Let’s say you’re a cyberthief who just compromised hundreds of bank accounts worth millions of dollars. Congratulations! You’re now the scourge of the global community. Now, all you need to do is get your hands on that money. How do you do that? You don’t just walk into a bank and stroll out with bags of cash – do you? Or do you?
Last week, two security firms announced that tens of millions of dollars had likely been stolen from bank accounts all around the world through new, sophisticated variants of malware called Zeus and SpyEye.
The days of dramatic bank heists have been over for years. In 2011, street crime was down 20% globally, says Tom Kellermann, vice president of cyber security for Trend Micro. Instead, ambitious criminals are embracing cybercrime, and thieves and the software they use are getting smarter, harder to combat and easier to access online.
“Now anyone can download a cyber Kalashnikov, a cyber getaway car and a cyber grenade from a myriad of sites,” says Kellermann.
The newest cyber grenades have fully automated capabilities that eliminate the need for hackers to manually transfer funds from one account to another. That allows the thief to stay much more hidden than in the past. Hackers also now use entire servers that are customized to target individual banks. But the scarier part is that most users who are hacked won’t even know their account has been compromised until long after their money has disappeared.
Malware plug-ins called “webinjects,” now sold among criminals, can make it appear that everything’s on the up-and-up with your account. They can include a feature called “balance replacer” that sends the compromised account false information that will hide any fraudulent activity. Others can capture one-time passwords and balance information.
This level of sophistication was found in Operation High Roller, a cyber attack that targeted both individuals and businesses and likely stole about $78 million across Europe, Latin America and the United States. The amount of attempted fraud was well over a billion dollars, says Dave Marcus, director of advanced research and threat intelligence at security company McAfee.
But once thieves are able to transfer money out of an account, how do they then actually get their hands on it? Anonymously shifting a bunch of ones and zeros around cyber space is one thing, after all — actually walking out of a bank with a wad of cash seems like it’d be a much riskier endeavor. But, that actually turns out to be the easy part.
There are basically a couple of ways criminals go about it. First, they can use an existing hijacked account, transferring money in and out of it outside of normal banking hours so it goes undetected by the actual accountholder. Or they can use a money mule, someone who knows that their account is being used for illegal purposes but gets a small chunk of the money.
Second, thieves can use alternative payment channels — essentially less legitimate versions of PayPal. Kellermann says there are about 200 of these sorts of services out there, of basically two types: systems that don’t require any personal information, and systems that require very little information that can be easily falsified. Cyber criminals can transfer funds to those channels, and debit cards can often be linked to the accounts. And they can create an unlimited number of accounts, so if one is compromised by law enforcement, they simply switch to another.
As mobile payments become more common, cyber criminals are increasingly using hacked phones as payment devices. And because transactions are made in real time, those payments can’t be undone. Because of the false information that is fed to the financial institution and the accountholder, the money is often in the hands of cyberthieves before either of them realizes it.
So is there anything consumers can do to protect themselves? “I’m terribly sorry to tell you this, but until the financial services industry provides more security, this kind of attack cannot be thwarted,” says Kellermann.
OK – so that’s depressing. However, McAfee’s Marcus suggests (not surprisingly) that some software (read: McAfee software) can help protect consumers’ accounts as long as they stay current on downloading all of the security updates.
Joe DeMarco, a New York attorney who has worked on cybercrime issues for years, suggests changing passwords frequently and staying away from questionable websites, which could put your computer at risk of being compromised. Also, he recommends conducting a mini audit of your statement every month. Yes – all little things, but that’s about the best any of us can do.