitor their commercial bank accounts on a daily basis.  As a result, a single attack siphons over $100,000 from accounts before discovery.  After 24 hours, the odds of recovery decline dramatically, and banks are not obligated to cover losses.

Banking Trojans Targeting SMB Are Sweeping Across America

A recent survey of over 500 SMB organizations surfaced some alarming statistics (conducted by the Ponemon Institute and Guardian Analytics):

  • 55% of the SMBs experienced a fraud attack in the last year
  • 58% of the incidents involved online banking
  • Over 50% experienced multiple incidents
  • 87% failed to fully recover lost funds

A separate study of 50 SMBs that fell prey to online banking Trojans in 2009 found that they initially lost $157,000 on average.  Those that discovered the fraudulent bank transfers and notified their banks within 24 hours recovered significantly more than those that did not.  On average, the victim SMBs recovered approximately 44% of their initial losses.

Risks to SMBs Under-Reported Due to Lack of Government Oversight

SMB decision-makers are unaware of their growing risks from online banking fraud because no government entity tracks and reports on the number of victim organizations and the amounts lost.  Until banks start losing money, the Federal Deposit Insurance Corporation (FDIC) will not seek permission from the White House to require banks to submit incident reports.

[Update] We have summarized a series of banking Trojan loss incidents reported in the summer of 2009 by the Washington Post, whose columnist Brian Krebs may have collected more incident reports than federal organizations.

Banks Not Obligated to Cover Commercial Online Banking Fraud

“Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and non-profits have suffered some relatively large losses”, said David Nelson, an examination specialist with the FDIC. 

Banks are not required to reimburse enterprise victims of Banking Trojans.  They will work with a victim to try to reverse fraudulent transfers.  However, after 24 hours, the odds of succeeding diminish greatly.  Ultimately, the customer is required to discover and report the fraudulent bank transfers to their bank within that 24-hour period.

Such was the case for Little & King LLC, a marketing company that is facing bankruptcy due to a computer virus infection that siphoned $164,000 from their commercial bank accounts.

Cyber criminals are targeting small to medium businesses because they do not have the checks and balances in place to monitor their commercial bank accounts on a daily basis.  Further, smaller organizations have fewer defenses in place.
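A daily check of the kind described above, written as an added example (not part of the original post): it reviews one day's outbound transfers against an approved payee list and reports how much of the 24-hour reporting window remains for each flagged item. The CSV columns, transaction type codes, payee names, and review threshold are constructed assumptions, not any bank's real export format.

```python
import csv
import io
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample of a daily transaction export. The column names and
# transaction type codes are assumptions, not any real bank's format.
SAMPLE_EXPORT = """posted_at,type,payee,amount
2010-03-01T09:15:00,ACH_DEBIT,Acme Payroll Services,18250.00
2010-03-01T10:02:00,WIRE_OUT,Northside Office Supply,1240.50
2010-03-01T14:40:00,ACH_DEBIT,J. Doe,9800.00
2010-03-01T14:41:00,ACH_DEBIT,R. Roe,9750.00
2010-03-01T16:05:00,DEPOSIT,Customer Payment,30500.00
"""

KNOWN_PAYEES = {"acme payroll services", "northside office supply"}
OUTBOUND_TYPES = {"ACH_DEBIT", "WIRE_OUT"}
REPORT_WINDOW = timedelta(hours=24)   # recovery window cited in the article
LARGE_TRANSFER = Decimal("10000")     # review threshold (assumption)


def review_export(csv_text, known_payees, now):
    """Return outbound transfers needing review, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] not in OUTBOUND_TYPES:
            continue  # deposits and other inbound items are ignored
        amount = Decimal(row["amount"])
        reasons = []
        if row["payee"].strip().lower() not in known_payees:
            reasons.append("unknown payee")
        if amount >= LARGE_TRANSFER:
            reasons.append("large transfer")
        if not reasons:
            continue
        deadline = datetime.fromisoformat(row["posted_at"]) + REPORT_WINDOW
        hours_left = round((deadline - now).total_seconds() / 3600, 2)
        findings.append({"payee": row["payee"], "amount": amount,
                         "reasons": reasons, "hours_left": hours_left,
                         "expired": hours_left <= 0})
    return sorted(findings, key=lambda f: f["hours_left"])


def unknown_payee_exposure(findings):
    """Total sent to payees that are not on the approved list."""
    return sum((f["amount"] for f in findings
                if "unknown payee" in f["reasons"]), Decimal("0"))
```

Calling `review_export(SAMPLE_EXPORT, KNOWN_PAYEES, datetime(2010, 3, 2, 8, 0))` the next morning returns the flagged transfers sorted by time remaining, so the item closest to the end of its window is handled first.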

Update: FBI Does Not Open a Case for a Victim that Lost Less than $500,000

Brian Krebs recently reported that a dental practice in Springfield, Missouri fell prey to a Banking Trojan that stole $205,000.  The office manager said that the FBI told him that they do not open a case for losses under $500,000.  However, the FBI said a task force in Omaha, Nebraska investigating similar cases would include the information from the dental practice in their efforts.  One hopes this task force stationed in the great metropolis of Omaha is well resourced.  What do you think?   Me too.

Your Up-to-Date Anti-Virus/Spyware Will Not Detect Today’s Banking Trojans

A sophisticated banking Trojan will infect your computer when you visit a seemingly legitimate website, open an email attachment apparently from someone you know, or insert a USB thumb drive that had once been inserted into another infected computer.  The malicious attack code that enters your machine will be less than 10 minutes old.  The odds of your anti-virus/spyware software having a virus definition for it are one in four.

[Figure: AntiVirus Detection Rates for Day-Old Malware, Cyveillance, Feb 2010]

An information security firm that finds malware on legitimate websites, in part by observing certain types of changes to the website, conducted a six-month study on the effectiveness of leading anti-virus/spyware products.  At the end of each day, they collected hundreds of new malware samples, then tested the ability of 14 leading anti-virus/spyware products to detect the samples.  The daily average detection rate was a mere 25%, tabulated below.

DIY Zeus Banking Trojan Kits Mean Any Idiot Can Empty Your Commercial Bank Accounts

Panda Labs reported finding 77% more unique Banking Trojans in 2009 than in 2008.  The widespread availability and affordability of malware kits that automate the creation of unique Banking Trojans will mean that Panda Labs will certainly be reporting a much higher growth rate next year.  Anyone with the skills to use iTunes can use one of these kits to steal hundreds of thousands of dollars from an SMB commercial bank account.  Basic kits cost $400 to $700.  They enable a person you wouldn’t hire to wash your windows to send you day-old Banking Trojans that elude your traditional anti-virus/spyware products.  Actually, the malware that will infect your computer will likely be less than 10 minutes old. 

Every petty criminal in the world is hearing stories of others making a lot of money with very little risk.  For example, a German cyber gang called Cosmos made $7 million from just a week’s worth of attacks. 

Most organizations have thus far not been attacked by Day-Old or Zero-Day malware because there were so many other fish in the barrel for those with the required skills to attack.  Malware kits are a game-changer.

Two Factor Authentication Does Not Deter Today’s Banking Trojans

“Online banking customers are getting too reliant on authentication and practicing layers of controls”, says David Nelson of the FDIC.

Today’s banking Trojans, such as the Zeus family, employ several different techniques to circumvent one-time pass code tokens.  One is a man-in-the-middle attack, more aptly called a man-in-the-browser attack.  In short, when users enter the six character code into a form, they’re actually entering it into a fake form that is dynamically generated within the users’ web browser.  Another technique involves stealing the “session cookie”.  So, when the user thinks she’s logged off, the banking Trojan has not and continues to conduct fraudulent transfers.

A New Hampshire based IT consulting firm, Cynxsure LLC, employed a fingerprint scanner for authentication to mitigate risks from password-stealing malware.  However, Cynxsure lost nearly $100,000 in February 2010.  Zeus family Banking Trojans include a feature called “form grabber” that effectively steals the fingerprint authentication data before the web browser can encrypt it.  Consequently, after just one use, such a Trojan can use it later.  Two factor authentication implicitly assumes its host computer is not compromised.

Blue Ridge Enterprise Solutions

Online Banking from Enterprise-Owned Computers

AppGuard can triple your effective computer protection by blocking the new malware attacks that elude traditional anti-virus/spyware software.  Different organizations can choose different forms of AppGuard protection: centrally managed do-it-yourself, managed security service, or employee self-managed.

Online Banking from Employee-Owned Computers

Pixie provides a virtual workspace that is locked-down and malware-free for safely conducting online banking.
