Brian Krebs, an investigative journalist who has put the spotlight on the cyberheist epidemic in his online column KrebsOnSecurity, comments, "My mantra on this continues to be that any commercial banking technology that does not begin with the premise that the customer's machine may be and probably is already compromised with malicious software doesn't stand a chance of defeating today's cyber crooks."
"The criminals appear to be limited not by law enforcement or bank security, but mainly by the number of money mules they can harness at any one time to help them haul the loot from the accounts they've compromised," Krebs says, adding he's investigating whether one group is actually "contracting that process out to several different mule recruitment and cashout gangs" in order to find enough money mules.
According to an FBI report from last November about cyberheists and the role of the money mule, cybercrooks' fraudulent ACH transfers are often directed to the bank accounts of willing or unwitting individuals within the United States.
These people are often recruited through "work from home" advertisements or contacted by recruiters after placing resumes on popular employment sites. These mules are directed to open personal or business bank accounts to receive the fraudulent money transfer, and within a couple of days, or even hours, the money is deposited and the mule is directed to immediately forward a portion of the money to recipients overseas, typically in Eastern Europe, via wire-service transfers such as Western Union or Moneygram.
Compromised computers used in online banking have gotten the attention of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a group whose mission is to provide a forum where its members, which include Citigroup, Bank of America, Goldman Sachs and Merrill Lynch among others, can discreetly share security concerns and keep direct contact with federal officials.
FS-ISAC has gone so far as to send out a notice telling its membership to only interact with business customers via computers without browser and email capability. It was an awkwardly worded recommendation that was later clarified to mean a "PC dedicated to online banking," Litan says. But she regards this as inadequate.
Other recent activity in the federal government sector includes a symposium organised by the Federal Deposit Insurance Corp last month on the threat of hijacked computers and cybercrime to business.
"The user workstation is the weak point," says Joe Stewart, director of malware analysis at SecureWorks, who has done extensive work looking at sophisticated botnet-based Trojans such as ZeuS and Clampi designed to hijack the victim's computer and execute unauthorised financial transactions by stealing online credentials and account information.
The basic architecture of online banking was designed without the idea that the user would encounter this type of malicious Trojan, he notes, adding, "In that sense, this paradigm of banking is broken."
Since the known banking Trojan malware is Windows-based — "there are no Mac banking Trojans yet," Stewart says — he views the situation today as largely one centering on Windows-based machines. "I wouldn't recommend banking online with Windows."