Buried Warning Signs
Online banking is too profitable.
'In a year marked by record bank failures and Wall Street swindlers walking away with tens of billions of investor dollars, it's perhaps not surprising that the activities of organised cyber gangs looting at least $100 million dollars from small to mid-sized businesses went largely unheralded.'
So writes Brian Krebs in a piece from 4 January. And anyone following Brian's chronicles at the Washington Post saw what was happening. It's nothing new but Brian's way of highlighting it was.
Each and every single exploit involved malware attacking Microsoft Windows.
But this isn't a story about what people are already aware of. This is a story about what nobody is supposed to know. It's a story about how authorities - including the FBI - try to cover up the dirty details. To protect online banking and - at least inadvertently - Microsoft.
'Law enforcement and the banking industry appear to have been at odds over how and how much to communicate with the public about the seriousness and impact of these crimes', writes Brian, who goes on to relate a few sordid anecdotes previously undisclosed.
√ 21 August 2009: Brian's finishing a story about a confidential alert distributed to members of the US banking organisation FSISAC (Financial Services Information Sharing and Analysis Centre). The alert revealed the FBI are tracking a major upswing in organised attacks on compromised Windows machines resulting in tens and hundreds of thousands disappearing from business accounts. The monies are transferred by 'mules' to overseas accounts in Russia, the Ukraine, and Moldova through MoneyGram and Western Union.
But Brian needed confirmation that the alert had in fact gone out and he needed confirmation of the details he'd seen in his preliminary copy. He and his editor waited over the weekend for a callback from the FBI which finally came on Monday. But by then the information had been watered down.
The original statement had been:
Total economic impact of these activities, if they continue unabated, is likely to be in the hundreds of millions of dollars.
The above statement was completely removed. As was mention of specific destinations for the millions stolen. As was mention of Western Union and MoneyGram. And this wasn't done for the sake of diplomacy or anything of the kind. Brian explains.
This was an alert that was not intended for public distribution but merely to be sent to a small group of banks and law enforcement folks.
So why was it removed? A fraud analyst at Gartner that Brian's been in contact with says it's fear on the part of banks of their customers losing confidence in online banking.
Almost all savvy netizens know online banking is not really worth it. And it doesn't only depend on one's own local security - not running Windows and so forth: it's got to do with how good the banks' security is. Which generally is piss poor. They don't really have a clue and most people know it.
But the banks can't afford to let Joe and Josephine Six Pack learn this. Automated online banking is just too cheap and the rewards are too great. Says the Gartner fraud analyst:
The banks realise such huge savings from having people bank online that they just can't afford to go back.
Go back to manning branch offices that is. Staff cost; dusty decks don't.
√ 23 October 2009: There's a new spike in activities and a high ranking official from the FBI is quoted as having told a banking industry conference that $40 million have disappeared in 2009 alone. Time for another corroboration from the FBI.
The callback finally came towards the end of the workday but things were already changing again. Yes it was 'as of August 2009' but now they were claiming the $40 million concerned cases going back to 2004. This was indeed a shocker.
I was flabbergasted and indignant: none of my sources could recall a single case of the kind I was writing about going back further than the latter half of 2008.
Indeed. This type of sophisticated attack (with the specific malware strain being used) probably didn't even exist in 2004.
And wonder of wonders: it's only been Brian himself, Byron Acohido of USA Today and IDG's Bob McMillan who've dared cover the story. Even the Wall Street Journal tried to play it down.
This type of financial drain isn't going to stop. Not until Windows is gone. And Windows isn't gone. The banks will continue to hide the details and play down all the scary parts and the FBI, it would seem, will play right into their - and Microsoft's - hands.
'We're hackers from eastern Europe and Windows might as well have been our idea.'
Krebs on Security: Buried Warning Signs
Security Fix Archive: Small Business Victims