The FBI is warning businesses about an ongoing spate of attacks that are stealing millions of dollars from companies through unauthorized bank transfers to Chinese companies. The fraudulent wire transfers are not a new tactic, but the FBI says the current round of attacks is notable in that virtually all of the transfers are going to shell companies based in China and have cost U.S. businesses $11 million.

The FBI on Tuesday issued a detailed warning–an unusual step for the bureau–about the specific type of wire-transfer scam that it’s been seeing for a little more than a year now. The way that the scheme works is pretty simple. An attacker somehow compromises a PC belonging to a user at a given company who has access to the company’s online banking account. The attack often is a drive-by download or a spear-phishing email.

Once the computer is compromised, the attacker installs some malware that harvests the user’s online banking credentials, and then waits for the user to attempt to log in to the bank’s site. During the login attempt, the attacker redirects the user to a fake site informing him that the bank’s site is offline or unavailable. The attacker then logs in to the victim’s bank account and sets up a transfer to a holding company that the attacker controls in China.

The FBI said that many of the cases it has seen involve well-known pieces of malware, such as Zeus, Spybot and others. The amount of money the attackers try to transfer varies from $50,000 up to nearly $1 million.

“The FBI has identified multiple companies that were used for more than one unauthorized wire transfer. However, in these cases the transfers were a few days apart and never used again. Generally, the malicious actors use different companies to receive the transfers. The companies used for this fraud include the name of a Chinese port city in their official name. These cities include: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The official name of the companies also include the words ‘economic and trade,’ ‘trade,’ and ‘LTD.’” the FBI said in its warning.

“The economic and trade companies appear to be registered as legitimate businesses and typically hold bank accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China. At this time, it is unknown who is behind these unauthorized transfers, if the Chinese accounts were the final transfer destination or if the funds were transferred elsewhere, or why the legitimate companies received the unauthorized funds. Money transfers to companies that contain these described characteristics should be closely scrutinized.”

The FBI said that it has been tracking this specific string of attacks since March 2010 and that it has seen attempts to steal more than $20 million, although the actual losses suffered by victims are about $11 million.
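
The characteristics in the FBI warning can be turned into a screening rule for outbound wires before release. The sketch below is an added example, not code from the FBI or from this article; the record fields, the hold policy and the sample company names are assumptions, and "Jixi City" is matched on "jixi" so that names omitting "City" still hit.

```python
import re
import unicodedata

# Characteristics quoted from the FBI warning above.
PORT_CITIES = ("raohe", "fuyuan", "jixi", "xunke", "tongjiang", "dongning")
NAME_TERMS = ("economic and trade", "trade", "ltd")
# Longest names first so "Bank of China" does not shadow the other two.
BANKS = ("industrial and commercial bank of china",
         "agricultural bank of china", "bank of china")

def normalize(text):
    """Lower-case, drop accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())

def has_phrase(haystack, phrase):
    """Whole-word match, so 'trade' does not hit 'tradewinds'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", haystack) is not None

def screen_wire(wire):
    """Return (hold, reasons) for one outbound wire record (hypothetical schema)."""
    name = normalize(wire["beneficiary_name"])
    bank = normalize(wire["beneficiary_bank"])
    reasons = []
    city = next((c for c in PORT_CITIES if has_phrase(name, c)), None)
    terms = [t for t in NAME_TERMS if has_phrase(name, t)]
    if city:
        reasons.append(f"name contains port city '{city}'")
    if terms:
        reasons.append("name contains " + ", ".join(repr(t) for t in terms))
    hit_bank = next((b for b in BANKS if has_phrase(bank, b)), None)
    if hit_bank:
        reasons.append(f"beneficiary bank is '{hit_bank}'")
    # Assumed policy: a city plus a naming term is enough to hold for manual
    # review; the bank alone is context, since it serves many legitimate payees.
    return bool(city and terms), reasons

# Constructed sample wires; the company names are invented for illustration.
SAMPLE_WIRES = [
    {"beneficiary_name": "Dongning Example Economic and Trade Co., LTD",
     "beneficiary_bank": "Agricultural Bank of China", "amount_usd": 250000},
    {"beneficiary_name": "FUYUAN-EXAMPLE TRADE, Ltd.",
     "beneficiary_bank": "Bank of China", "amount_usd": 50000},
    {"beneficiary_name": "Tradewinds Example Logistics Ltd",
     "beneficiary_bank": "Bank of China", "amount_usd": 75000},
]

if __name__ == "__main__":
    for w in SAMPLE_WIRES:
        hold, why = screen_wire(w)
        print("HOLD" if hold else "pass", w["beneficiary_name"], why)
```

A held wire is a candidate for out-of-band confirmation with the account holder, not proof of fraud; the rule only encodes the naming pattern the warning describes.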
