Why go to the trouble of taking money out of people’s accounts if you can get them to just give it to you?
That, apparently, is the logic behind hackers who use stolen passwords and information from breaches to send fake wire transfer requests to trick recipients into approving funds transfers.
Take, for example, the Ashley Madison breach where email addresses were obtained. While at first glance a bank may see no immediate fraud issue with such a breach, let’s look at an example of what can be done with this type of data.
Very recently, a mid-size bank with assets over $5 billion received a wire request using a seemingly legitimate email address and password, and the transfer was sent through. Even though the contents of the email are unknown, it’s apparent the employee was disinclined to call and question a request from a board director. Upon discovering this, the wire department suspended email requests for the remainder of the day.
Another example: at a small business, the accountant received what appeared to be an email from the CEO requesting approval of a wire transfer. At first glance, it absolutely appeared to be a legitimate request. The “CEO” said he was unreachable at a client meeting and instructed the accountant to complete the transfer. At the time the email was sent, the CEO really was out of town in a client meeting. However, thanks to a keen eye, a small discrepancy came to light and the transfer was questioned.
I was unable to confirm the details of the group(s) who sent these specific fraudulent wire transfers, and we are not saying Ashley Madison data was in fact used for fraudulent wire activities. Rather, these are examples of how your institution could be hit at any time. And, despite your efforts to safeguard your customers’ passwords and IDs and to establish security procedures to prevent unauthorized access to accounts, your customers may be willingly giving their money to hackers – and using your wire departments as pawns in the game.
A breach such as Ashley Madison burns twice, and any bank with a wire department is at risk.
***
Three key pieces of information were publicly disclosed by hackers for each Ashley Madison account: email address, the amount spent on the service, and the customer’s physical address. But hackers have a fourth piece of critical information that was not disclosed publicly: password hashes. Using the password hashes, the hackers are able to determine a user’s password to the site. When you consider that the majority of people – one estimate puts it at 70 percent – re-use their passwords across sites, you realize that getting into their email and banking accounts becomes a relatively easy task.
With access to an email account, the hackers check the sent mail folder to see if the rightful owner ever transferred funds via an email request. They then forward an old wire request and ask for a new destination for the funds.
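A defender's view of the pattern described above, as an added example that is not part of the original article: a wire-desk pre-check that treats a correct sender address as no proof of identity and holds any emailed request naming a destination the customer has never used. The destination history, routing and account values, field names and decision labels are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed history: destinations (routing:account) each customer has wired to before.
KNOWN_DESTINATIONS = {
    "director@example.com": {"000000001:1111111111"},
    "ceo@example.com": {"000000002:2222222222"},
}
FORWARD_RE = re.compile(r"^\s*(fwd?|re)\s*:", re.IGNORECASE)
# Wording that discourages a call-back, as in the "CEO in a client meeting" case.
UNREACHABLE_RE = re.compile(
    r"\b(unreachable|in a (?:client )?meeting|cannot be reached|do not call)\b",
    re.IGNORECASE)

@dataclass
class WireRequest:
    sender: str
    subject: str
    body: str
    routing: str
    account: str

def review(req: WireRequest):
    """Return (decision, reasons) for a wire request received by e-mail."""
    reasons = []
    known = KNOWN_DESTINATIONS.get(req.sender.lower(), set())
    if f"{req.routing}:{req.account}" not in known:
        reasons.append("new_destination")
    if FORWARD_RE.match(req.subject):
        reasons.append("forwarded_or_reply_thread")
    if UNREACHABLE_RE.search(req.body):
        reasons.append("sender_claims_unreachable")
    # A correct address and mailbox login prove nothing once the password is
    # reused: a new destination always waits for a call to the number on file.
    if "new_destination" in reasons:
        return "HOLD_CALLBACK", reasons
    return ("REVIEW" if reasons else "PROCEED"), reasons

if __name__ == "__main__":
    # Constructed sample: an old request forwarded with a new destination.
    sample = WireRequest("director@example.com", "Fwd: Wire request",
                         "Same as last time, but please use the new account below.",
                         "000000009", "9999999999")
    print(review(sample))
```

The call-back in `HOLD_CALLBACK` goes to the phone number already on file for the customer, never to a number supplied in the email itself.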
***
Gonzo bankers should take three steps to prevent any further Ashley Madison burns:
***
What’s ahead? Cornerstone believes that there will be surges in activity as the fraudsters discover new ways of utilizing the gold mine of information obtained from Ashley Madison. After the current wire transfer surge, expect a few weeks (or even months) of silence.
But don’t get comfortable—this will be just a brief pause before the next wave of attacks. Look for things to pick up again around the holiday shopping season when people are taking vacation and the night shift is on watch at the helm. We may see a new mobile device virus spread by email to the address books of the current victims.
-TS