The FBI has said it is investigating thefts in the last five years of more than $100 million from small and medium sized businesses that fell victim to spear-phishing attacks which siphoned funds from their bank accounts. There are more of the attacks reported each week, they said.
The attacks typically involved malware sent by email that installed key loggers and targeted someone in the company who could initiate fund transfers. The criminals used the key loggers to capture the victim’s banking log-in information then initiated fund transfers to money mules, generally in amounts below $10,000 – the level that triggers currency transaction reporting. The mules transfer the funds to the criminals via Western Union or other international money transfer systems.
The phishing emails were sent from groups or people known to the victims so they wouldn’t be inclined to consider them fraudulent.
Among other measures, the FBI suggests removing the company organization chart from web sites in order to preclude spear-phishing emails that target company financial personnel.
The report also said:
“Discussions with Federal law enforcement agencies, commercial security intelligence service providers, and commercial incident response companies reveal the effectiveness of existing signature-based anti-virus and intrusion prevention systems is diminishing in the face of the rapidly evolving malicious code environment and the prevalence of custom-designed, signature-defeating malicious code.
“Consequently, an approach not fully dependent on those systems must be considered, with particular emphasis on user privilege reduction, application white listing (only allowing known software and libraries to execute on a system), and heuristic detection.”
VIPRE MX-V technology can cover you on the “heuristic detection” front.
FBI Intelligence Note here.