Businesses that bank online need to be aware of the increase in fraudulent bank transfers happening around the country. The impact on businesses can be devastating because, unlike consumers, who are covered by their bank for any losses, businesses rarely recoup the funds lost to fraud.

This trend has become so extensive that an alert was issued by the Financial Services Information Sharing and Analysis Center, an industry group established to share information about critical threats to the financial sector. It warned of “a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses.”

These cyber bank robbers use very sophisticated malware designed to steal a company’s online banking credentials. Once they have acquired the login credentials, such as names and passwords, they take over the commercial account and siphon money away through a series of wire transfers using electronic payment networks.

The FDIC warned that some types of malicious code lie dormant until an online banking login session is initiated, which then alerts the crooks to act. Because of how the code is packaged and installed, these banking Trojans are able to get through antivirus filters and go undetected until it’s too late. The planted banking malware tools also make it difficult for the banks’ security measures to detect the theft because it appears the crooks are using the computer associated with the credentials.

Employees can unknowingly infect their computer by browsing an infected Web site, opening a fraudulent email message or email attachment that looks legitimate, downloading files via peer-to-peer file sharing, or through other infected computers within the company’s internal network.

Few businesses have come forward to admit they were victimized, but the number is growing. The Security Fix blog in the Washington Post has been reporting on every intrusion discovered and learned that this new threat to smaller companies appears to have started with Bullitt County, in Kentucky, when cyber criminals based in Ukraine stole $415,000 after planting malicious software on the county treasurer’s PC.

ISSUE: September 2009

Sign Designs, Inc. in Modesto, CA, lost nearly $100,000 when cyber thieves used the company’s credentials to log into its online banking account and initiate a series of transfers to 17 accomplices around the country. Ferma Corp., a Santa Maria demolition company, discovered in July that $447,000 was taken from its bank account. Security Fix reported that it wasn’t Ferma’s bank that notified the company; it was a financial institution at which several of the mules (accomplices) had recently opened accounts. Ferma was able to work with that bank and stop at least $232,000 worth of bogus transfers. Reports of this incident state that Ferma’s bank is holding back money it recovered until Ferma agrees to sign a document stating it won’t sue for the remaining losses. It turns out that the two-factor authentication used by Ferma’s bank wasn’t able to stop the thieves. More victims of this scheme are stating they are in the process of suing their banks for not stopping the transfers. It’s easy to understand why banks and their business customers are at odds in determining the culpability for these thefts.

One of the largest thefts identified so far was reported by Unique Industrial Product Co., a Sugar Land, Texas-based plumbing equipment supply company. Cyber thieves stole $1.2 million when attackers used malware planted on its computers to initiate 43 transfers out of the company’s account within 30 minutes. They were lucky because the company spotted the fraud quickly and their bank was able to retrieve all but $190,000 of the stolen money.

Businesses aren’t the only targets. These cyber crooks are also targeting public and private schools. The Western Beaver School District outside of Pittsburgh, PA, had $704,610 transferred from the school’s account at ESB Bank in 74 separate transactions. It was reported that malware installed on the superintendent’s computer tricked the bank’s system into authorizing the series of money transfers. It is alleged that the bank processed the last 19 transfer requests three days after it knew of the scheme and was told by the district’s superintendent to stop. The school district is suing ESB to recover its loss. In August, hackers also broke into the Sanford School District in Colorado and set in motion a series of $10,000 withdrawals from the school’s payroll account totaling $117,000 before an employee noticed the phony payments. Sand Springs Oklahoma School District also had a series of bogus payroll payments totaling more than $150,000. And at Marian University, a Catholic university in WI, the thieves stole more than $189,000 disguised as payroll transfers.

Unfortunately, the list of victims is growing because these supposedly Eastern European cyber criminals are finding it easy to get their hands on your money. Ask yourself if your security architecture is protecting your company’s critical business processes.

Besides adopting strong authentication, NCX highly recommends segregating computers used for online banking transactions. Using a dedicated, stand-alone system isolated from your local network and day-to-day use will greatly reduce exposure to Trojans. It is also recommended that an alternative operating system be used for financial account access. Minimize your exposure to vulnerabilities by keeping your software current and updating your antivirus daily. This removes the opportunity for malware to take hold when an update is already available. Role-based access control and data classification rules also play a key role in securing high-risk transactional workstations and servers.

If users sense a lag in the business financial banking site or the site indicates it is down for maintenance, notify your bank immediately. Keylogging software may be active, and a forensic search for the banking Trojan “Clampi” or its variants should be conducted on the machine. A Trojan horse program known as “Zeus” may also be the cause; it allows the attackers to change the display of a bank’s login page as a user is entering their credentials. The user is usually sent to a duplicate, non-authentic site that gives an explanation of the downed site and suggests they try again in 15 minutes. By the time the user tries again, the crooks have already intercepted the credentials and “raided” the bank account.

Advise your users to be cautious and alert them to this most dangerous trend. NCX is ready to assist you in any forensic discovery.

For a free consultation on how our experts can help you secure your data at a price that will fit your budget, call us at 888-448-5451 or request a representative to call you.

NCX Group, Inc. is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today’s technologies and business processes.

NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
Copyright ©2009 NCX Group, Inc. All rights reserved.