NEW YORK and MADISON, Wis. (3/28/12)--Cyber thieves have used banking Trojans, such as the infamous Zeus, to compromise log-in credentials for credit unions to third-party electronic funds transfer systems, such as automated clearing houses and wire transfer systems, says a risk alert to bond policyholders of CUNA Mutual Group.
On March 19, CUNA Mutual sent the risk alert, saying the cyber thieves had transferred funds to accounts at other financial institutions, both foreign and domestic, and the losses have been significant, exceeding $1 million in one case, said a report in the New Jersey Credit Union League's newsletter, The Daily Exchange (March 20).
Access was gained at various access points, said the risk alert. In a few cases, the thieves circumvented the dual control requirement that requires a second employee to login to the ACH and/or wire transfer system to approve the transfer.
Among the suggestions made in the risk alert: use a dedicated computer to access third-party ACH and wire transfer systems, and prohibit it from being used for e-mail and Internet browsing. If a dedicated computer isn't possible, use a separate operating system and browser written to a USB flash drive and access the ACH or wire transfer system through the flash drive browser.
CUNA Mutual also suggested prohibiting telecommuters from accessing the ACH and/or wire transfer system using their home computers.
In another security development, several banking Trojans have developed a new type of attack specifically designed to postpone discovery as long as possible, said Trusteer, a security company in PCMagazine (Jan. 4). After the theft, the Trojan manipulates the victim's view of online transactions, hiding the fraudulent activity. Those who haven't gone paperless eventually receive evidence in their mailed statement, but by hiding online evidence the criminals buy more time to siphon off more funds or complete their theft.
Normally a banking Trojan like Zeus or SpyEye will insinuate itself into a victim's browser and take control of the online banking experience using a "man in the browser" attack. Some directly capture the login credentials, some display a false warning page asking the user to enter personal information, and others divert real transactions to criminal payees. By the time the victim notices, it's too late.