Cyberthieves loot SMBs, transfer millions to firms in China, FBI warns

More than $11M stolen from 20 businesses in past month

Some U.S. companies may unwittingly be funding businesses in China to the tune of millions of dollars.

An alert (PDF) from the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) this week warned U.S. small and medium businesses (SMBs) to be on the lookout for online account takeovers and fraudulent Automated Clearing House (ACH) transactions.

The warning stems from a rash of recent incidents in which online bank accounts belonging to SMBs were hijacked and money from them was stolen and transferred to accounts apparently held by several legitimate businesses in China's Heilongjiang province along the Russian border.

Between March and April, the FBI identified at least 20 incidents in which cybercriminals compromised SMBs' banking credentials, such as usernames, passwords, or authentication tokens, and used them to electronically wire money to accounts held by "Chinese economic and trade companies," the alert said.

The illegal wire transfers have ranged from $50,000 to $985,000, with the majority involving sums of $900,000 or more.

Many of the companies that have received the money are registered in port cities such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The companies appear to be legitimately registered businesses and typically have accounts at the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China, the alert said.

So far, the break-ins have siphoned $11 million out of SMB accounts. In all, the crooks have attempted to steal $20 million in the past month from SMBs, the alert warned.

Such online account takeovers are not new. The FBI, the FS-ISAC, and NACHA, the body that oversees the ACH network, issued a similar warning in the fall of 2009.

At that time, the FBI said several new cases were reported weekly. In most instances, the crooks used sophisticated keystroke logging and Trojan horse programs to steal login credentials from company employees authorized to initiate funds transfers on behalf of the business, the FBI had noted in that alert.

The same warnings were repeated in this week's alert. The alert noted that the malware used in the recent attacks had not been identified in all cases, but at least some instances involved the ZeuS banking Trojan, a keylogger, and Spybot, an IRC backdoor Trojan.

In addition, one victim reported being hit with a malware program that allowed the hackers to completely erase the hard disk of the infected computer before any investigations could be done, the alert said.

The FBI alert urged banks to notify customers if they notice any wire transfers destined for Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning.

Avivah Litan, an analyst with Gartner, said that banks need to do more to mitigate such attacks, especially since they are in a better position to tackle the problem.

"These attacks are using the same techniques that have been used for a couple of years against business bank accounts and more recently against enterprise systems and security companies," Litan said. "The attacks keep coming, because most banks have yet to build up sufficient defenses," she said.

There has been speculation that the Federal Financial Institutions Examination Council (FFIEC), a standards-setting body for financial institutions, could soon require banks to implement stronger forms of user authentication, but no action has been taken.

A Gartner survey conducted in February found that many banks continue to rely on "crude" security measures, such as cookies and secret questions, to protect online accounts, Litan said.

"Nearly two-thirds of the surveyed banks manage their fraud detection and customer authentication projects by committee, which means 'it's always someone else's responsibility.' It should come as no surprise, then, that the attacks are succeeding."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
