Digital Transactions Authoritative, insightful and timely information for payments professionals
n
Malware, or malicious software, is just that, and getting worse, according to a new Aite Group LLC report about cyber-crime and its effects on banks and businesses. Malware already has caused problems for online banking and threatens mobile devices as payments using smart phones begin their predicted boom.
n
Citing research from three Aite studies as well as interviews with 40 fraud-control vendors, Aite predicts that the amount of malware and losses from it are in for their own boom. Based on data from Panda Security, Aite senior analyst Julie Conroy McNelley estimates that 25 million new, unique strains of malware will be released this year and that number will grow to 87 million strains in 2015.
n
Meanwhile, Aite is estimating losses from corporate account takeovers at $210 million this year, losses that will escalate to $371 million by 2015. Many such takeovers happen after malware is installed on a computer through the opening of an e-mail attachment or a user visiting an infected Web site. Cybercriminals also are now using social networks to plant malware by luring corporate employees and consumers with invitations or other messages.
n
Some 67% of 110 controllers of mid-sized and small businesses interviewed by Aite in June said their companies had not been targets of online fraud, while 23% reported there had been an unsuccessful attempt against them. Six percent said there was a successful attempt but no loss, while 4% reported sustaining a loss after a successful attempt.
n
McNelley tells Digital Transactions News that despite law enforcement’s best efforts, the developers of malware have the upper hand. “There’s very little in the way of deterrent, there’s not much to stop these guys,” she says. “That’s not to say law enforcement is doing a bad job.” She notes that all a malware developer has to do is be successful merely one time in 100 attempts to reap a tidy return on his efforts. And most malware developers are based outside the U.S. and do not target domestic companies and computers, thereby avoiding the attention of local authorities.
n
The report summarizes a number of successful, high-profile corporate account takeovers, some of which have led to lawsuits. In one 2009 attack that resulted a $560,000 loss, the online-banking credentials of Experi-Metal, a Michigan auto-parts maker, were compromised through a so-called “phishing” attack. Thieves stole $600,000 from the Catholic Diocese of Des Moines, Iowa, in 2010 after obtaining online-banking credentials and transferring funds to mule accounts via the automated clearing house.
n
Malware comes in many different varieties, some of them closely related. Many malware programs are so-called Trojans that disguise themselves as applications and are the source most corporate account takeovers. A “man-in-the-middle browser” can bypass most forms of strong authentication and covertly modify pages or transaction content, or insert transactions, according to Aite. The ZeuS program, which cyber-criminals have used to compromise online-banking sites, is probably the most famous Trojan, though some cyber-criminals now use newer variants.
n
Other types of malware include man-in-the middle applications that can capture data in digital communications between a user and Web site; viruses; worms that replicate themselves and damage host systems, and rootkits, which are programs intended to hide evidence of an attack. Botnets, meanwhile, are groups of malware-infected computers under control of cyber-criminals.
n
While malware typically causes its biggest losses through corporate account takeovers, consumer computers are frequently compromised with the programs. Executives with 26 North American financial institutions interviewed by Aite are trying to simultaneously protect their corporate and consumer-facing systems. Forty-six percent said their commercial online systems had the highest priority for fraud-prevention technology investment, followed by online and mobile systems at 29%. The rest cited check and credit and debit card systems. “Just because the corporate account-takeover attacks are causing the banks the most pain, that doesn’t mean they’re not targeting consumers, too,” says McNelley.
n
Security experts have been saying with increasing frequency over the past year that mobile phones represent a growing source of potential data theft. McNelley notes that variants of ZeuS have already successfully attacked mobile-banking applications, and a version of the SpyEye malware has emerged that can intercept short message service (SMS) data on mobile phones.
n
Banks and businesses, while under computerized attack, are getting better at defending themselves by improving authentication procedures and taking other steps, the report notes. Part of the greater attention on better defenses is the result of new guidelines published earlier this year by the Federal Financial Institutions Examination Council, the consortium of federal banking regulators.
n
n
n
nn
