Commentary - Phishing attacks on small and medium-sized businesses are on the
rise, with thousands of organizations falling victim. If a cybercriminal
gets onto a computer with access to your business' financial accounts, they
can withdraw funds and your business is out of the money. That's it. Gone.
See ya. Have a nice day.
Unlike consumer accounts, which are subject to Federal Reserve Regulation E,
which requires banks to provide reimbursement for certain losses, business
accounts are not covered by this statute and are therefore not assured repayment
for certain losses. So don't bank on getting your money back.
And it's not just big business being targeted any longer. According to the
FBI, cybercriminals now have their sights set on the financial accounts of
small and medium-sized businesses, leading to significant disruption and
substantial monetary loss due to fraudulent transfers from these accounts.
Online job postings could cost you more than you planned
Just last month, the FBI reported that cybercriminals had stolen more than
$150,000 from a US business via an unauthorized wire transfer resulting from
a malware-infected email. In the latest phishing scams, cyberthieves are
embedding malware in email responses to job postings placed on employment
websites with the aim of obtaining the credentials of an employee authorized
to conduct financial transactions within the company. They can then easily
change account settings to send wire transfers -- which is just what they
did in the latest attack reported by the FBI.
In its "New E-Scams & Warnings," the FBI identified the malware as a
Bredolab variant, svrwsc.exe, which is connected to the ZeuS/Zbot
Trojan and commonly used by cybercriminals to defraud US businesses.
If the cybercriminal can get a company employee to open an infected
attachment or click on a link that contains hidden malware, they are in the
door. The malware logs keystrokes and allows the thief to "see" and
track the employee's activities across the business' internal network and on
the Internet, including visits to a financial institution and the entry of
online banking credentials. Using this information, the thief can and does
conduct unauthorized transactions that appear to be legitimate.
What you don't know can cost you
While you read about the latest malware or Trojan, what you may not be
hearing about are the financial losses that are hitting local businesses -
like the NY marketing firm Little & King, LLC that reportedly faced
bankruptcy last year, but apparently recovered, after $164,000 was drained
from its account.
While privacy laws may require a business to notify its customers of a
database breach, a business checking account that gets robbed in cyberspace
does not necessarily require notification. After all, it is the cash of the
business and not directly associated with customers. So the local business
gets robbed, their money wired to who knows where -- lost and never to be
recovered -- and no one outside the business is the wiser.
This is an issue for the FBI, which is hamstrung in dealing with the matter
because the money moves offshore without a trace, as increments of less than
$10,000 are not reported.
And with more small to medium-sized businesses conducting online banking,
and with employees using the same computer to surf the net and to check or
store business financial information, the problem looks set only to grow.
And if you assume that credit card protection policies apply to your
business checking account, they do not. This problem is ugly for the banks
because the money is withdrawn from them, but because it is withdrawn using
your credentials, captured by the keylogger, they avoid the liability.
This could change, but so far has not.
So what can you do?
1. Mind the cookie jar, because no one else is. Protect your business'
computers that have access to financial accounts or information. After all,
in addition to protecting your customers' privacy, without money to fund
your business you have no business.
2. Know your bank's policy on fraudulent business wire transfers
before you are hit.
3. Don't rely on traditional reactive anti-virus solutions as they
clearly are not enough. Once you've been hit there is no turning back.
4. Implement proactive technologies like application whitelisting,
which stops these attacks.
5. Enforce business policies, if possible, to only allow dedicated
computers access to financial accounts (although for the small to
medium-sized business entrepreneur on the go this is often impractical).
6. Insist that your endpoint protection vendor deal with the problem.
Symantec and McAfee are making billions on your annual subscription
payments, but are not providing protection from these threats. As a business
you may be required to use these anti-virus vendors for PCI DSS and other
regulations and standards. They must be laughing all the way to their bank.
While many businesses have spent the past few years achieving compliance,
overall small to medium-sized businesses have lost ground in keeping up with
the evolving malware and endpoint security threats. If something isn't done
quickly, your business may not only lose business, you may lose the business.
You can take that to the bank.
Biography: Paul Paget is CEO of Savant Protection, an application whitelisting
provider for SMEs and MSPs. Based in Hudson, NH, Savant Protection's
automated application whitelisting is being used by SMEs, including regional
banks, credit unions and local governments, as well as MSPs to proactively
and easily stop malware and safeguard endpoints. You can contact Paul at