We regularly hear from financial institutions how much they appreciate information we share about the latest banking fraud activities. Towards that end, this post pulls together recent news stories across the spectrum of banking fraud developments.
We also distribute this as a monthly Fraud Factor email. If you’d like to be added to the distribution list, please go to our Contact Us page.
The 2015 edition of the annual “Worst Passwords List” highlights the insecure password habits of Internet users. “123456” and “password” once again reign supreme as the most commonly used passwords, as they have since SplashData’s first list in 2011. The list was compiled from more than 2 million passwords leaked during the year, and it demonstrates how people’s choices for passwords remain consistently risky.
Threats From All Sides – Social Engineering, ID Theft, Insider Fraud, and Zero Day
In May 2014, Texas-based manufacturing firm AFGlobal Corp. was hit by a business email compromise (BEC) attack that resulted in fraud losses of $480,000. AFGlobal subsequently filed a claim with its insurance company, but the insurer denied that claim, stating that business email fraud does not meet the definition of “computer fraud” covered by AFGlobal’s policy. Fraud and legal experts are keeping a close eye on this case because it raises an important legal question: Who is responsible for fraud losses in a case of business email compromise where an internal person willingly transfers the funds? (See our BEC Best Practices.)
Reports of identity theft shot up in 2015, largely driven by an increase in tax refund fraud, according to the Federal Trade Commission. From 2014 to 2015, there were 51 percent more complaints related to tax and wage identity theft, which isn’t all that surprising. All thieves need to file a fraudulent tax return is a Social Security number, such as one stolen in one of the many data breaches from recent years. (See our write-up of fraudulent tax returns.)
A former Wells Fargo bank employee and his friend are both charged with conspiracy, grand theft, embezzlement and money laundering involving more than $800,000. This is an interesting combination of an insider threat with a scheme targeting closed or inactive accounts, which we described in detail in our Absent Account Holder Fraud Informer.
An Israeli cybersecurity startup has discovered a zero-day security flaw in the Linux kernel, which runs millions of servers and desktops. The flaw also affects at least 66 percent of mobile devices that use the Android operating system. An attacker could abuse the flaw to gain root-level privileges on a device and execute arbitrary code or steal any data stored on the device.
PII Worth More than Credit Card Details, while Hyatt and Neiman Marcus are Back in the News
New research shows that user names and passwords for high-profile digital services now fetch a higher price on the deep web than traditional payment details. According to CNBC, while personally identifiable information could make hackers $1 to $3.30, stolen Uber information sells for an average of $3.78 per account, a PayPal account with a $500 balance can make $6.43, and a Facebook login can make $3.02. But a set of U.S. credit card details is likely to be listed for less than 22 cents. Cyber criminals likely use the account details to gain more information on a potential target for a larger-scale identity theft operation.
A recent breach of customer accounts at luxury retailer Neiman Marcus is, once again, putting the spotlight on the vulnerabilities created by relying only on user names and passwords for online authentication. Hackers used automated attacks to access online accounts by trying various login and password combinations. The company suspects this attack was rooted in breaches at other companies where a user may use the same login name and/or password.
A widespread malware attack on Hyatt Hotels last year hit approximately 250 locations worldwide – with nearly 100 of those in the United States – according to a list published by the hotel chain. The unauthorized access occurred between August 13 and December 8, 2015, exposing names, card numbers, expiration dates and internal verification codes. The breach included several Hyatt brands, including the Hyatt Regency, Park Hyatt, and Andaz.
Compromised Websites Spreading Malware while RATs Target Finance Employees
Symantec has identified over 3,500 websites that have been injected with script code to redirect to additional scripting code. Of the compromised websites, 75 percent are located in the U.S. and target a variety of organizations, including businesses, educational institutions, and government agencies. It is likely that the attacks are a reconnaissance activity to learn more about users and utilize that information in another attack.
Attackers have been spreading two families of remote access Trojans (RATs) to small businesses since the start of 2015. The attackers have been targeting employees responsible for accounts and fund transfers in order to steal money from affected organizations. They spread the RATs by sending finance-related emails from spoofed or compromised accounts. Through these infections the attackers can log keystrokes and steal files and passwords, and they are using the targeted employee’s privileged access to transfer money to an account under their control.