Nothing Personal, It’s Just Business

March 5, 2012

While the Security 500 may have CSOs, CISOs and CIOs leveraging state-of-the art-technology to prevent cybercrime, the real arms race is upon the Security 50,000 (small and medium business or SMBs). And while the large organizations, if impacted, will have sway with their banks and made whole, the SMBs are more likely to end up the victim of crime, often without recourse.

While this may sound like an IT issue (which is the reason cybercrime is so rampant and ill defended), it is truly a business issue that requires solutions at the corporate risk and security levels. From an economic view, America is losing money, intellectual property and jobs.

During testimony at a recent Congressional hearing titled, “Cybercrime and the Private Sector,” Entrust President and CEO Bill Conner discussed what is actually happening to US businesses that do not have adequate protections against advanced cyber criminals. It was fascinating and frightful, all at once.

The most critical risk SMBs face is known as “man in the browser” software and it is the leading cause of theft today. This is cloaked software that your desktop antivirus software or operating system will not detect or disable. Typical SMBs are not protected.

Conner noted these key points:

Both countries and organized crime are involved, namely in Ukraine and Russia.
There is no legislation or regulation directly addressing this issue.
There is no clear case law regarding this issue.
This is not a threat; thefts are occurring daily to U.S. SMBs.
Cybercriminals are operating large, sophisticated businesses.
A significant public/private partnership is required to mitigate this risk.

The original “man in the browser” spyware, Zeus merged (yes, like a corporate merger) with SpyEye in 2010 (the Zeus investors took their money and got out like any typical venture capital firm). In February 2011 SpyEye and Zeus were developed into a new product that can be purchased with 24/7 support. The criminals no longer have to be great programmers or hackers; they simply need to be criminals. Once purchased, SpyEye will help the criminals vector their attacks on specific businesses, banks or geographies. If you haven’t guessed this by now, SpyEye is a major, criminal enterprise with next generation software.

Byron Acohido wrote in USA Today last August (when SpyEye was first released) that Damballa Corporation research identified within the first week of it being available, 14 cyber-rings took advantage by sending commands to tens of thousands of infected PCs in the U.S. and Europe.

And it is widely available. The article noted, “SpyEye normally sells for up to $10,000. But, as of last week, the latest, most powerful version of SpyEye could be acquired for just $95.”

“How it works is real simple and very complicated,” Conner said in his testimony. He explains: “A controller at an SMB goes online to their financial institution and moves $10,000 to a supplier through their online bill pay. Once entered, the Man in the Browser software wakes up and changes the payees from the one supplier to six mules. And changes the $10,000 to $100,000. The bank sees the request to pay $100,000 to six different payees and it sees good security. The user name and password are correct. The account information is correct. The IP address is correct. The bank sends a confirmation to the business using a 30-year-old security technology, including a one-time use password that is valid for 30 seconds. The software wakes up again and changes the payment request from six payees back to one and from $100,000 to $10,000. The controller sees the request as accurate and hits the confirmation button. The $100,000 is gone. The bank loses it, the business loses it, the supplier has not been paid and the six mules funnel that money back into organized crime.”

Unlike personal banking where individuals are protected by the FDIC, the SMB is protected by NOTHING.

As an example, Conner shared the story of an SMB that had only done four transactions within the last year and had a $500,000 limit on its account. Its account experienced 20 transactions within six hours totaling $2,000,000. The bank claimed they did not do anything improper and the Court sided with the bank.

SMBs are not educated on the business risk or the technology available and banks are not taking appropriate measures. While Conner’s testimony ended with the realization that a very serious private/public partnership must be launched to combat this cyber arms race, it is clearly upon you in the Security 50,000 to recognize this as a business risk, not an IT problem. The “man in the browser” is a criminal, but a businessman first. Stealing your money is their business.

Mark McCourt was once the publisher of Security magazine.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.