BreachExchange mailing list archives

How Your Business Can Be Hacked into Bankruptcy


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 15 Jan 2014 17:57:10 -0700

http://www.mainstreet.com/article/small-business/how-your-business-can-be-hacked-bankruptcy

Recent cyber heists of consumer credit information, while costly to banks
and retailers, are usually more inconvenience than catastrophe for
cardholders. With prompt notification to the issuer, consumers are
protected from significant losses from fraudulent transactions. However,
small businesses have little protection from seeing their livelihoods
fleeced by fraud.

Take the example of a California escrow firm. In late 2012, three bogus
international wire transfers exceeding $1.5 million drained the account of
Efficient Services Escrow in Huntington Beach. The wires, bound for Russia
and China without authorization from Efficient Services, crippled the
firm's cash flow. With only three days allowed by the state to recover the
stolen funds, and with the bank that processed the transfers denying
responsibility in the matter, the firm was shut down and the entire staff
of nine employees laid off.

Brian Krebs, the security industry journalist who first reported on the
Target data hack, says small businesses are most at risk when transacting
their bank business online.

"If a banking Trojan infection results in cyber thieves emptying the bank
accounts of a small business, that organization is essentially at the mercy
of their financial institution, which very often in these situations
disavows any responsibility for the breach, and may in fact stonewall the
victim company as a result," Krebs writes on his blog. "That can leave
victim organizations in a quandary: they can swallow their pride and chalk
it up to a learning experience, or opt to sue the bank to recover their
losses."

The FBI says most account takeover fraud schemes involve small-to-medium-sized
businesses with accounts at local community banks and credit unions.
Many of these financial institutions use third-party service providers for
online banking services, including wire transfers.

Unauthorized wire transfers tend to average $900,000 -- but have ranged
from $50,000 to $985,000. In 2011, the FBI reported about $20 million had
been bilked from small and medium-sized businesses through fraudulent wire
transfers.

A new twist to the wire scam involves telephone calls from individuals
claiming to be with a wire transfer company's technical support team.

"One complainant reported that the wire transfer company's name was
displayed on their caller ID," an FBI Internet Crime Complaint Center
report says. "The callers instructed the victims to go to a particular
website to run an application which allows the caller to remotely access
the victim's computer. Once remote access was established, the victims were
instructed to open their wire transfer program and log-in to their
accounts, so the callers could update the system."

Victims were then told to turn off their computer monitors in order to
"avoid interference with the update." Unauthorized wire transfers were then
processed.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
