Lately our fraud researchers have noticed a disturbing trend toward “inside jobs” – schemes that rely on money mules recruited from within the legit business’ own employee ranks.  Enlisting them is difficult, so mule handlers offer higher commissions to their traitorous partners. The more common commercial account fraud method is the use of professional mules who set up fictitious companies specifically to receive stolen payouts.

Corporate account credentials command a higher price on the criminal black market. Why? Business-to-business accounts typically transfer higher dollar amounts, more frequently, than retail accounts.  International transfers are easier. Repetitive transactions in a short period of time are easier. These realities all provide more incentive for business mules to complete fraudulent transfers… again and again. Repeat use of business mules is becoming disturbingly common.

These witting mules are hard to detect. The fraudster is relying on a business mule’s seemingly legitimate actions to bypass any security controls. Anti-fraud technology often focuses on business-to-consumer fraud, so B2B transactions receive less scrutiny. The best method of detecting and preventing a mule from emptying your corporate account is to detect account takeover attempts early, before the money is gone. Early fraud setup activity – such as creating a new (fraudulent) payee – can be detected using anomaly detection technology that monitors account activity from login to logout.

My colleague Craig Priess explains business mule scenarios in this video explaining their tactics. Check back with this blog for the latest cybercrime tools and techniques from our fraud and threat research teams.

Recent industry coverage has only reinforced the continued increase in the overall volume of fraud attacks. In addition, fraudsters are becoming annoyingly adept at covering their tracks with smokescreen methods such as distributed denial-of-service (DDoS) attacks.

What we’re reminded of repeadedly is that financial institutions must be prepared to defend against a wide range of sophisticated attacks plus new schemes that emerge regularly. Here are a few articles that may be of interest as you develop risk mitigation strategies this year:

New Strains of Malware Emerge…

New Mac Malware Exploits Java Bugs to Steal Credentials
Flashback.G is the first Trojan variant of a well-known family of Mac malware to use an attack vector that doesn’t require any user interaction. This new version exploits Java vulnerabilities in Mac’s legacy operating system to keylog usernames and passwords for online payment, banking, and credit card websites.

Citadel Banking Malware Is Evolving and Spreading Rapidly
Malware development has gone open source. Citadel, a new ZeuS variant, is evolving and spreading rapidly because its creators adopted a community-based development model. Each version of Citiadel adds new modules and features, some submitted by “customers” themselves.

Banking Malware Finds New Weakness
A new ZeuS variant called Ice IX (“ice-9”) automates the process of stealing and changing account holder phone numbers to defeat two-factor authentication. Fraudsters are using it to intercept verification phone calls and pose as the customer to approve their own fraudulent transactions.

….While New Attacks Demonstrate Fraudsters’ Perseverence…

Banking Trojan Hijacks Live Chat to Run Real-time Fraud
A new attack on the Shylock malware platform is hijacking live chat sessions to get business banking customers to hand over their credentials or authorize fraudulent transactions. This Man-In-the-Browser assault interrupts an online session to chat up the victim about a “system check” while the cybercrook simultaneously completes the theft in real-time.

New Cyber Scam Is More Polished than Most
More professional and elaborate than most social engineering scams, a realistic-looking shopping scam email disguises its executable payload as a harmless PDF where “your recent order can be viewed.” It’s really a nasty Trojan with bot and keylogging capabilities that steals banking credentials.

New Malware Attacks Target Online Banking
A new Man-In-the-Browser attack tricks users who log into a bank’s real site with an offer of training in a new “upgraded security system.” After stealing account holder funds it changes on-screen balances to hide its activities, rendering evidence of the theft invisible.

…And the Volume of Attacks Continues to Increase.

780 New Malicious Internet Banking Programs Every Day
Kaspersky Labs reported on the recent explosion of banking malware: 1.1 percent of all malicious programs detected – or 780 new programs EACH day – target financial data. A malicious program of this kind is detected on an average of 2,000 unique users’ computers every day.

Mobile Malware Doubled in 2011  
The 2011 Mobile Threats Report from Juniper Networks found that the amount of malware created for mobile devices across all operating systems more than doubled in 2011. 63 percent of the malware found could collect financial information.

We recently released an Anomaly Detection Toolkit to help educate financial institutions on the topic. Here is our infographic on what anomaly detection is, how it works to detect fraud attacks, and how financial institutions can respond to any anomalous, or suspicious, online banking activity. 

We here at Guardian Analytics know a little something about anomaly detection. We’ve pioneered use of this technology to detect online banking fraud, and currently deliver this powerful capability to about 150 banks and credit unions – day in and day out.

If you want to hear this graphic come to life, here’s a video with voiceover that explains the whole process.

(click to enlarge the infographic in a new window)

Fraudsters are getting creative and employing a new, retail-based approach. Why? To decrease the risk of their mules getting caught. They are using high-end jewelry stores to essentially launder their loot.

Here’s how it works:

1. The fraud victim – typically a business banking customer – gets a phishing email that appears to originate from reputable organizations like the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC). When this attack was first launched, all emails appeared to originate from NACHA. The email may claim that there is problem with a recent transaction that requires the user’s attention.
2. When the link in the email is clicked, the victim is sent to a bogus website and inadvertently downloads a new variant of the notorious ZeuS malware called “Gameover”.
3. Once infecting the victim’s PC, “Gameover” keylogs all online banking activity and sends stolen account credentials to the criminal.
4. In a new wrinkle, the criminal employs a DDoS attack to cover their tracks. When the attack begins, the victim’s business may be hit with DDoS to prevent Internet access so they don’t notice the attack and can’t reverse the transaction.
5. In a more sophisticated version of the scheme, the financial institution is included in the DDoS attack, further decreasing the likelihood of the fraudulent transfers being noticed.
6. The criminal wires money to a high-end jewelry store and then places an order for precious stones or expensive watches.
7. A mule physically visits the store to pick up the order.  The jeweler checks their account, sees that the funds are there, and delivers the merchandise to the mule.
8. The mule may then turn the jewelry over to the fraudster or sell it for cash.
9. When the fraud is discovered, it can be the account holder or the jewelry store itself that’s hit with the loss.

It’s definitely “game over” for the victims of this fraud scheme.

This use of the Gameover Trojan was recently written up by the FBI and my colleague Craig Priess explains it nicely in a video explaining this attack. Our fraud and threat research teams stay up to date on the latest cybercrime tools and techniques and I hope you will use this blog as a resource for combating fraud at your financial institution.

Recently we heard a tale from one of our customers with an interesting twist. At Guardian Analytics we are passionate about the concept of great security AND a great account holder experience.  The plot twist in this fraud story highlights how the right protections can create the right customer experience that builds trust and loyalty. And lack of the right protections creates, well, something very different.

The movie begins with one of our customers, Bank A, a mid-sized bank using FraudMAP that proactively detected suspicious activity in an account.  FraudMAP alerted the bank to unusual behavior before any sort of transaction was initiated.

Based on the suspicious behavior, the bank called the account holder to inquire about the activities.  The account holder confirmed that they had not logged in to their account at that time or from that location. He was thrilled that the bank was proactively looking out for his safety and was able to catch this before any money was moved.

Now for the twist: while they were on the phone discussing next steps, the account holder realized that if his account at Bank A had been compromised, it was likely his account at Bank B had been compromised as well.

He logs into his account at Bank B, a much larger national bank, and discovers that a very large wire transfer had been initiated through his account and released by the bank. He had to make “the call” that far too many banks receive – according to a survey done by ISMG – 76% of FIs find out about fraud from their customers.

One client, two banks. One happy ending, one nightmare.  The FFIEC got it right. In their new Guidance for online banking security, they call for all banks to have anomaly detection as the foundational component of their security strategy.  This account holder’s money was clearly safer in the bank with sophisticated anomaly detection looking for signs of suspicious activity before money leaves the bank.  Powerful protections and a great customer experience can and do co-exist.

Which movie would you star in? The fairy tale? Or the horror story?

With so much going on, we thought we’d use the blog to regularly summarize the hot news. Welcome to our first “Fraud Roundup”:

• New FFIEC Supplement and Clarifications from the Agencies

The FFIEC raised the bar on expectations for layered security, risk assessments and customer education. Following the Supplement’s release, there has been a lot of discussion on the topic of the guidance and layered security.

In recent presentations by the FDIC, OCC and the Federal Reserve Board, the Agencies make one thing very clear about the Supplement: all institutions are expected to have layered security; layered security at a minimum is defined by the capability to detect and respond to anomalous customer behavior at login and initiation of transaction. The Agencies further clarified this is expected for retail and commercial banking and that business accounts.

For more details, resources, and to track what key topics about the Supplement, please visit our FFIEC Resource site.

• New ACH Fraud Suit Filed, BankInfoSecurity.com

In March 2010, Village View Escrow of California had its online bank account infiltrated by hackers, suffering $465,000 in losses. The company now has filed a lawsuit in the California Superior Court against its bank. This is the latest in a stream of other recent commercial banking fraud lawsuits.

• FBI Investigating Online Banking Theft of $139,000 from Pittsford, NY, Krebs on Security

The fraud losses continue. The latest theft is the latest reminder that cybercriminals are effectively bypassing existing controls.

• More Fraud Losses – eThieves Steal $217k from Arena Firm, Krebs on Security

Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

• Spam Fraud Down, Targeted Phishing Attacks Up 400%, Bank Technology News

End users aren’t getting any relief. A Cisco study finds that cyber fraud has shifted from mass, generalized attacks to very specific spear phishing hits that harness stolen user information to dupe unwitting consumers (such as bank customers and cardholders) into divulging account information.

• SpyEye hacker toolkit to lead to surge in cyberattacks, USA Today

Security experts are expecting a surge in SpyEye attacks this year, after the license key to SpyEye, the top rival to the ZeuS banking Trojan, was exposed. Hackers started making versions of SpyEye available for $100 (down from $10,000), making the Trojan kit much more readily available to criminal gangs. More than 2.2M computers are estimated to be infected and under the control of SpyEye botnets.

• Mobile Malware on the Rise, McAfee

McAfee reports that the Android was the most popular target for malware developers in Q2 2011. Researchers highlight mobile crimeware on the Android that forwards SMS messages, a technique to thwart out of band authentication and verification.

The article pretty thoroughly covers the commercial account fraud ecosystem and the devastating results of fraud.  But while it nicely admires the problem, it fails to point out that there are solutions within the reach of every bank and credit union, and that many are equipping themselves to proactively stop these attacks.  And they are doing so successfully and affordably.

A rapidly growing number of national and community banks and credit unions are using FraudMAP, our anomaly detection and transaction monitoring solution, to identify account takeover and stop the very fraudulent wire and ACH transfers described in this article. These institutions consistently detect and stop fraud, spend less than an FTE to investigate high-risk accounts, and receive high praise from their account holders when they make a call to discuss suspicious activity. It took many of these institutions less then a week to deploy the solution on a wide variety of online banking platforms, and it costs them less then one average ACH or wire fraud.

As I discussed in my last blog post the FFIEC recently updated its guidance on Internet Banking security. They too agree that the threat has grown too great, criminals can defeat existing controls, and this is an issue banks must tackle. They are now expecting all institutions to have the capability to detect and respond to anomalous behavior.

We had an interesting call from one of our customers today that highlighted the difference between banks that are equipped to solve the problem and those that are not.  Our customer, lets call them Bank A, used FraudMAP to proactively detect an account compromise for one of their accounts. Our solution alerted Bank A to suspicious activity in the account and they quickly notified the account holder. This all happened before a fraudulent money transfer was even attempted.  While discussing the situation, the account holder mentioned that they had also an account at a different institution, Bank B, which is not a user of FraudMAP.  When the account holder checked their account at Bank B, they found an unauthorized wire transfer and a significant amount of $$$ missing from their account.

Bank B now is faced with 1) spending time to attempt claw back the money, 2) trying to explain why they were not able to stop a fraud that Bank A could and 3) a potential customer loss.  Customer churn is a common outcome of these attacks – our 2011 Business Banking Trust Study reports that 43 percent of SMBs take their banking business to another institution following a fraud attack. Despite the title of the article, nobody wins when a commercial account is raided.

This real-world scenario shows that with the right protections in place, money can be safe in the bank. And it can be safe at large banks, midsize banks and small banks.  Businesses don’t need to run to the large institutions, they should just work with banks that have the right security.

By this time next year, if institutions meet the updated layered security expectations set forth in the guidance, the story should be very different. Instead of focusing on the villains and victims, we’ll be hearing stories of the heroes who stopped the criminals in their tracks.  We’ll be hearing more stories of  ordinary institutions providing extraordinary fraud prevention.

And while all of these points have some element of truth to them, it is important not to overlook that at its heart and most importantly the guidance acknowledges that today’s threats are too sophisticated for yesterday’s controls.  Authentication alone is no longer effective for protecting online accounts and transactions and financial institutions now have new expectations for risk assessments and layered security strategies.

The supplement reinforces the need for a layered security approach, and explicitly states that the agencies expect (not suggest or encourage, but expect) that an institution’s layered security program will contain two elements at a minimum: 1) the ability to detect and respond to suspicious activity, and 2) improved control of administrative functions. It defines the first element as processes designed to detect and effectively respond to suspicious or anomalous activity related to initial log-in and electronic transaction requests. That is, check for suspicious activity from log-in to log-out.

There is a reason detecting anomalies and suspicious activity is first – it works across all customers and across the widest array of threats.  The Guidance even states, “transaction monitoring and anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.”

Our company was founded on the idea that the best way to prevent online and mobile banking fraud is to do precisely this – look for anomalous activity at the individual account holder level that is indicative of account takeover, account reconnaissance, and fraudulent transactions. More than 50 financial institutions who we have the privilege of calling customers know this, too, and have day in and day out seen the benefits of proactively stopping criminals in their tracks, before money leaves their institutions.  And now its expected of all institutions.  We think this is a positive step forward and that banks, credit unions, and their account holders will benefit.

There has been a perception perpetuated in the industry that fraud monitoring is difficult to implement and complex to operationalize.  This is just wrong. Our online and mobile banking fraud prevention solution, FraudMAP, is rapidly deployed and customers can be up and running in just a few days with little to no support required from IT. To learn more about how FraudMAP can help you to meet the first, and most important expectation expressed in the Guidance Supplement, visit our website, or for a more detailed look at how FraudMAP has helped our customers, download our case study kit.

At issue in the case is whether financial institutions should be held responsible when commercial accounts are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to their commercial accounts? The magistrate in this case has closely aligned his recommendation with a literal interpretation of the 2005 FFIEC Guidance that states single factor is not enough.

Now that this water is almost under the bridge, we feel the remaining issue is what the FFIEC can do now to offer leadership to the industry and stem the flood of similar losses and resulting lawsuits.  While the courts may feel that the bank was using reasonable security from a legal standpoint, clearly that security isn’t enough from a practical standpoint and should no longer be the standard.  The court even commented that the bank could have done more and could have prevented the loss.

The case must still be reviewed by the presiding judge, but regardless of how it is ultimately decided, it’s a hollow victory for the “winner.” The only winners in this case were the fraudsters that stole the money.  The bank spent time, treasure and good will defending its contractual obligations and its security framework. And PATCO lost over a quarter of a million dollars plus legal costs and productivity losses.   Worse, this isn’t an isolated incident.   There are many more victims – banks and credit unions, commercial and retail accounts – going through the same thing every day.  And unnecessarily so.

The technology and processes to stop this blight exist in the market today. They are affordable for any size institution and have been proven over and over again to be effective at stopping online and mobile fraud. The financial institutions need to adopt them.  The commercial account holders need to insist on them.

But what’s most important in light of this legal precedent is that the FFIEC step off the sidelines and take action by releasing their long-expected updated guidance with more specificity around risk assessments and control expectations. The FFIEC has the chance to lead the way – but they need to act, and act now.

For a nice summary on the recommendation by the magistrate read Bank Info Security’s article: ACH Legal Ruling Favors Bank

This Illinois-based $2.5B bank strives to offer leading online and mobile products competitive with the big national banks AND deliver community bank style service. Expanding their offerings without increased fraud risk required enhancing their fraud prevention capabilities.  Here are some valuable snippets:

Security point of view: You can’t depend on account holders, you can’t secure the endpoint: The bank understood that cyber criminals continue to attack account holders directly and designed their fraud prevention strategy with the notion that all end points have been compromised and you can never truly secure the end point.

The bank wanted a solution that would transparently provide complete coverage across all account holders and not require account holders to do anything or change their processes. They also wanted a solution that had no dependencies on understanding malware or fraud patterns. As the bank states – “You don’t know what your enemy will do, but you always know what your customers have done.”

Business point of view: The risk of fraud is too great to the business not to take action. The bank recognized the strategic value of preventing fraud and that the true cost of fraud goes well beyond any financial losses. Customer churn, reputation issues, and lost staffing time are all risks of a fraud event that the bank was not willing to take.  An executive at the bank explained,  “I’d rather invest a known amount in a proven solution, than risk the unknown costs of a fraud event.”

Benefits beyond fraud losses averted. The bank deployed our solution, FraudMAP, and has experienced a wide range of benefits.  What stands out to me is the impact it has had on their ability to retain current clients and draw in new business. The CISO of the company goes out on sales calls with the account management team,  positioning to their commercial clients that the bank has industry leading security, with FraudMAP as a critical part of their story.

Additionally, every call to a customer about suspicious activity has become a relationship building event.  The bank receives wildly positive feedback – “we’re so glad you have our back!”

Our latest case study provides more background and details. After implementing FraudMAP, the SVP of Deposit Operations summed up the project quite nicely when he said, “It’s the perfect balance of sophistication and affordability.”