Organized cyber crime networks based in Eastern Europe have started attacking small- and medium-sized enterprises in the United States in a crime wave that has caused damages of millions of dollars, causing substantial concern among the major U.S. financial institutions, The Washington Post reported.
A task force representing the financial industry sent out an alert last Friday: "In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses".
The alert was sent to members of the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector. The group is operated and funded by American Express, Bank of America, Citigroup, Fannie Mae and Morgan Stanley.
Because the targets tend to be smaller, the attacks have attracted little notoriety, but the industry group said some companies had suffered hundreds of thousands of dollars or more in losses.
Many have begun to come forward with their cases. In July, a school district near Pittsburgh sued to recover 700,000 USD taken from it. In May, a Texas-based company was defrauded of 1.2 million USD. A company in Baton Rouge, Louisiana, reported the theft of 100,000 USD.
In many cases, the same crime pattern is employed: an email is sent containing malware designed to steal passwors, which are later use to siphon amounts below 10,000 USD.
The cyber criminals enlist the help of middlemen, who open bank accounts and send the stolen money to the masterminds, who are, in most cases, based in Eastern Europe.
"Eastern European organized crime groups are believed to be predominantly responsible for the activities" the alert warns. The FBI said it had started to work on the problem.
The Financial Crimes Enforcement Network, a Treasury Department division that tracks suspected cases of fraud reported by banks, said incidences of wire-transfer fraud had risen by 58% in 2008. But experts say reliable figures about losses from commercial online banking fraud are hard to obtain as and many incidents go unreported.
Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges, but companies have roughly two business days to report fraudulent activity in order to prevent the transfer from being validated.
In April, hackers stole 1.2 million USD from Unique Industrial Product Co., a company registered in Texas. Manager Pankaj Malani, said a forensic analysis had shown that the attackers had used malware planted on the company"s computers to initiate 43 transfers out of the company"s account within 30 minutes. The attackers sent some of the funds directly to Eastern Europe and the rest through people in the United States.
Malani said the FBI was investigating the case, but because the company had reported the fraud quickly, the bank had been able to retrieve all the amount, except for 190,000 USD.