After dinging USA Today for fearmongering multiple times, including yesterday, I'm happy to report that today's feature story by Byron Acohido actually includes solid data and victim stories that support an argument today's online bank robbers are a dangerous ongoing presence.
In one caper recently investigated by SecureWorks, the attacker embedded a banking Trojan in the victim's Web browser by getting the person to click on a corrupted Web link in an instant message. The Trojan watched for when the victim next accessed his online bank account and sent a copy of the user name and password to the attacker. It also automatically injected a spoofed bank form into the legitimate banking Web pages.
The bank form asked for the last four digits of the user's debit card number, ostensibly to complete a security update. The victim complied and filled out the form. The attacker now had a key piece of information necessary to execute large cash transfers.
On a Wednesday shortly before noon, the attacker logged on and began a series of transactions. He changed the e-mail address associated with the account, so notices of any questionable transfers wouldn't reach the account holder. He next accessed a credit card line of credit and transferred the maximum loan amount into checking.
He then emptied the account of more than $20,000, via a series of transfers into a drop account. To execute the transfers, the thief had to answer this question: "What are the last four digits of your debit card account number?" It took four days for the bank to reimburse the victim.
This kind of example is necessary to qualify a type of Internet crime as a real risk as opposed to an annoyance you're only running to be the newspaper equivalent of the local evening news ("Is Your Hairdryer Giving You AIDS, story at 11").
In addition to the proof point, Acohido also provides deep detail on how thieves are becoming more patient and sophisticated, including other ingenious strategies for obtaining and using private bank information.
Comments