
CyberGangs and Thieves: An Unholy Alliance

Cybercriminals are teaming up with plain old criminals or disgruntled insiders to steal identity data and make money

Dec 05, 2006 | 06:50 AM

By Kelly Jackson Higgins
DarkReading

Cybercriminals are increasingly working hand-in-hand with traditional criminals to steal identity and bank account information.

"This isn't Johnny Hacker from Romania stealing money from a bank," says Ralph Logan, partner with The Logan Group, which helps corporate clients with their computer forensics investigations. "These are criminal gangs working with 'electronic' gangs and getting that banking information and translating it into the real world."

If you didn't take the insider threat seriously before, you should now: Forensics experts say this new breed of cyberattacker typically uses an insider -- a "plant" bank teller or a disgruntled employee -- to gather customer banking information, which the attackers then use to open lines of credit and fake bank accounts.

Many of the cybercrime forensics cases that Cybertrust has investigated in the last quarter were instigated by an insider providing the cyberattacker with sensitive information. "Some were at banks or retailers who had privileged access to personal information or financial data," says Chris Novak, principal consultant for Cybertrust's investigative response team.

Sometimes a disgruntled employee seeks out hackers himself and sells them usernames and passwords for a fee -- and perhaps even a cut of their profits, Novak says.

In one common attack scenario, the malicious teller or thief sells stolen account numbers and PINs to a cybercriminal, who then opens a line of credit using the legitimate, pilfered account information. "They're not then electronically moving that money, but opening lines of credit with a bank based on the credentials of that [stolen] account," Logan says.

The criminals typically open a separate bank account, move the line-of-credit funds into it, set up P.O. boxes, and use the bogus account's ATM card to draw on the money. They do their damage quickly, within the 30-day window before the activity would show up on the victim's credit report.

"They use the ATM card to withdraw cash and buy goods that are resellable. We are seeing this over and over again," Logan says.

The team effort between traditional crooks and cybercriminals, often members of organized crime groups, is more efficient and less risky for both kinds of bad guys. Take the old-fashioned bank heist: "It's less risky and safer if you don't have to stand at the teller window and wave a gun, kidnap the bank manager," says Richard Stiennon, chief marketing officer for Fortinet.

And the insider -- the cleaning staff, a security guard, or a teller -- does the legwork for the cybercriminal by grabbing the account information, Stiennon says.

One of Cybertrust's clients was alerted to an identity theft attack after Circuit City and Best Buy noticed an unusually large wave of online applications for credit lines, mostly from "customers" who worked for the client's company. "We found that it was actually an insider in the organization that was taking HR information and selling it," Cybertrust's Novak says.

The cybercriminals that purchased the company's employee data then used that information to secure lines of credit for thousands -- or tens of thousands -- of dollars. "They purchased computers and TVs and then would go on eBay and Craigslist and sell it, for example."

Novak says about 70 percent of the organized crime rings Cybertrust sees originate in Eastern Europe. But the insiders are typically based in the U.S., where most of the victims live as well.

Shane Coursen, senior technical consultant for Kaspersky Lab, says these bad-guy combos rarely stay the same. "We've been seeing this kind of active collusion of expertise between the guys who write malware and those willing to commit a [physical] crime. But it's not always the same [people working together], or in a business relationship."

Either way, it's a dangerous combination of insider access and organized crime resources, experts say. "The cyber and physical criminals are coming together," Logan says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
