Banking Trojans targeted third-party EFT systems
NEW YORK and MADISON, Wis. (3/28/12)--Cyber thieves have used banking Trojans, such as the infamous Zeus, to compromise credit unions' log-in credentials for third-party electronic funds transfer systems, such as automated clearing houses and wire transfer systems, says a risk alert to bond policyholders of CUNA Mutual Group.

CUNA Mutual sent the risk alert on March 19, said a report in the New Jersey Credit Union League's newsletter, The Daily Exchange (March 20). According to the alert, the cyber thieves had transferred funds to accounts at other financial institutions, both foreign and domestic, and the losses have been significant, exceeding $1 million in one case.

Access was gained at various access points, said the risk alert. In a few cases, the thieves circumvented the dual-control requirement, under which a second employee must log in to the ACH and/or wire transfer system to approve the transfer.

Among the suggestions made in the risk alert: Use a dedicated computer to access third-party ACH and wire transfer systems, and prohibit it from being used for e-mail and Internet browsing. If a dedicated computer isn't possible, use a separate operating system and browser written to a USB flash drive and access the ACH or wire transfer system through the flash drive browser.

CUNA Mutual also suggested prohibiting telecommuters from accessing the ACH and/or wire transfer system using their home computers.

In another security development, several banking Trojans have developed a new type of attack specifically designed to postpone discovery as long as possible, said Trusteer, a security company, in PCMagazine (Jan. 4). After the theft, the Trojan manipulates the victim's view of online transactions, hiding the fraudulent activity. Those who haven't gone paperless eventually receive evidence in their mailed statement, but by hiding online evidence the criminals buy more time to siphon off more funds or complete their theft.

Normally a banking Trojan like Zeus or SpyEye will insinuate itself into a victim's browser and take control of the online banking experience using a "man in the browser" attack. Some directly capture the login credentials, some display a false warning page asking the user to enter personal information, and others divert real transactions to criminal payees. By the time the victim notices, it's too late.