Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

News Now

CU System
Banking Trojans targeted third-party EFT systems
NEW YORK and MADISON, Wis. (3/28/12)--Cyber thieves have used banking Trojans, such as the infamous Zeus,  to compromise log-in credentials for credit unions  to third-party electronic funds transfer systems, such as automated clearing houses and wire transfer systems, says a risk alert to bond policyholders of CUNA Mutual Group.

On March 19, CUNA Mutual sent the risk alert, saying the cyber thieves had transferred funds to accounts at other financial institutions, both foreign  and domestic, and the losses have been significant, exceeding $1 million in one case, said a report in the New Jersey Credit Union League's newsletter, The Daily Exchange (March 20).

Access was gained at various access points, said the risk alert. In a few cases, the thieves circumvented the dual control requirement that requires a second employee to login to the ACH and/or wire transfer system to approve the transfer.

Among the suggestions made in the risk alert:  use a dedicated computer to access third-party ACH and wire transfer systems, and prohibit it from being used for e-mail and Internet browsing.  If a dedicated computer isn't possible, use a separate operating system and browser written to a USB flash drive and access the ACH or wire transfer system through the flash drive browser.

CUNA Mutual also suggested prohibiting telecommuters from accessing the ACH and/or wire transfer system using their home computers.

In another security development, several banking Trojans have developed a new type of attack specifically designed to postpone discovery as long as possible, said Trusteer, a security company in PCMagazine (Jan. 4).  After the theft, the Trojan manipulates the victim's view of online transactions, hiding the fraudulent activity. Those who haven't gone paperless eventually receive evidence in their mailed statement, but by hiding online evidence the criminals buy more time to siphon off more funds or complete their theft.

Normally a banking Trojan like Zeus or SpyEye will insinuate itself into a victim's browser and take control of the online banking experience using a "man in the browser" attack. Some directly capture the login credentials, some display a false warning page asking the user to enter personal information, and others divert real transactions to criminal payees. By the time the victim notices, it's too late.
Other Resources


News Now LiveWire
.@NACHAOnline report: ACH volume increases to 23B payments in 2014
1 day ago
.@CUNA's @HampelBill in @washingtonpost on options for wary mortgage borrowers:
1 day ago
Housing starts thaw, mortgage rates stand pat #Market #NewsNow
1 day ago
.@CUNA files #RBC2 comment, urges #CU system to be heard #NewsNow
1 day ago
#NewsNow Youth Month attracts 100,000th member for Mich. CU
1 day ago