Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium sized businesses. In a typical scenario, the attack vector is a "spear phishing" e-mail which contains either an infected file or a link to an infectious Web site. The e-mail recipient is generally a person within a company who can initiate funds transfers on behalf of the business, or a credential account holder (treasury management platforms typically support both wires and Automated Clearing House (ACH) transfers). Once the user opens the attachment, or navigates to the Web site, malware is installed on the user's computer. The malware contains a key logger, which harvests the user’s corporate online banking credentials. Shortly thereafter, the subject either creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as a legitimate user. These transfers have occurred through both the wire system and the ACH Network; however, this bulletin specifically addresses incidents that have occurred through the ACH Network. In one case, the subjects used a Distributed Denial of Service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out. These ACH transfers ranged from thousands to millions of dollars.
Below is an example of a landing page where receivers of "spear phishing" e-mails were taken after clicking the embedded link within the e-mail. Spear phishing is a phishing attack that targets select groups of people with something in common-they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The emails are ostensibly sent from organizations or individuals the potential victims would normally get emails from, making them even more deceptive.