Posted December 2, 2009
This ACH Operations Bulletin provides information to Participating Depository Financial Institutions about “corporate account takeover” – a specific type of cyber-crime that is targeting small- and medium-sized business customers of financial institutions.
This Operations Bulletin also provides guidance for financial institutions on steps that they and their business customers each can take to reduce their respective vulnerabilities to corporate account takeover.
WHAT IS CORPORATE ACCOUNT TAKEOVER?
“Corporate account takeover” is when cyber-thieves gain control of a business’ bank account by stealing the business’ valid online banking credentials. Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects a business’ computer workstations and laptops.
A business can become infected with malware via infected documents attached to an e-mail or a link contained within an e-mail that connects to an infected web site. In addition, malware can be downloaded to users’ workstations and laptops by visiting legitimate websites - especially social networking sites - and clicking on the documents, videos or photos posted there. This malware can also spread across a business’ internal network.
In a recent attack, cyber-thieves sent millions of e-mails purporting to come from NACHA. Mimicking a reputable, national organization is a common tactic used by cyber-thieves to gain credibility and lure unsuspecting individuals into taking some action. The e-mail “reported” a rejected ACH transaction, and included a link for an “Unauthorized ACH Transaction Report.” A recipient who clicked on the link would be taken to a fake web site that mimicked the real NACHA web site, which prompted the recipient to click on a fake transaction report. If the recipient clicked the link, the malware was downloaded to the recipient’s computer.
The malware installs keylogging software on the computer, which allows the perpetrator to capture a user’s credentials as they are entered at the financial institution’s web site. Sophisticated versions of this malware can even capture token-generated passwords, alter the display of the financial institution’s web site to the user, and/or display a fake web page indicating that the financial institution’s web site is down. In this last case, the perpetrator can access the business’ account online without the possibility that the real user will log in to the web site.
Once installed, the malware provides the information that enables the cyber-thieves to impersonate the business in online banking sessions. To the financial institution, the credentials look just like the legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns, and ACH and wire transfer origination parameters (such as file size and frequency limits, and Standard Entry Class (SEC) Codes).
The cyber-thieves use the sessions to initiate funds transfers, by ACH or wire transfer, to the bank accounts of associates within the U.S. These accounts may be newly opened by accomplices or unwitting “money mules” for the express purpose of receiving and laundering these funds. The accomplices or mules withdraw the entire balances shortly after receiving the money, and then send the funds overseas via over-the-counter wire transfer or other common money transfer services.
WHY ARE SMALLER BUSINESSES AND ORGANIZATIONS TARGETED?
The cyber-thieves appear to be targeting small- to medium-sized businesses, as well as smaller government agencies and non-profits, for several reasons:
WHAT CAN A FINANCIAL INSTITUTION DO?
Financial institutions and business customers have distinct responsibilities to help address the security of online access to businesses’ accounts. Each can take steps to protect corporate accounts from being taken over.
The top things financial institutions can do are:
Financial institutions should educate their business customers on prevention, detection and reporting measures. The top things a business can do are:
ACH OPERATOR SERVICES
Financial institutions should consider fraud detection and risk management services offered by their ACH Operators. For example, a threshold or a cap on ACH credit origination could alert a financial institution, particularly a small institution with low average daily ACH credit origination, to irregular origination activity.
WHAT TO DO IF YOUR CUSTOMER IS VICTIMIZED
A financial institution whose customer has been victimized can:
HOW TO SPOT A MONEY MULE
The corporate account takeover scheme relies on “money mules” for the final transfer of funds out of the U.S. Money mules are typically individuals unrelated to the cyber-thieves. They are recruited either through online advertisements for work-at-home and mystery shopper schemes, or through online job sites where they have posted resumes.
Once recruited, a money mule is instructed to open a bank account. Shortly thereafter, large deposits are made into the account by ACH credit or wire transfer. The money mule withdraws the funds (less a commission or fee), and then uses an over-the-counter wire transfer service to remit the funds out of the country to his or her “employer.”
To spot a money mule, a financial institution can look for a pattern of activity that is consistent with the corporate account takeover scheme:
In many of these cases, the dollar amounts of the deposits and withdrawals are often around $9,000, apparently due to a belief on the part of the cyber-thieves that transactions of $10,000 or more receive more scrutiny by financial institutions.
According to the FDIC, “money mule activity is essentially electronic money laundering addressed by the Bank Secrecy Act and Anti-Money Laundering Regulations. Strong customer identification, customer due diligence, and high-risk account monitoring procedures are essential for detecting suspicious activity, including money mule accounts.”
ADDITIONAL INFORMATION AND RESOURCES
Banking regulatory agencies consider funds transfers initiated via Internet banking to be inherently “high-risk.” The agencies consider “single-factor authentication, as the only control mechanism, to be inadequate” for securing such high-risk transactions.
Regulators and law enforcement agencies that have issued relevant guidance include:
Fraudulent Work-at-Home Funds Transfer Agent Schemes – October 29, 2009
Fraudulent Electronic Funds Transfers (EFTs) – August 26, 2009
Fraudulent Automated Clearing House (ACH) Transfers Connected to Malware and Work-at- Home Scams – November 3, 2009
Local FBI Offices
Red Flags Rule
Internet Crime Complaint Center
Financial Services – Information Sharing and Analysis Center