Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium sized businesses.
In a typical scenario, the attack vector is a “spear phishing” e-mail which contains either an infected file or a link to an infectious Web site. The e-mail recipient is generally a person within a company who can initiate funds transfers on behalf of the business, or a credential account holder (treasury management platforms typically support both wires and Automated Clearing House (ACH) transfers). Once the user opens the attachment, or navigates to the Web site, malware is installed on the user’s computer.
The malware contains a key logger, which harvests the user’s corporate online banking credentials. Shortly thereafter, the subject either creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as a legitimate user. These transfers have occurred through both the wire system and the ACH Network; however, this bulletin specifically addresses incidents that have occurred through the ACH Network.
In one case, the subjects used a Distributed Denial of Service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out. These ACH transfers ranged from thousands to millions of dollars.
FBI interviews revealed that the threat stems not only from the malware involved in these cases, but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider level. For instance, in several cases banks did not have proper firewalls installed, nor anti-virus software on their servers or their desktop computers. The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system.