How to Earn $175K in One Day

In my previous post How Hacker Targets Become Victims, I examined a common Man-in-the-Middle attack that hacker organizations are using today to steal from various types of organizations. An "Attacker" gains control of a target computer system and then hijacks the web browser once the target logs into the account, without alerting the target to the problem. It's an amazing attack because it completely bypasses most of the controls that banks put in place to protect business accounts. The attack vector renders standard and multifactor authentication controls irrelevant and makes bank efforts to authenticate the computer system useless. What would happen if, all of a sudden, your organization were unable to make payroll because a hacker wiped the bank account clean the night before? As many of these organizations found out, the organization would likely be left to cover the loss itself.

The impact that these attacks have on small businesses, non-profits, and public organizations is extraordinary. While the industry is still working on collecting clean data and defining statistical measurements, InfusionPoints conducted a study that sampled electronic theft incidents matching this scenario at 18 organizations in the United States from 2008 through 2010. The targets included small businesses, public school districts, non-profits, and local governments, and the attempted theft amounts ranged from $22,000 to $700,000, totaling nearly $9M. When examining the reports, we found that the targeted organizations failed to recover any loot (the term the FBI uses for the losses) in nearly 50% of the cases, with all but one experiencing some loss. Of the $9M in potential losses, the actual losses totaled nearly $4M.

Breaking down the numbers a bit more, we began to see some trends. High-value targets, those with potential losses of around $1M or more, which generally included public sector accounts, recovered a larger share of the attempted theft (about 85%) than lower-value targets did (about 18%). Based on our analysis of the reports, this difference is likely due to the fact that larger organizations have more controls in place to rapidly detect problems than their smaller counterparts, and banks are more willing to cover the losses of their larger customers.

We believe that our admittedly non-academic study just barely scratches the surface of what we figure is a very substantial problem for businesses. In November 2009, the National Cyber Forensics and Training Alliance submitted that reported losses from this type of attack were on the order of $1M - $1.5M per week, or nearly half a billion dollars in actual losses in one year. Then, in Operation Trident BreACH, the FBI reported that one hacker organization had, by itself, caused $70M in actual losses in an 18-month period ending October 2010. With about 400 incidents included in the investigation and a total attempted theft of $220M, the resulting average actual loss is $175,000 per day, and the actual loss is about 30% of the potential loss.

Protecting against these attacks is not complicated, and we're helping clients better understand how to do so. There are a few things that organizations can do to quickly take control of their bank accounts:

  1. Acknowledge the Risk. Users in privileged positions need to understand their roles in protecting the organization's assets and that they are targets of this type of attack. They should receive special training in phishing attacks and adhere to some simple rules, including: only use a personal, non-organization email address for social networking sites; do not read personal email on the same computer used to conduct banking or payroll operations; and avoid opening attachments or performing general web browsing on the same computer used to conduct banking or payroll operations. These three simple steps will go a long way towards preventing hackers from making the organization their next victim.
  2. Provide Dedicated Banking/Payroll Systems. One of the best and easiest ways to prevent the Man-in-the-Middle attack is to provide separate computer systems that are used only to conduct financial operations. IT staff can configure these machines to focus only on those operations and disallow general web browsing and email activities. Some users may complain about having two computers, but that is better for the organization and less invasive than many of the alternatives that information security practitioners would typically recommend.
  3. Call the Bank. Most people don't know that banks do not provide the same level of fraud protection to corporate accounts that they provide for individual consumer accounts. The primary way that hackers are able to leverage this Man-in-the-Middle attack is by taking advantage of minimal controls over ACH bank-to-bank transfers. Banks have the ability to restrict and block the use of ACH transfers to prevent theft. Also, check with the bank to determine the level of liability the organization will have should it be the victim of this type of attack. Most organizations will be dismayed to hear the response, but knowledge is better than ignorance.
  4. Get Help When Needed. Organizations don't have to do it alone and simply trust that their service providers are doing everything that needs to be done. We specialize in solving the hard problems, such as providing secure environments for conducting banking and payroll operations, navigating the complex world of information security, and training users on their role in protecting the organization.
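One way for IT staff to verify that a dedicated banking/payroll workstation (step 2) is actually staying within the rules from step 1, as an added Python example that is not part of the original post: it parses constructed proxy log lines from that machine against an assumed host allowlist and reports any webmail, social-networking or general browsing. All hostnames and the log format are placeholders, not real bank or provider names.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for the dedicated banking workstation (placeholder hosts).
ALLOWED_HOSTS = {"onlinebanking.bank.example", "payroll.provider.example"}

# Hosts the post's rules say must never be reached from this machine (placeholders).
BLOCKED_CATEGORIES = {
    "webmail": ("mail.webmail.example",),
    "social": ("social.network.example",),
}

# Constructed proxy log format: timestamp user method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True if host is exactly an allowed host or a subdomain of one.

    The '.' prefix check stops look-alike names such as
    'fakeonlinebanking.bank.example' from matching."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def classify(line):
    """Return (category, host) for one proxy log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ("unparsed", None)
    host = urlsplit(m["url"]).hostname or ""
    if host_allowed(host):
        return ("allowed", host)
    for category, hosts in BLOCKED_CATEGORIES.items():
        if host_allowed(host, hosts):
            return (category, host)
    return ("general-browsing", host)

def audit(lines):
    """Return every (category, host) that violates the dedicated-machine policy."""
    return [(c, h) for c, h in map(classify, lines) if c != "allowed"]

# Constructed sample log: two permitted requests, one webmail hit, one news site.
SAMPLE_LOG = [
    "2010-10-01T09:02:11 payroll1 GET https://onlinebanking.bank.example/login 200",
    "2010-10-01T09:05:40 payroll1 GET https://mail.webmail.example/inbox 200",
    "2010-10-01T09:07:02 payroll1 POST https://www.payroll.provider.example/run 200",
    "2010-10-01T12:31:19 payroll1 GET http://news.site.example/ 200",
]

if __name__ == "__main__":
    for category, host in audit(SAMPLE_LOG):
        print(f"policy violation: {category:17} {host}")
```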

If you would like to comment on this or any other posting, you may look for me on Google+ or on LinkedIn.

InfusionPoints, Your Independent Trusted Advisor

We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employees', partners' and customers' data.