Home > Alerts > Customer Awareness > Understanding Corporate Takeover

Understanding Corporate Takeover

There has been a shift in the online criminal world from primarily targeting of individuals to increased targeting of corporations. Financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid online banking credentials belonging to small and medium sized businesses. Eastern European organized crimes groups are believed to be predominantly responsible for the activities that are also employing witting and unwitting accomplices in the United States (money mules) to receive, cash and forward payments from thousands to millions of dollars to overseas locations via popular money and wire transfer services.

How it Works

Typically compromise of the customer is carried out via a "spear phishing" e-mail which directly names the recipient correctly and contains either an infected file or a link to an infectious Web site. The e-mail recipient is
generally a person within a company who can initiate funds transfers or payments on behalf of the business. Once the user opens the attachment, or clicks the link to open the Web site, malware is installed on the user's
computer which usually consists of a Trojan keystroke logger, which harvests the user's corporate online banking credentials. Many types of spear-phishing have been used by criminal groups including messages impersonating the Better Business Bureau, US Court System, Microsoft Update, and UPS to name a few.

The customer's online credentials are either uploaded to a website from where the fraudster can later download them, or, if the bank and customer are using two factor authentication system, the Trojan keystroke logger may detect this and immediately send an instant message to the fraudster alerting them of the secure web activity. The fraudster then accesses the financial institution through use of the captured username and password or through hijacking the secure web session.

The fraud is carried out when the fraudster creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as the legitimate user. These transfers have occurred through wire or ACH that are directed to the bank accounts of willing or unwitting individuals. Often within a couple days, or even hours of recruiting money mules and opening accounts, money is deposited and the mule is directed to immediately forward a portion of the money to subjects in Eastern Europe by various means.

How to Protect, Detect and Respond

It is recommended that businesses utilizing Online Banking for high risk transactions conduct a risk assessment of their individual risks and controls.