Cyber-Crooks Target Small Business
Wednesday, August 26, 2009 at 11:07 PM EDT
Brian Krebs has a story in Tuesday’s Washington Post about a new trend in the ongoing saga of Internet-based fraud. Apparently, criminal groups, many based in Eastern Europe, are focusing their attention on small- and medium-sized businesses in the US, and stealing electronic banking credentials in order to carry out fraudulent wire transfers.
The attack typically begins with an E-mail message sent to the corporate treasurer, controller, or other financial officer. The E-mail will typically be tailored to the recipient, and contain links to apparently legitimate Web sites. If the recipient clicks on the link, he is taken to a site that downloads and installs malware, typically a keystroke logger or other trojan designed to steal passwords and other credentials. With these in hand, the crooks initiate wire transfers from the target company’s account, often using intermediaries (sometimes unwitting ones) to disguise the ultimate destination of the funds.
The businesses involved often are embarrassed to report the fraud to authorities. Because they are businesses, they also lack some of the statutory protection that consumers have for electronic transfers.
This trend reinforces some security lessons that are by no means new.
It’s also important, if you work in a financial function, to make sure that you read and understand the rules that apply to your online banking activities. It should come as no surprise to anyone that banks have made some significant investment in fraud prevention for their consumer banking operations, since the applicable law and regulations make them responsible for losses in some cases. In the case of business accounts, the losses are usually borne by the account holder, and this externality means that the bank doesn’t care all that much.
This article originally appeared on Rich's Random Walks.