Business Email Compromise Scam: Stories From Victimized Businesses

We have found that an effective way to make fraud attacks and schemes real and believable is to tell specific stories about real attacks and real losses.

Nearly every financial institution we talk to has a story about a business client that has been victimized by the Business Email Compromise (BEC) scam. Here are six to highlight the variations and similarities across the attacks, and the effort criminals will put into these attacks to make sure that the fraudulent requests look legitimate, which is what makes this scheme so hard to detect.

While not all attacks share all of these, some of the more common characteristics of this scam captured in these stories are:

  • Compromised or spoofed email address
  • Credible story, consistent with company plans
  • Request for urgency and secrecy
  • Request to only use phone number and email address in the initial email
  • Timed for when the requester (CEO or CFO) is traveling
  • New payment instructions from a vendor

Behavioral analytics would have detected every one of these attacks because in every case there is something inconsistent with prior behavior. Often it’s well hidden or disguised, but it’s always there.
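To make that claim concrete, the following added example (written for this post; not Guardian Analytics or FraudMAP code) compares a new wire request with the requester's prior wires and reports the inconsistencies the six stories share: a never-seen payee, a known vendor whose account details changed, a new destination country, an out-of-line amount, and a quick repeat payment. The history, the requests, the weights and the `HIGH_RISK` threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Wire:
    when: date          # date sent (history) or requested (new request)
    requester: str      # employee who submitted the request
    beneficiary: str    # payee name as entered on the request
    account: str        # beneficiary account identifier (constructed placeholder)
    country: str        # beneficiary bank country
    amount: float       # USD


# Constructed wire history for one business customer; not real transactions.
HISTORY = [
    Wire(date(2015, 6, 5), "controller", "Acme Supply", "US-1001", "US", 12000.0),
    Wire(date(2015, 6, 19), "controller", "Acme Supply", "US-1001", "US", 11500.0),
    Wire(date(2015, 7, 3), "controller", "Acme Supply", "US-1001", "US", 12800.0),
    Wire(date(2015, 7, 17), "controller", "Rent Co", "US-2002", "US", 9000.0),
    Wire(date(2015, 8, 7), "controller", "Acme Supply", "US-1001", "US", 12300.0),
    Wire(date(2015, 8, 21), "controller", "Rent Co", "US-2002", "US", 9000.0),
]

HIGH_RISK = 4  # hypothetical threshold: at or above this, hold the wire and call the customer


def score_wire(history, request):
    """Compare a new wire request with the requester's prior wires.

    Returns (score, reasons). Each reason is one inconsistency with prior
    behaviour of the kind the stories above describe.
    """
    prior = [w for w in history if w.requester == request.requester]
    if not prior:
        return HIGH_RISK, ["requester has no prior wire history"]

    score, reasons = 0, []
    known_payees = {w.beneficiary for w in prior}

    if request.beneficiary not in known_payees:
        score += 2
        reasons.append("first wire to this beneficiary")
    else:
        # Known vendor, different account: the "new payment instructions" pattern (story 4).
        accounts = {w.account for w in prior if w.beneficiary == request.beneficiary}
        if request.account not in accounts:
            score += 3
            reasons.append("known beneficiary with changed account details")
        # Repeat wire to a payee first paid only days ago (story 4: "payment not received yet").
        first_seen = min(w.when for w in prior if w.beneficiary == request.beneficiary)
        if (request.when - first_seen).days <= 7:
            score += 2
            reasons.append("repeat wire to a beneficiary first paid within the last 7 days")

    if request.country not in {w.country for w in prior}:
        score += 2
        reasons.append(f"first wire to country {request.country}")

    # Amount check: either far above anything sent before, or a strong statistical outlier.
    amounts = [w.amount for w in prior]
    mu, sd = mean(amounts), pstdev(amounts)
    z = (request.amount - mu) / sd if sd else 0.0
    if request.amount > 2 * max(amounts) or z > 3:
        score += 2
        reasons.append(f"amount {request.amount:,.0f} far above prior wires (max {max(amounts):,.0f})")

    return score, reasons


def is_high_risk(history, request):
    return score_wire(history, request)[0] >= HIGH_RISK


# Constructed requests illustrating the stories above.
NORMAL_REQUEST = Wire(date(2015, 9, 4), "controller", "Acme Supply", "US-1001", "US", 12100.0)
# Story 1 pattern: a large sum to a never-seen payee in a country never paid before.
BEC_REQUEST = Wire(date(2015, 9, 4), "controller", "Beijing Holdings", "CN-9009", "CN", 5_000_000.0)
# Story 4 pattern: a known vendor whose "payment instructions" suddenly point elsewhere.
CHANGED_INSTRUCTIONS = Wire(date(2015, 9, 4), "controller", "Acme Supply", "CN-7777", "CN", 12500.0)
# Story 4 again: a second wire a few days after the first one to a brand-new payee.
REPEAT_HISTORY = HISTORY + [Wire(date(2015, 9, 1), "controller", "New Vendor Ltd", "CN-5555", "CN", 90000.0)]
REPEAT_REQUEST = Wire(date(2015, 9, 4), "controller", "New Vendor Ltd", "CN-5555", "CN", 90000.0)

if __name__ == "__main__":
    for name, hist, req in [("normal", HISTORY, NORMAL_REQUEST), ("story 1", HISTORY, BEC_REQUEST),
                            ("story 4", HISTORY, CHANGED_INSTRUCTIONS), ("repeat", REPEAT_HISTORY, REPEAT_REQUEST)]:
        print(name, score_wire(hist, req))
```

The reasons list is what makes the confirmation call productive: the FI can tell the business exactly which detail differs from its own past wires, rather than asking a yes/no question the victim is primed to answer "yes".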

Story 1: Auditor Asks for Payment for Acquired Business

The corporate controller received emails that appeared to be from the company’s outside auditing firm with requests to transfer millions of dollars to a Chinese bank. Three wire transfers were requested and sent for a total of $17.2 million.

The initial emails included language focusing on secrecy, urgency and sensitivity, including: “I need you to take care of this. For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company. … This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”

The Controller called the auditor to confirm, using the phone number provided in the email. The criminal was ready with a person in place posing as an employee of the auditing firm to confirm the requests. There also was an element of consistency between the wire requests and the company’s business plans as the company had been discussing the expansion into China and they were in the middle of an audit.

Story 2: Wire Transfer with Immediate Money Mule Action

The Controller received an email that appeared to be from the CEO requesting a wire transfer to an individual in Pennsylvania. The $38,000 wire was processed on a Friday morning to bank A. Shortly after, the beneficiary went into bank A to request a wire transfer to bank B for $31,400, a second wire for $6,000 through Western Union, and then withdrew $600 in cash.

On Tuesday morning, the Controller received and submitted a second wire request from the CEO, this time for $78,000 payable to a business in Kansas. The bank flagged the request only because of an invalid routing number. The bank contacted the requestor, who realized the request was fraudulent only when they went to look up the correct routing number. If not for a typo on the part of the criminal, the business surely would have been victimized for an additional $78,000 instead of only $38,000.

Story 3: Fraudsters Mined Email for How to Submit Wire Request

This attack started with the criminal compromising the business’ email system to look for details of how to submit a legitimate-looking wire request. They also learned that the bookkeeper had just received approval via email from the CEO to submit and approve wires.

The next day the bookkeeper received a request from the CEO to submit a wire transfer request, which was consistent with how previous wire requests had been submitted. After receiving the transfer order, the bank called the company because the wire request seemed out of character, but the bookkeeper was insistent that it was a legitimate request and that it came from the CEO. The bank processed the payment before the business realized that it was a fraudulent request.

Story 4: Fraudster Poses as Vendor and Gets Paid Twice

This attack started when the business received an email from a vendor explaining that they had changed their payment instructions. New payments were to be sent to an account in China. The financial institution thought it looked suspicious and called to confirm, but the business insisted it was OK.

When the wire request came back “unable to apply,” the business checked the wire instructions and submitted the wire request again, and this time the receiving bank did not reject it. Then the fraudster, posing as the vendor, called to say that they had not received payment yet, and the business submitted the wire request a third time, resulting in total payments exceeding $200,000.

Story 5: “Attorney” Calls with Wire Instructions

The finance department received an email from their CEO regarding a company acquisition that was top secret. The email explained that an attorney working on the acquisition would send payment instructions. They subsequently did receive an email (from the fraudster), and it was from a compromised email address at a real law firm, adding legitimacy to the request. The “attorney” then called to provide wire instructions over the phone. The loss was averted only when the FI called the CEO to confirm.

Story 6: Request Timed with CEO Travel

A company’s accountant received an email from the CEO instructing him to send out wire transfers totaling over $100,000. The accountant tried to confirm by phone but was unable to reach the CEO who was traveling overseas. When the accountant responded to the email instructions with a follow-up question, he received an abrupt reply reprimanding him to get it done. Although there were internal checks in place and a controller raised questions, the air of business urgency won out and the wires were ultimately sent out.

The wire transfers were directed at legitimate businesses in a different state. These businesses promptly received calls from the fraudsters claiming to be from the Minnesota company, indicating that they had accidentally sent the funds and instructing that the funds be “returned,” this time to a third account controlled by the thieves. (Thanks to for this one.)

Additional Resources

Financial institutions are invited to download our BEC Scam Detection Kit that includes resources for you and your business customers. It includes best practices for businesses (including a version you can brand as your own), best practices for FIs, and our Fraud Update describing this scam.

Our recent webinar goes into much more detail about how fraudsters prepare for and execute this attack, highlighting why it’s so hard for businesses and FIs to detect. Learn more and watch the recording here.


Fraud Factor – November 2015

We regularly hear from financial institutions how much they appreciate information we share about the latest banking fraud activities. Towards that end, this post pulls together recent news stories across the spectrum of banking fraud developments.

We also distribute this as a monthly Fraud Factor email. If you’d like to be added to the distribution list, please go to our Contact Us page.

Breaches Continue to Steal the Headlines

It’s ironic that Cyber Security Awareness Month saw a flurry of data breaches. Here are some of the more noteworthy examples of data now in the hands of fraudsters as they build out dossiers on their soon-to-be victims.

Scottrade – Retail brokerage Scottrade announced that it had suffered a data breach affecting 4.6 million customers. The attack targeted client names and street addresses, although Social Security numbers, email addresses and other sensitive data also were contained in the system accessed.

American Bankers Association – Email addresses and passwords used to make purchases or register for events through’s Shopping Cart have been compromised, exposing at least 6,400 members.

Trump Hotels – Customer credit and debit card numbers may have been stolen at seven Trump hotels after its payment systems were hacked for over a year. Hackers gained access to its front desk systems plus restaurants and gift shops.

America’s Thrift Stores – The company acknowledged that a data breach took place through software that was used by a third-party service provider. As a result, criminals were able to obtain payment card numbers and expiration dates.

Android Devices Targeted with Something New, Something Old

Android Banking Trojan Delivers Customized Phishing Pages Straight From the Cloud

A new Android threat uses a flexible social engineering technique to steal banking credentials. Rather than disguising itself as a specific app, Android.Fakelogin identifies the banking app that’s running on the device and overlays a customized, fraudulent login page. It does this by accessing cloud-based logic hosted on a remote command-and-control (C&C) server to determine the exact page to display. The malware also uses stealth technologies and obfuscation techniques to make itself difficult to find and reverse-engineer. All of these features make Android.Fakelogin a formidable threat to mobile devices.

Stagefright is Back in the Limelight

The researchers who discovered the first vulnerability have announced the discovery of two more holes that allow for remote code execution on devices running Android 5.0 or later. The newly-discovered vulnerabilities are triggered when Android devices process infected MP3 or MP4 files. The danger is that the vulnerability is in the metadata of the files themselves, allowing for “remote code execution,” which allows the cybercriminal to run whatever code they like on the device.

Social Engineering Schemes Proving Difficult to Prevent

Why Low-Tech Fraud Is a Growing Risk

While sophisticated cyber attacks get most of the attention, social engineering schemes and other low-tech attacks are far more common and pose a greater fraud risk. Neira Jones, an independent cyber and payments security expert, showed why username and password authentication has to go, and added that until we use biometrics and behavioral analytics for authentication, fraudsters will have the upper hand.

BEC Scam Continues to Plague Business Account Holders

The recent skyrocketing trend of the business email compromise (BEC) is taking both banks and businesses by storm. Fraudsters have found a scheme that works, is fast, gives them access to an enormous amount of money, and, to date, is hardly being stopped. Just about everything a financial institution might do to validate the socially engineered request will come up “approved.” Learn how the scam works, why it’s effective, and how to detect it in our upcoming webinar.

Attacks To Watch Out For, Including Defeating EMV

Top 7 Cyberthreats to Watch Out for in 2015-2016

These are boom times for cyberthreats, cyberattacks and cybercrime. From identity theft to retail hacks, these attacks are dominating the news cycle. Kaspersky Lab’s seven ongoing threats that showcase today’s challenges in keeping data protected include smartphone vulnerabilities, phishing and social engineering, and attacks on banks.

How Criminals Cracked EMV

European criminals cannibalized stolen EMV cards, combining clipped smartcard chips with miniature microprocessors to construct fake payment cards that defeated point-of-sale security checks, enabling them to commit as much as $680,000 in fraud. “This particular attack no longer works as it was ‘fixed,’ but I have to say experience shows that where there is one [attack], there will be others,” said University of Surrey computer science professor Alan Woodward.

DDoS Attacks Can Last for Weeks

Kaspersky DDoS Intelligence Report Q3 2015

In Q3 2015, botnet-assisted DDoS attacks targeted victims in 79 countries around the world, with 92% of targeted resources located in 10 countries, led by China, the US and South Korea. The longest DDoS attack in Q3 2015 lasted for 320 hours (or 13.3 days). One of the leading trends emerging from Q3 was DDoS attacks targeting financial organizations for the purpose of extortion.

Malware Hijacks MySQL Servers to Perform DDoS Attacks

Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets. The attackers are compromising MySQL servers to take advantage of their large bandwidth. With these resources, the attackers could launch bigger DDoS campaigns than if they used traditional consumer targets.


BEC Scam – Yeah, we detect that! If only business account holders would listen.

This blog post differs from most of our educationally oriented marketing programs and content in that it’s somewhat self-serving, but we have a point to make.

The recent skyrocketing trend of the business email compromise (BEC) scam (see our earlier write-up) is taking both banks and businesses by storm. In fact, per an FBI alert, this scam has resulted in $1+B in losses worldwide, and that’s just what’s been reported.

Fraudsters do their homework and know who requests and approves wires. They check travel schedules so they can time their attack for when execs are unavailable to reconfirm the request. They then use social engineering techniques to trick business employees into submitting a wire transfer request. Some BEC attacks start with compromising and mining a company’s email system for examples of how wires are requested, so the fraudster can closely mimic prior payment amounts and the tone and style of the executive they’re impersonating.

Fraudsters have found a scheme that works, is fast, gives them access to an enormous amount of money, and, to date, is hardly being stopped. Just about everything a financial institution might do to validate the socially engineered request will come up “approved.” When the bank calls into their customer to verify the wire transfer, the requestor is absolutely sure that the wire request is legit. Indeed the business client often actually gets a bit annoyed at their FI for questioning the request. The bank processes the wire, and then, sometime later after the wire has already been sent, the customer calls back when they realize they have been scammed.

Certainly there must be some way to curb this scheme that’s robbing businesses and putting a stress on the customer – bank relationship. And there is!

We can tell when a wire is fraudulent. The perpetrators don’t know their victim’s prior wire behavior. FraudMAP does. FraudMAP compares new wire requests to earlier wire transfer activity to identify high-risk wires, such as those resulting from the BEC scam. We also arm the FI with specific details that make for a more productive call with the requestor.

We’ve been talking to many of our customers about this scam and we’re hearing a similar story from all of them: they have business customers who have been victimized, and they have successfully detected the suspicious wires with FraudMAP. When they call to confirm, the business (hopefully) listens and realizes they’ve been duped, or they insist it’s legitimate and basically force the bank to process the payment, only to realize their mistake later.

Our latest educational effort is to help banks not take “send” for an answer with high-risk wires. We’ve assembled Best Practices for Financial Institutions to Detect the BEC Scam, which includes what to look for and how to conduct what could be a delicate conversation with the business account holder.

To learn more about how this scam works and how to detect it, please attend our upcoming webinar on November 18th. If you have business accounts that have been victimized and you would like to improve your ability to protect them from these losses, plus save yourself the cost of trying to unwind the payments when your clients finally see the light, please contact us to learn more about FraudMAP Wire.


Fraud Factor – October 2015

We regularly hear from financial institutions how much they appreciate information we share about the latest banking fraud activities. Towards that end, this post pulls together recent news stories across the spectrum of banking fraud developments.

We also distribute this as a monthly Fraud Factor email. If you’d like to be added to the distribution list, please go to our Contact Us page.

It’s National Cyber Security Awareness Month

Recognizing the importance of cybersecurity to our nation, President Obama designated October as National Cyber Security Awareness Month. It is designed to engage and educate public and private sector partners through events and initiatives (see schedule in this article) with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

EMV is Here, and DDoS is Back In the News

EMV: Countdown to the Fraud Shift

The fraud shift as a result of the migration to EMV chip payments in the U.S. will extend beyond card-not-present payments. First-party or new account fraud and business email compromise attacks are likely to increase, too, as EMV shores up the security of card transactions at the point of sale. In addition, banks should be bracing for more distributed denial-of-service attacks.

Bidding for Breaches, Redefining Targeted Attacks

A growing community of private and highly-vetted cybercrime forums is redefining the very meaning of “targeted attacks.” These bid-and-ask forums match crooks who are looking for access to specific data, resources or systems within major corporations with hired muscle who are up to the task or who already have access to those resources.

DDoS Attacks on the Rise, but Consumers Remain Unaware

A new Akamai report shows a 132 percent increase in the volume of second-quarter DDoS attacks, compared with the same period last year. One theory about why DDoS attacks are on the rise is that they are easy to put together, and there are a number of DDoS-for-hire services (also called ‘stressers’) that are available for anyone with a few dollars to spare.

Perilous Pop-ups: How Malvertising is Getting Added Muscle

There’s a problem with online advertising today. No, it’s not that the ads are intrusive or unrelated to your interests. It’s that cybercriminals can easily weaponize online ads to infect your computer with viruses. The technique is called malicious advertising, or malvertising, and it uses online ads to spread malware. According to a new report from Cyphort Inc., The Rise of Malvertising, these attacks rose 325 percent in the past year and have been found on many popular sites.

Fraudsters Breach More Fingerprints Than Reported, Experian Data, Even Satellites

Hackers Took Fingerprints of 5.6 Million U.S. Workers

The Office of Personnel Management acknowledged that the hackers who stole security dossiers from the agency got the fingerprints not of the 1.1 million employees originally reported, but of 5.6 million federal employees. As we commented when first sharing this story, this is an example of how biometric authentication can be compromised, and once exposed, biometric data such as fingerprints is not as easy to change as a password.

Experian Data Breach Affects 15 Million People

Credit reporting agency Experian acknowledged that a data breach at one of its business units may have compromised the personal records of 15 million people. A hacker or hackers appear to have obtained access to an Experian server that hosted the personal information of people who applied for T-Mobile’s services between September 1, 2013 and September 16, 2015. The information accessed included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, and passport IDs, all of which helps fraudsters build dossiers on their victims to be used to bypass authentication systems.

Russian Hacker Group Exploits Satellites to Steal Data

(Blogger’s Note: While this article isn’t explicitly about financial fraud, it highlights the capabilities of cyber criminals and the lengths to which they’ll go to capture the information they seek.)

A group of sophisticated Russian-speaking hackers is exploiting commercial satellites to siphon sensitive data from diplomatic and military agencies in the United States and in Europe as well as to mask their location. “For us, it was very surprising,” said Stefan Tanase, senior security researcher at Kaspersky Lab. “We’ve never seen a malicious operation that hijacked satellite” connections to obtain data.

Patreon Donor Details Apparently Spilled After Massive Hack

Crowd funding site Patreon is the latest victim of a data breach, though with a unique twist. Hackers gained access to names, email addresses, posts, and addresses, along with encrypted passwords, Social Security numbers, and tax form information. The problem is that the hacked data appears to include source code, which hackers could use to dig up programming errors that might aid the password cracking process. If Patreon’s encryption key is discovered, it could reveal users’ Social Security numbers and tax IDs.

iOS and Gamers Targeted – Is No One Safe?

First Major Malware on iOS Devices

A new strain of malware called “XcodeGhost” can compromise a number of applications running on iOS devices, exposing some device-specific information and putting devices further at risk. This malware originated via the Apple store in China, and most of the affected applications are Chinese; however, a significant number of affected applications are also outside of China.

Dridex Banking Malware Back in Circulation

Conspicuously off the grid for close to two months, the Dridex banking Trojan made some noise when a large phishing campaign was corralled by researchers at Palo Alto Networks. The phishing emails are laced with a Microsoft Word document that entices users to enable macros that call out to attacker-controlled websites and download the banking malware.

Run, Jump, Shoot, Infect: Trojanized Games Invade Google Play

A newly discovered mobile sneak attack has taken aim at casual gaming fans with a ploy to deliver the Mapin Trojan with games that look like popular titles. While they’ve now been taken off the Google Play store, these Trojanized apps were there for a year-and-a-half and remain proliferated in third-party app stores. Mapin contains functionalities to push notifications, download, install, and launch apps, and get access to private information on the device.



Video: Are You Ready for New Fraud Risks Introduced by Same Day ACH?

We have blogged about this before, but some things are worth repeating, especially if it’s done so with a video that makes it particularly easy to hear and share the message.

After quickly summarizing the ACH payments landscape and the new Same Day ACH rule, our video explores how fraudsters could take advantage of the disruption that Same Day ACH will create. We have repeatedly seen criminals’ creativity and innovation in how to take advantage of any disruption or change.

It also reviews the options that FIs are considering for how to adapt their operations. These possible strategies are derived from conversations we’ve had with FIs plus our own experience with how fraudulent payments can still slip through undetected, or how FIs can stop them.

You can watch our video here.

And our earlier blog post on the subject goes into more detail than we were able to cover in the video.

The bottom line is that September 2016 will be here before we know it, and fraudsters will immediately start looking for ways to benefit from the tighter processing window. FIs need to be exploring now how they will handle the higher volumes and how to successfully and efficiently prevent fraudulent payments.

Our FraudMAP ACH solutions for ODFIs and RDFIs automate reviews, calculate risk scores for payments based on prior originator and recipient behavior, automatically release low risk payments, and provide historical context to speed fraud analysts’ reviews of high risk payments that warrant a closer look.


Wealth Management Account Takeover – An old scheme with a new twist

Brokerages and financial institutions that offer wealth management services need to be on the lookout for a fraud scheme that hinges on taking over wealth management accounts.

Put simply, a criminal buys a stock, manipulates the stock price higher, and then sells his position, making a profit. It’s a classic “pump & dump” scheme (i.e. pump up the price, then dump the stock). But this time it has a new, modern twist.

Fraud Incident Details

1. Criminals identify target stocks they’ll use for this scheme, typically thinly traded securities where even modest volume can have an impact on price. And they buy shares to hold in their own account.

2. They compromise a brokerage or wealth management account, or more likely many accounts, and begin reconnaissance, monitoring frequency of activity and account balances.

3. When the time is right, they sell holdings in the compromised accounts and use the proceeds to buy shares in their target stock. They will do this across all of the accounts they’ve compromised, pushing the price higher. They often also will send emails, posing as an analyst or advisor, encouraging others to buy the stock, further inflating the price. The initial buy action can demonstrate market interest in the stock to the readers of the email, validating the prediction for a nice run-up.

4. Once the stock price has risen sufficiently, the criminal will sell his position, reaping a nice gain relative to his purchase price, and leaving his victims’ accounts in tatters.

What’s New About this Scheme?

Pump & dump schemes have been around for a long time, historically relying on email to get others to bid the price up. In this new version, the criminal is taking an active role in inflating the price by compromising brokerage and wealth management accounts and using other people’s money to force the price up.

Who’s Hurt?

Even though the criminal is manipulating the stock price, which is illegal, he is not actually stealing money from anyone, so one might wonder who really is hurt by this scheme.

The victims whose accounts have been compromised are hurt because their portfolio has been completely rearranged. The criminal may have sold stocks that the victim didn’t want to sell, realizing a gain with tax implications, and the victim ends up with some holdings that they never wanted, and the value of which may fall below the purchase price once the criminal dumps his holding, resulting in a loss for the victim.

The other victims are the financial institutions with whom the victimized investors have placed their money and their trust. They will have some unhappy account holders wondering how the FI could allow the trades to go through, possibly having to provide restitution to the victims in the interest of avoiding losing the business. And they risk suffering damage to their brand and reputation.

Prevention Tips

To execute this scheme, criminals need to log into their victims’ brokerage or wealth management accounts. By modeling account access behavior, financial institutions could detect anomalies that indicate the account has been compromised. Specific signals could include:

  • The account was accessed from a device with a different operating system, browser, or other characteristics
  • The account was accessed through a different network or Internet service provider using a different IP address
  • Timing of the account access was inconsistent with when (time of day, day of the week) the victim typically accesses their account
  • The frequency of access was inconsistent with previously established patterns. For example, the victim typically only accesses his account once a month, and then there’s a flurry of multiple logins over just a couple of days.
  • A combination of all of the above, especially when the variation of any one factor seems minor all by itself.
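The following added example (written for this post; not Guardian Analytics or FraudMAP code) turns those signals into a scorer: it builds a baseline from an account holder's prior logins and scores a new login on device, network, time of day, day of week and login frequency, with an extra bump when several factors deviate at once. The login history, the sample events, the weights and the burst parameters are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    at: datetime
    os: str
    browser: str
    isp: str    # network or ISP the session came from
    ip: str     # constructed addresses from the documentation ranges


# Constructed login history (not real data) for one account holder who checks the
# account about once a month, on Sunday evenings, from the same home machine and ISP.
# A real baseline should only contain logins the account holder is known to have made.
BASELINE = [
    Login(datetime(2015, 5, 3, 20, 15), "Windows 7", "Chrome", "HomeNet ISP", "203.0.113.10"),
    Login(datetime(2015, 6, 7, 21, 2), "Windows 7", "Chrome", "HomeNet ISP", "203.0.113.10"),
    Login(datetime(2015, 7, 5, 19, 48), "Windows 7", "Chrome", "HomeNet ISP", "203.0.113.12"),
    Login(datetime(2015, 8, 2, 20, 30), "Windows 7", "Chrome", "HomeNet ISP", "203.0.113.12"),
]


def score_login(history, login, burst_window_days=3, burst_logins=3):
    """Score one login against the account's prior logins. Returns (score, reasons).

    Each factor adds a small amount; the combination rule at the end adds more when
    several factors deviate at once, even though each looks minor by itself.
    """
    prior = sorted(history, key=lambda l: l.at)
    if not prior:
        return 0, ["no baseline yet"]
    score, reasons = 0, []

    # Device and network characteristics never seen on this account before
    for field in ("os", "browser", "isp"):
        seen = {getattr(l, field) for l in prior}
        if getattr(login, field) not in seen:
            score += 1
            reasons.append(f"new {field}: {getattr(login, field)}")

    # Time of day: outside the observed hour range, with an hour of slack either side
    hours = [l.at.hour for l in prior]
    if not (min(hours) - 1 <= login.at.hour <= max(hours) + 1):
        score += 1
        reasons.append(f"unusual hour: {login.at.hour:02d}:00")

    # Day of week never used before
    if login.at.weekday() not in {l.at.weekday() for l in prior}:
        score += 1
        reasons.append("unusual day of week")

    # Frequency: a flurry of logins on an account normally used every few weeks
    gaps = [(b.at - a.at).days for a, b in zip(prior, prior[1:])]
    typical_gap = sum(gaps) / len(gaps) if gaps else 0
    recent = [l for l in prior if timedelta(0) <= login.at - l.at <= timedelta(days=burst_window_days)]
    if typical_gap > 14 and len(recent) + 1 >= burst_logins:
        score += 2
        reasons.append(f"{len(recent) + 1} logins in {burst_window_days} days; typical gap {typical_gap:.0f} days")

    # Combination rule: three or more individually minor deviations together count as strong evidence
    if len(reasons) >= 3:
        score += 2
        reasons.append("several factors deviate at once")
    return score, reasons


# Constructed events to score against BASELINE.
NORMAL_LOGIN = Login(datetime(2015, 9, 6, 20, 5), "Windows 7", "Chrome", "HomeNet ISP", "203.0.113.10")
# Different OS, browser and network at 03:40 on a weekday: each change is small, together they are not.
TAKEOVER_LOGIN = Login(datetime(2015, 9, 9, 3, 40), "Linux", "Firefox", "Cloud Hosting Co", "198.51.100.7")
# Two logins on consecutive days from the usual device, then a third: the frequency signal on its own.
BURST_HISTORY = BASELINE + [
    Login(datetime(2015, 9, 8, 20, 0), "Windows 7", "Chrome", "HomeNet ISP", "203.0.113.10"),
    Login(datetime(2015, 9, 9, 20, 30), "Windows 7", "Chrome", "HomeNet ISP", "203.0.113.10"),
]
BURST_LOGIN = Login(datetime(2015, 9, 10, 20, 10), "Windows 7", "Chrome", "HomeNet ISP", "203.0.113.10")

if __name__ == "__main__":
    print("normal:", score_login(BASELINE, NORMAL_LOGIN))
    print("takeover:", score_login(BASELINE, TAKEOVER_LOGIN))
    print("burst:", score_login(BURST_HISTORY, BURST_LOGIN))
```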

Guardian Analytics FraudMAP automatically models the login activity of every account holder to detect unusual or suspicious characteristics of all subsequent account accesses.


Fraud Factor – September 2015

We regularly hear from financial institutions how much they appreciate information we share about the latest banking fraud activities. Towards that end, this post pulls together recent news stories across the spectrum of banking fraud developments.

We also distribute this as a monthly Fraud Factor email. If you’d like to be added to the distribution list, please go to our Contact Us page.

IRS: Thieves Stole Tax Info From Additional 220,000 Potential Victims

A computer breach at the IRS in which thieves stole tax information from thousands of taxpayers is much bigger than the agency originally disclosed, now totaling 334,000 potential victims. The thieves accessed a system called “Get Transcript” that required the Social Security number, date of birth, tax filing status, and street address. The IRS believes the thieves were downloading prior tax filings to get even more information about the taxpayers, which could help them claim fraudulent tax refunds in the future. (See our summary of the Identity Theft Tax Refund Scam.)

Compromised Email Accounts Headline Recent Schemes

Increase in Email Account Compromise Scam

This FBI alert explains how fraudsters use social engineering or computer intrusion techniques to compromise the e-mail accounts of unsuspecting victims. After completing their reconnaissance, the criminals create spoofed email accounts for the purpose of initiating fraudulent wire transfers. This is very similar to the business email compromise scam reported on earlier (see our summary of the Business Email Compromise attack), but now is targeting individuals. Tips provided by the FBI for detecting these fraudulent wires include recognizing changes to wire transfer instructions and knowing your customers’ typical wire transfer activity, which is precisely what behavioral analytics is designed to do.

Tech Firm Ubiquiti Suffers $46M Cyberheist

In a related story, a technology company, Ubiquiti, has fallen victim to the business email compromise scheme referenced above. Ubiquiti didn’t disclose precisely how it was scammed, but this attack usually begins with the thieves using an exec’s compromised email account or a look-alike domain name to instruct a subordinate employee to initiate a wire payment.

Spam and Phishing in Q2 2015 Report: Exploiting World Events

Kaspersky Lab’s Spam and Phishing in Q2 of 2015 report describes a marked increase in the use of world events in spam emails in attempts to extract personal data. For example, fraudsters sent notifications of being chosen through a lottery drawing for tickets to the 2016 Olympic Games in Brazil, which was an attempt to persuade recipients to provide personal data to receive the prize.

Worst Month Of Malvertising Ever plus “Just in Time” Malware

In the first six months of 2015, malvertising was one of the biggest threats to endpoint security. In particular, Flash zero-days made it easier to deliver ransomware and banking Trojans, and commit click fraud. Another discovery was the increased use of “just-in-time” malware attacks, where the malware is delivered in innocent-looking pieces to avoid detection, then assembled on the endpoint device.

New Malware Strains Set Record, Gather Credentials, and Steal Certificates, Tokens, and More

Malware Trend Continues Relentless Climb

Malware development continues to remain healthy. Intel Security Group’s McAfee Labs Threat Report: August 2015 shows malware’s quarterly growth at 12 percent for the second quarter of 2015. The overall count of known unique malware samples has reached a mesmerizing 433 million, headed for half a billion by Q4. This McAfee blog post provides a link to the study, and an interesting point of view regarding the steady, relentless climb in unique malware samples.

New Shifu Banking Trojan An ‘Uber Patchwork’ of Malware Tools

A dangerous new banking Trojan, dubbed Shifu, combines elements from multiple existing malware tools. The Trojan is designed to steal usernames and passwords to financial accounts, credentials that users key into HTTP forms, private certificates, and even external authentication tokens. Shifu also steals data from smartcards if it discovers a smartcard reader attached to the compromised endpoint, can search for and steal from cryptocurrency wallets on infected systems, and if it detects that it has landed on a point-of-sale system, it steals payment card data. Described as the Frankenstein of Trojans, it borrows heavily from Shiz, Gozi, Dridex, and ZeuS.

New Version of Carbanak Banking Malware Seen Hitting Targets in U.S. and Europe

Earlier Carbanak campaigns targeted banks directly, rather than going after end users. The attacks began with spearphishing emails that had rigged attachments containing the Carbanak backdoor. Once on a compromised machine, Carbanak gave the attackers remote control, which the criminals used as a foothold on the bank’s network before stealing money in several different ways. Changes in the new version include how it eludes detection, and it now has its own proprietary communications protocol.

Watch Out for CoreBot, New Stealer in the Wild

A new piece of data-stealing malware has a real thirst for credentials—and the potential for worse trouble down the line. CoreBot is a generic information-stealing malware with a modular design that gives it enough flexibility to ramp up its capabilities to exfiltrate data in real time.


For the Record, Why We Believe Rules Are Ineffective For Stopping Fraud

Anyone who knows Guardian Analytics knows that we’ve built our business on the knowledge that using behavior is far more effective at detecting fraud than using rules. But do you understand why? Let us explain, first why we believe rules are ineffective, and then (quickly) why modeling behavior works so much better.

The challenges with rules are that they:

  1. Require knowing what fraud looks like or what an analyst is looking for. So, detection requires a massive number of rules to look for the endless proliferation of fraud schemes.
  2. Will miss new schemes until the scheme is discovered, understood, and a new rule is created.
  3. Assume all (or a very large group of) users are alike. For example, having a rule to flag transactions over a specific amount will flag legitimate transactions from account holders for whom such payments are common, and will miss fraudulent transactions that are lower than what is typical for the users, generating numerous false positives while damaging service levels and customer service. The same could be said about rules based on location, time of day, or other factors.
  4. Require time and effort to define and maintain the rules as some schemes disappear and others emerge.
  5. Trigger on isolated activity, without context of what else is going on. For example, a user changing his phone number in his online banking profile is not necessarily high-risk, but combine that with activating mobile banking and it becomes more suspicious. Rules would have to be complicated and account for every possible suspicious combination of activities.

Behavior-based systems like FraudMAP, on the other hand, start by asking what legitimate activity looks like instead of having to know what fraud looks like. Using behavior doesn’t require knowing what to look for, will detect new schemes, models the unique behavior of every individual account holder instead of treating everyone the same, automatically adapts to changing schemes and changes in legitimate client activity, and evaluates activity in the context of everything else taking place with that client.
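As an added illustration of points 3 and 5 above (and of the FBI tip earlier on the page about knowing a customer’s typical wire activity), here is a fixed-amount rule beside a per-account baseline, run over constructed wire history. This is example code, not Guardian Analytics or FraudMAP code; the accounts, amounts, scoring weights and thresholds are made up for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed wire history (not real data): (account, amount_usd, beneficiary, country).
# acct-A routinely sends large wires; acct-B sends small, very regular ones.
HISTORY = [
    ("acct-A", 52000, "Supplier-1", "US"), ("acct-A", 48000, "Supplier-1", "US"),
    ("acct-A", 55000, "Supplier-2", "US"), ("acct-A", 50000, "Supplier-2", "US"),
    ("acct-B", 1200, "Payroll-Co", "US"), ("acct-B", 1350, "Payroll-Co", "US"),
    ("acct-B", 1100, "Payroll-Co", "US"), ("acct-B", 1300, "Payroll-Co", "US"),
]

RULE_THRESHOLD = 10000   # the kind of one-size-fits-all rule the post argues against
FLAG_AT = 3              # hypothetical behavioral score at which a wire is held for review

def rule_flags(amount):
    """Static rule: flag any wire above a fixed amount, regardless of who sends it."""
    return amount > RULE_THRESHOLD

def build_profiles(history):
    """Per-account baseline: past amounts, known beneficiaries, known destination countries."""
    profiles = defaultdict(lambda: {"amounts": [], "beneficiaries": set(), "countries": set()})
    for acct, amount, bene, country in history:
        p = profiles[acct]
        p["amounts"].append(amount)
        p["beneficiaries"].add(bene)
        p["countries"].add(country)
    return profiles

def behavior_score(profile, amount, bene, country):
    """Score a new wire against the account's own history. Each deviation adds weight,
    so a single change (e.g. one new beneficiary) is judged in the context of the others."""
    reasons, score = [], 0
    mu, sigma = mean(profile["amounts"]), pstdev(profile["amounts"])
    sigma = max(sigma, 0.1 * mu)  # floor: a very regular history must not make tiny changes extreme
    z = (amount - mu) / sigma
    if z > 3:
        score += 2; reasons.append(f"amount {amount} is {z:.1f} sd above this account's mean {mu:.0f}")
    if bene not in profile["beneficiaries"]:
        score += 1; reasons.append(f"new beneficiary {bene}")
    if country not in profile["countries"]:
        score += 2; reasons.append(f"new destination country {country}")
    return score, reasons

def assess(profiles, acct, amount, bene, country):
    """Compare the static rule with the behavioral verdict for one proposed wire."""
    score, reasons = behavior_score(profiles[acct], amount, bene, country)
    return {"rule_flag": rule_flags(amount), "behavior_flag": score >= FLAG_AT,
            "score": score, "reasons": reasons}

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Legitimate large wire from the high-volume account: the rule fires, behavior does not.
    print(assess(profiles, "acct-A", 54000, "Supplier-1", "US"))
    # BEC-style wire from the small account: under the rule threshold, but to a new
    # beneficiary in a new country, so the rule misses it and behavior flags it.
    print(assess(profiles, "acct-B", 8000, "Overseas-Ltd", "CN"))
```

A lone new beneficiary for acct-B scores 1 and is not flagged, which is the point-5 argument: one isolated change is weak evidence, while the combination of changed instructions, new country and out-of-pattern amount is strong.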

And we’re not the only ones promoting the use of behavioral analytics. This approach is validated by some pretty credible sources, including the FFIEC. Here’s a sample of third-party comments endorsing the use of behavior to prevent fraud.

“Advanced analytics is indispensable in fighting fraud. As fraud becomes more sophisticated and schemes more complex, simple rules are not adequate to protect the financial institution or its customers.” Shirley Inscoe, Aite Group.

“Banks have to put mechanisms into their systems so that when data like [the Heartland Payment Systems breach] is stolen, they can detect behaviors within the account or activities that might be abnormal.” “All types of attacks are continuing to penetrate organizational defenses, highlighting the fact that most security is based on yesterday’s security concepts that use rules and signatures to prevent ‘bad’ occurrences. What’s needed is rapid detection and response enabled in part through behavioral analytics.” Avivah Litan, Gartner.

“Based on the incidents the Agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.” FFIEC Guidance.

“Our recent research shows that institutions find behavioral analytics to be one of the solutions that FIs perceive to be most effective and least intrusive.” Julie Conroy, Aite Group.

“We are also going to see a rise in products focused on analysis of user behavior – both as an ongoing way of verifying the user’s identity as part of the authentication process, and also as a way of anomaly detection by running activities through various data models to determine the level of risk associated with a particular activity. There is clearly a security visibility gap today that behavioral analysis can fill.” SC Magazine.

If you disagree, or agree, please share. We’d love to read your reaction.

(Sources available on request.)



Replacing MFA with Biometrics Simply Amounts to Swapping Out One Vulnerable Authentication Mechanism for Another

The federal Office of Personnel Management (OPM) recently disclosed that the personal information compromised in last month’s data breach included 1.1 million fingerprints. This is cause for sobering consideration about using biometrics for authenticating into secure systems such as online and mobile banking services.

The appeal of biometrics is compelling. They’re stronger than passwords, they’re unique to each user, they’re easy, and cannot be lost or forgotten. However, there are limited biometric options (fingerprints, retina scan, face recognition, voice print, heartbeat), they’re dependent upon users having the needed technology (such as fingerprint scanners on smartphones), and they can’t protect against romance scams or unauthorized activity by friends and family.

As financial institutions debate adopting biometrics as a compelling replacement for simple, multi-factor, or knowledge-based authentication, this latest breach highlights very clearly that despite its benefits, using biometrics is insufficient by itself.

For biometrics to work for account authentication, there must be an image of the user’s fingerprint (or retina or facial image) digitized and stored somewhere. Each subsequent access compares the current fingerprint against the stored image to validate that the user is indeed who he says he is. And once a fingerprint is digitized and added to a database, it simply becomes part of one’s PII along with a phone number, mother’s maiden name, and zip code. Furthermore, a fingerprint can never be modified. Perhaps the article in National Journal put it best: “unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good.”

According to Goode Intelligence, over 1 billion people worldwide will be using biometrics to access financial accounts by 2017, and it will be the predominant authentication mechanism by 2020. If all of these financial institutions are thinking that all they have to do is replace MFA with biometrics and their accounts will be protected, we encourage them to rethink their strategy. We believe that the OPM data breach offers sufficient reason to believe that replacing MFA with biometrics simply amounts to swapping out one vulnerable authentication mechanism for another.

Behavior, on the other hand, is as unique as a fingerprint, but is not a simple, singular piece of data that must be stored and is therefore vulnerable to being compromised. While criminals probably have richer, more in-depth dossiers on FIs’ clients, the FIs have much richer data than fraudsters will ever have on each account holder’s banking behavior.

FIs can model each client’s unique behavioral patterns and then compare new activity – in online banking, mobile banking, debit card use, and various types of payments – to detect anomalies that indicate possible account compromise or fraudulent transactions. And it’s invisible to the account holder so it doesn’t involve any changes to the user experience.

Blending biometrics with behavior will provide a much higher level of confidence that individuals accessing accounts are indeed who they say they are, lowering fraud risk while also improving the user experience and decreasing friction.


Fraud Factor – Latest News on Banking Fraud – August 2015

We regularly hear from financial institutions how much they appreciate information we share about the latest banking fraud activities. Towards that end, this post pulls together recent news stories across the spectrum of banking fraud developments.

We also distribute this as a monthly Fraud Factor email. If you’d like to be added to the distribution list, please go to our Contact Us page.

Company Suffers $46M Cyberheist
Networking firm Ubiquiti Networks Inc. acknowledged that cyber thieves stole $46.7 million using a scam in which crooks spoof emails from executives at the victimized firm in order to initiate unauthorized international wire transfers (see our Fraud Informer on this scam). This scheme is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments.

Threats Span Phone Hacks, Fingerprints, Google Compromise, and more

Nearly 1 Billion Phones Can Be Hacked With 1 Text
Think twice before giving away your cell phone number—especially if you happen to own a phone that runs on Google’s Android operating system. That’s the only thing a hacker needs to compromise a handset. A mobile security researcher has uncovered a flaw that leaves as many as 95% of Android devices—that’s 950 million gadgets—exposed to attack.

How Much Damage Can be Done With a Million Fingerprints?
The OPM data breach included 1.1 million fingerprints. Security professionals are particularly troubled because of the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good. This lies at the core of concerns about using biometrics for financial authentication.

Malvertising Attack Hits Yahoo! Ad Network
A large malvertising attack hit the Yahoo! advertising network over the course of a week before it was discovered and shut down. Many of the website’s 6.9 billion readers could have been affected, making this one of the largest malvertising attacks ever detected. Victims were infected with ransomware and possibly banking Trojans.

Alert: ATM Skimming Up in U.S.
A new security alert from ATM manufacturer NCR Corp. warns that ATM skimming attacks in the U.S. are on an upswing. The trend likely is being fueled by the migration away from magnetic-stripe technology toward EMV chip technology. ATMs will increasingly be targeted, experts predict, because the vast majority of ATMs in the U.S. won’t even begin their migrations toward EMV for another two to three years.

ZeusVM Malware Leak May Cause Botnet Surge
The Internet could see a new wave of botnets based on the ZeusVM banking Trojan after the tools needed to build and customize the malware program were published online for free. ZeusVM, also known as KINS, hijacks the browser process in order to modify or steal information from websites opened by victims on their computers. It’s primarily used to steal online banking credentials.

New Phishing Campaign Targets Google Credentials
Criminals have again leveraged users’ trust in Google with a newly discovered campaign designed to steal credentials that grant access to the multitude of Google’s online services, including email. The campaign is similar to the one discovered in March 2014, and if it’s the same group, then their work is evolving and they’re taking additional steps to elude detection.

Fraudsters Show Their Flexibility, Sophistication

Banks Brace for Fraud Migration
Big banks are bulking up their IT security budgets as they brace for fraud to migrate to the online and mobile channels in the wake of the U.S. implementation of EMV chip technology for payments, says Julie Conroy, the Aite research director. Banks anticipate that faster ACH payments could also create new risks of fraud.

Russian Cyber Underground Goes From Strength to Strength
The Russian cybercrime underground has evolved to a new level of sophistication and professionalism, with enhanced features such as automation to accelerate sales, as well as translation and anti-spam proof services.

Criminals’ Continued Assault on PII Is Increasing Pressure to Drop MFA and KBA

Data Breach At a Zoo Near You
Anyone who’s visited one of at least two dozen zoos over the last several months may want to check their credit and debit card statements. A third party operator of concessions and retail services at zoos from Hawaii to Florida acknowledged that attackers commandeered point-of-sale systems for nearly three months, from March to June. The compromised information may contain everything from card numbers and names to the three-digit CVV security codes that appear on the back of most payment cards.

United Airlines Hacked Again—by China?
The Chinese hacking team behind the strike on the US government’s Office of Personnel Management is believed to be responsible for a fresh hack of United Airlines. The US Department of Defense has claimed that China is developing a vast database of information about US citizens, which would be used to craft crippling attack strategies.

62 Percent of Android Infections Steal Sensitive Info
In its Q2 2015 Android Malware and Vulnerability Report, 360 Security found that on nearly two of every three infected Android devices, the malware steals sensitive, personal information. The report also found that only 1.4 percent of devices were infected by malware, which makes the other finding easy to dismiss, but when you consider that 334 million Android devices were shipped, in real numbers that equates to 2.9 million Android owners whose personal information has been compromised.

Breached PII: Why KBA Has to Go
A wide variety of personally identifiable information (PII) is readily available to fraudsters as a result of data breaches. With so much stolen PII available, it’s time for banking institutions to enhance the technologies and techniques they use to authenticate customers’ identities. Knowledge-based authentication, based on questions derived from PII, is no longer reliable.


About Guardian Analytics

Guardian Analytics is the technology leader in the prevention of online account fraud, providing real-time risk management solutions that protect online channels. The company supports the end-to-end online risk management process with rich analytics and behavior-based modeling. We offer an analytics-based software solution that addresses the entire risk management lifecycle.