Small businesses have a new scam to worry about: criminal job applicants who want to break into online corporate bank accounts. I have written about this before in the past:

http://jet-computing.com/category/banking/

There is a much larger story here and that is, it seems to be a verboten topic that no one calls out. The reason all this stuff is allowed to occur, is due to Windows OS insecurity flaws. If you were to purchase a product, and that product allows someone to steal money from you, wouldn’t you sue the creator of that product? Of course.. However, due to the End-User License Agreement (EULA) that you agreed upon, you gave up your rights, when you bought a computer with Windows. A EULA is a legal contract between the manufacturer and/or the author and the end user of an application.

Companies are STILL permitting users to open email attachments on computers with significantly important capabilities. This is a flagrant violation of basic IT security principles. This is not the result of some brilliant hacker finding a hole and stealing hundreds of thousands of dollars with it. This is merely poor training and poor IT security on the part of the hiring department. Please understand, anyone who reads this, that it is fundamentally important to nullify such a common and ancient attack vector with basic training and obvious security principles.

The U.S. Federal Bureau of Investigation issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud.

With ACH fraud, criminals install malicious software on a small business’ computer and use it to log into the company’s online bank account. They set up bogus fund transfers, adding fake employees or payees, and then move the money offshore. Scammers can move hundreds of thousands of dollars in a matter of hours using this technique. They often target small businesses that use regional banks or credit unions, which often don’t have the resources to identify and block the fraudulent transfers.

In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications.

An unnamed U.S. company recently lost $150,000 in this way, according to the FBI’s Internet Crime Complaint Center. “The malware was embedded in an e-mail response to a job posting the business placed on an employment website,” the FBI said in a press release. The malware, a variant of the Bredolab Trojan, “allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.”

Here is a map of past victims http://www.batchgeo.com/map/483cd995e217a9dc46d4386db15413c5

This scam has been around for years, according to security vendor SonicWall, which reported the Trojan last July.

The typo-filled Trojan that SonicWall spotted looked like a Word document and read: “Hello! I have figured out that you have an available job. I am quiet intrested in it. So I send you my resume, Looking forward to your reply. Thank you.”

In the case reported by the FBI, the Trojan was used to transfer money to Ukraine and two other U.S. bank accounts.

“The FBI recommends that potential employers remain vigilant in opening the e-mails of perspective employees,” the FBI said.
There are a few things consumers and small businesses can do if they’re unsure about e-mail attachments. The safest is to delete the attachment and write back to the sender asking for a plain text version. Alternatively, they can open the document in Google’s Gmail to see if it appears legitimate or send via Fax.

The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud US businesses.

The FBI recommends that potential employers remain vigilant in opening the e-mails of perspective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions.

For more information on this type of fraud and prevention tips, please refer to previous Public Service Announcements by clicking the links below:

• http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf
• http://www.ic3.gov/media/2010/WorkAtHome.pdf
• http://www.ic3.gov/media/2009/091103.aspx

Anyone who believes they have been a target this type of attack should immediately contact their financial institutions and local FBI office, and promptly report it to the IC3′s website at www.IC3.gov. The IC3′s complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The IC3 also uses complaint information to identify emerging trends and patterns.

Below are two images on how this system plays out and operates:

This entry was posted on Saturday, January 22nd, 2011 at 07:36 by dsmith and is filed under Attack, Banking, Exploit, Flaw, Malware, Vulnerability, Windows. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.