Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/1/2010
04:44 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

U.S. Businesses Could Lose Up To $1 Billion In Online Banking Fraud This Year

Small to midsize businesses taking the biggest hit, experts say, but consumer banking customers could be next in the bull's eye

Criminals who bilk businesses' online banking accounts have gotten bolder and greedier in their heists over the past year, which could ultimately result in some $1 billion in losses for U.S. companies in 2010.

So says David Jevans, chairman of the Anti-Phishing Working Group and CEO of IronKey: "Trend-wise, we've been looking at reports of losses since the beginning of last year at $100,000 per incident, and as we got to the latter of last year, we saw losses in the $400,000 to $500,000 range, and now we're seeing losses in the [millions range]," Jevans says. "Looking at those trend factors and also correlating FBI reports on how losses are growing and extrapolating that, you end up somewhere around $1 billion for this year."

That number is based on the cases that actually get reported, experts say. The main targets are small to midsize businesses that don't have the security resources to defend themselves against Zeus Trojan infections or social networking-borne attacks duping their users. Still, large corporations are also getting hit by this form of ecrime, although these cases typically don't reach the public because the banks will cover the losses of their bigger clients since there are more lucrative customers. Smaller businesses often must take legal action to recoup their losses.

"The majority of successful heists in cybercrime seem to be against smaller companies that tend to bank with small to midsized banks or credit unions. These banks don't have the security expertise that top banks [do] -- they have the IT guy, whose also responsible for security," Jevans says. "And many are outsourcing their banking systems to third parties, so they don't have a frontline security posture."

Smaller firms also may have one person designated to handle online financial transactions, which leaves them wide open fraud once that user's machine gets compromised, according to Jevans.

Avivah Litan, vice president and distinguished analyst at Gartner, says $1 billion in losses from ebanking fraud for SMBs is possible for this year, but that figure may be more applicable to losses over the past year and a half. "I think the $1 billion in SMB losses from ebanking fraud is on the high end, but not out of the realm of possibility," says Avivah Litan, Gartner. "My guesstimate is that the number may be $1 billion in the past 18 months if we include all Trojan-based [for example, Zeus] ebanking fraud."

It's difficult to put hard numbers on ebanking losses to SMBs and banks, she says. "That's one serious issue: there are no formal and authoritative numbers in this area and the only ones who can provide them are the SMBs or the banks. Banks are not obligated by law to report their fraud losses at this level, even though they should be in order to enable better informed legislation and regulations in this area," she says. "Additionally, SMBs are currently not organized enough in this country to report aggregate losses from ebanking fraud against them."

Not only is it highly profitable, but this type of crime is also easy to execute -- and to get away with. "I don't see any letup on these attacks in sight," Gartner's Litan says. "They are simply too easy to pull off and the risk/reward ratio is overwhelmingly in the fraudsters' favor."

Do-it-yourself Zeus and other Trojan toolkits are easily accessible and for a couple of thousand dollars, you get everything you need to pull it off, she says. Getting caught or prosecuted isn't likely, mainly because many of the bad guys behind these crimes operate in countries that protect them from international law enforcement. "The chance of getting arrested for committing one of these crimes is almost nil today," Litan says. "In the extreme, the fraudsters are known to grease these government officials' pockets, making their chances of being arrested even more remote."

IronKey's Jevans says these attacks are only limited by the number of money mules the fraudsters must recruit to launder the money. "It's not how many computers are infected or how many [stolen] passwords ... It's how many money mules [you can get] to move money out of the country in a way that the bad guy can't be detected," Jevans says.

But they are also now limited somewhat by the lag time with transactions in the U.S., says Mickey Boodaei, CEO of Trusteer. "In the U.S., it's not just about being able to find and operate mule accounts. It's mainly about the time it takes for money to actually leave the bank. It usually takes a few days, which leaves time both for the bank and the customer to identify suspicious transactions and block them," Boodaei says. "[So] The problem is going to get worse as the processing time for payment systems becomes shorter."

Page 2: Consumer banking customers are also at risk Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24288
PUBLISHED: 2021-05-17
When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
CVE-2021-24289
PUBLISHED: 2021-05-17
There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.
CVE-2021-24290
PUBLISHED: 2021-05-17
There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.
CVE-2021-24292
PUBLISHED: 2021-05-17
The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The â€&oe...
CVE-2021-24295
PUBLISHED: 2021-05-17
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via...