May 17, 2011 at 6:15 AM ET
One moment of weakness -- a single click on a bogus e-mail link or website -- has cost many U.S. companies nearly $1 million apiece, the FBI said. And it has transported them into a world of international intrigue worthy of a spy novel, connecting them to a crime ring linked to six Chinese port cities near the Russian border.
In a sternly worded warning that included a remarkable level of detail for an FBI press release, the agency is warning U.S. businesses and banks to be wary of wire transfers headed to Chinese cities of Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning.
It's unclear if the stolen funds remained in China or were transported elsewhere, and U.S. security firms are currently debating the significance of the notice. But the high-dollar value of the thefts, combined with their high-profile destination -- any government cybercrime warning that involves China raises eyebrows -- has attracted unusual attention in the banking community.
Transactions headed to those Chinese cities should be "heavily scrutinized, especially for clients that have no prior transaction history with companies in the Heilongjiang province," the FBI said.
Wire transfers -- often in the $900,000 range -- were repeatedly sent from U.S. firms to legitimate Chinese trading companies in Heilongjiang. Sending the money through international trade firms -- which are believed to be victims, also -- helped minimize suspicion. In a release dated April 26, the FBI said criminals had recently attempted to steal $20 million and got away with $11 million, a staggering success rate.
Online criminals have shifted their focus away from consumer accounts and onto larger business accounts, experts say. Commercial accounts have larger balances, involve more frequent transactions and the destinations for payment are much more varied, making hacker theft much harder to detect.
"These are small- and medium-sized businesses at the heart of the economic recovery who are devastated by this. In many cases banks do chose to share in losses, but it's still devastating," said Terry Austin, CEO of Guardian Analytics, which provides security to banks. He said his firm detected several attempted transactions that fit the scenario laid out by the FBI, including the Chinese destination cities. "This notion that banks and credit unions are under relentless attack -- this is just one more example of the size and boldness of attacks -- is a story that needs to keep getting told."
Even if China is merely an intermediary step in the heists, it's significant that the FBI chose to call out Chinese cities in its release, said Avivah Litan, a bank security analyst for Gartner.
"I have never seen a fraud alert with this much specificity," Litan said. "It makes you think. There is definitely a Chinese connection, though we don’t really know what it is.”
She speculated that the criminals could be behind other well-publicized computer break-ins that have been blamed on Chinese hackers.
“You would think it could be the same spies for the Chinese government who have been wreaking havoc, and they need to pay for their efforts. Usually bad guys rob accounts to fund other activities. But that's just speculation,” she said. “It also strikes a familiar chord since perpetrators originating in China are rumored to be behind the recent spate of (advanced persistent threat) attacks against security companies like RSA Security and others, some of which I hear have not been publicly disclosed. It makes you wonder if our intelligence and law enforcement agencies are closing in on loosely organized criminal Chinese rings that perpetrate various types of fraud for financial and political gain, and if the same rings are involved in multiple activities.
The highly-skilled hackers in the FBI warning managed to control computers on both ends of the transactions -- hijacking computers than can access small business accounts on the U.S. side, and also computers in China that can access accounts belonging to legitimate trading firms there. That helped them cleverly cloak their activities. It also might be the reason the FBI called out Chinese cities by name, said Mickey Boodaei, CEO of Israel-based Trusteer, a security firm.
"The main reason the FBI issued a release was because they had actionable intelligence about how to ID these transactions and block them and wanted to reach a wide audience of banks and online bankers and let them know they should be really careful," he said.
The criminals were smart enough to rotate destinations for the money quickly in an effort to further evade suspicion, the FBI said. So there's no reason to believe hackers haven't already moved on to other cities. All experts interviewed for this story said they thought the $11 million value of this specific heist represented just the tip of the iceberg. Litan said she believed it's a $1 billion global problem.
"This is just a very common occurrence now at banks, with criminals robbing small business accounts and moving the money offshore," she said.
In each case, the FBI said, the money was sent to one of three Chinese banks: “Agricultural Bank of China, the Industrial and Commercial Bank of China, (or) the Bank of China.”
Guardian Analytics’ monitoring software, which Austin says spotted and stopped fraudulent transactions headed to those six Chinese cities, offer a rare detailed glimpse into how the criminals operated.
The target "could be a construction company, a real estate company, a school, a church. Any business that has a commercial account that it uses that to pay suppliers and vendors," he said.
An employee inside the firm who has the ability to wire funds through those accounts is targeted with an attack. Once he or she takes the bait -- perhaps laid through a booby-trapped e-mail, or an infected website -- the criminals gain access to a computer and an account at the firm authorized to wire money.
In some cases, the theft involves simply logging into an online merchant account and initiating a wire transfer. But even companies with far more sophisticated security protections have been victimized, Austin said. Some firms require dual authorization for a financial transfer, or at least a phone call for verification. The criminals are smart enough to arrange for a bypass approval, or to reroute the approval phone calls to numbers they control, he said. They even spent weeks observing an account to find out when the balance is highest and watch transaction patterns so criminal wire transfers won't raise alarm bells, Austin said.
"They often go through a multi-step setup before the crime," he said.
If the bank requires two-factor authentication – perhaps the entering of a code from a token along with a password -- the criminals lie in wait until the employee logs in to the bank account, and then make their move by "hijacking the session," Austin said.
The criminals go to impressive lengths to hide their tracks. After a session is hijacked, according to the FBI, they send the legitimate user to a fake webpage saying the bank website is under maintenance.
"While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account," the FBI said.
Even after the transaction, the criminals continue to cover their tracks -- sometimes, doing the virtual equivalent of swapping out a security camera video, said Boodaei, the Trusteer executive. They have the ability to temporarily intercept all communication between the customer and the bank, and make the stolen funds undetectable.
"One feature we've seen is that they can show the target firm their what looks like the correct balance, before the theft, so unless you have another way of checking your balance you won't be able to identify that something suspicious has happened," he said. "It's part of the way they fly under the radar. ... They are studying victims very carefully, and adjust their attacks based on each firm."
In one case, according to the FBI, the criminals wiped the hard drive of the computer used in the attack to prevent the firm’s technology department from investigating.
Behind many of the attacks, according to the FBI, is a notorious Trojan horse program called Zeus, which could be the most lucrative piece of malware ever created. The software, designed specifically for stealing money from banks, is so powerful that its author was once able to command $3,000 to $4,000 for its sale, according to security firm SecureWorks.
The anonymous author even baked piracy protection into the software, to ensure that criminal users paid up.
Zeus now comes in many forms, but its widespread infection rate makes it a powerful tool for cyber-criminals. Security firm RSA recently claimed that 88 percent of Fortune 500 companies have at least one workstation infected with Zeus; Boodaei said that 1 in 200 computers on the Internet are infected.
"The infection rate is usually lower with enterprises than with consumers, but I would guess that any firm with more than 1,000 desktops should expect at least one Zeus infection, if not many more," he said.
To show how creative criminals have become with Zeus -- and how powerful the software is -- Trusteer recently described an elaborate Zeus attack that tricks consumers into buying fake investments from a make-believe investment house. Zeus-infected PCs will substitute banner ads on real news Web sites, including Forbes.com, CNN.com, and ESPN.com, with ads for their investment vehicle, which promise large returns. Clicking on the ad reveals a webpage named URSInvestment.com, in which the news site appears to legitimize the investment. Ultimately, consumers are asked to wire minimum investments of $1,000, $5,000, or $10,000 to the firm to open an account.
"With attack code already developed to the point where it can convincingly mimic real websites and trusted brands, it appears criminal groups are bulking up investments in marketing communications to make their scams harder to differentiate from legitimate business offers presented to web users," wrote Trusteer's Amit Klein in a blog post describing the attack.
Whether the criminals are in China, or simply using Chinese firms to help wring money out of the banking system, Austin said it's important for companies to know how common these kinds of attacks have become.
"Remember this is one event being reported on with one specific set of circumstances," said Austin. "There is very little risk if they fail. There is no retribution, none of the typical risks associated with robbing a bank. We're seeing that play out with more and more frequency."
Comments begin below. Comment anonymously by sending an e-mail to BobSullivan@feedback.msnbc.com