$479,000 heist from small business bank account lends weight to calls for online banking 'lock-down'

Criminals have stolen more than $479,000 from a Pennsylvania housing development authority after infecting its computer system with the notorious Clampi Trojan. The crime is the latest in a rash of heists from small business banking users in the US that has led some industry bodies to suggest radical lock-down procedures for companies banking online.

According to local press reports, the Trojan was installed through a fake Web site purporting to belong to Cumberland County Redevelopment Authority's bank, M&T.

Once installed, Clampi stole passcodes which were used to transfer the money to bank accounts set up by the hackers at 11 different financial institutions. About $109,000 has been recovered since the money was taken on 22 September.

The incident is just the tip of the iceberg, if Brian Krebs of the Washington Post's SecurityFix blog is to be believed. He reports multiple cases of small business and non-profit organisations falling victim to similar sophisticated Trojan attacks.

Concern over the upsurge in cybercrime has moved the bank-backed Financial Services Information Sharing and Analysis Centre to issue a confidential alert to members about the dangers posed to small businesses when banking online.

The note recommends that commercial banking customers should be induced to "carry out all online activity from a standalone, hardened and locked-down computer from which e-mail and Web browsing is not possible".

Separately, four members of a London-based cyber gang have pleaded guilty to charges relating to the theft of £600,000 from bank customers, reports the Press Association.

The gang infected victim PCs with a Trojan and waited until the victims logged in to their bank accounts. The software then checked that the accounts contained enough money before insinuating itself into online cash transfer procedures.

Victims were presented with a page containing a fake Natwest logo and asked to type in passwords, PIN numbers and telephone numbers. Money was then siphoned off to mule accounts and eventually Eastern Europe.

In total, 138 customers were conned with £600,000 stolen, although Natwest has recovered about £140,000.

Azamet Rahmanov and three co-defendants, who have variously pleaded guilty to the conspiracy and money laundering counts at Southwark Crown Court, will be sentenced next month.

Hacker takes almost $480,000 from authority - The Sentinel

Internet fraud gang faces jail - PA
