European Cybercriminal Gangs Target Middle America SMBs

 Better get your CFO to review UCC Article 4A and realign protocols with your business bank – The clear and present danger to our banking through malware hits at the heart of our economy: the SMB. Stealthy malware-based theft of funds start the clock ticking much quicker than most SMB owners realize and without action within 48 hours, the loss may be the SMB’s.

SMBs are defined as Small to Medium Sized Businesses. These range from Mom and Pop Shops up to 500 employees.

Forget one-off’s like credit card and debit card fraud, imagine all of your company’s payroll transferred out just a few days prior to payday due to malware and targeted spear phishing of a compromised employee’s Facebook account. A Banking Trojan like ZeuS and tactics recently described by FBI top Cybercops can make that come true.

Worst case – if your SMB’s financial team doesn’t catch Automated Clearing House, or ACH theft quickly, your bank may tell you that they’re not liable and you’re on the hook for the amount, overages, and may even tap your previously approved line of credit without your permission. Right now there are lawsuits between businesses and their banks breaking out virtually all over the country because of this.

Start the dialogue – NOW

We at the ThreatBlog will be increasing our coverage of legislature that makes a difference to you in the days and weeks to come. Krebs on Security has been doing a long series in the Washington Post on the impact of banking Trojans to mom-and-pop businesses, particularly regulation by the FDIC which according to one competitor’s recent survey, most Small to Medium Sized Business (SMB) are not aware of.

Brian Krebs has been tracking the issue for the past year and has developed specific sources and reported many case studies through his direct efforts to figure this gap in consumer knowledge of banking as well as ‘fair disclosure practices’ by the banks themselves. According to this Washington Post article written by Krebs in 2009:

• • Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges. [Note: FTC data on the consumer EFT Act is found here. – JET]
  • In contrast, companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.

What you can do TODAY:

1. Best practices that anyone can implement right now are available at no charge to you at Securing Our eCity. See 12 Tips for Reducing Your Attack Surface and Choosing Your Password to help your team beat the bad guys with very little time or cost.
2. Trial downloads of ESET NOD32 are available from ESET. Take this on, we’re the faster lighter solution that effectively works.
3. Educate your workplace on effective and responsible social network posting. Since you can’t realistically regulate someone’s freedom of speech, gaining your employees’ buy-in on self regulation of work related posting is critical in a counter-intelligence effort, which is what all SMBs in the US and globally are in whether they realize it or not. We’ll be posting more about this effective social networking education on Securing Our eCity in the blog section as well as discussing it here in the ThreatBlog. Until then, check out this and this for some quick background you can use to develop your own social network strategies.
4. Talk to your CFO or comptroller about how the UCC Article 4A and recent developments impact your payroll policy and procedure. Point them towards Krebs series on victims (summarized here on the Washington Post and here on his blog) in order to clarify the danger adequately.
5. Urge your decision making team to consider this issue an immediate action item to discuss.

Vision: Enhancing SMB Protection

If I were still back in my legal research and white collar crime investigative days I would be pressing my legal team to explore the culpability for banks under the new 2009 legislature to see whether a case precedent could be made requiring banks. If you’re a consumer victim, here’s where to file complaints about the EFT Act – Check out the dedicated FTC site dealing with consumer protections.

As far as I recall, the FTC does not deal directly with business banking. I’m sure someone will correct me in the comments if it does. IRAC’d out my stipulation for immediate and effective protection would be:

Incident

Banks currently do not display effective disclosure of business inherent risk of ACH and online banking. This can and should be clarified within the UCC through legislature concerning cybersecurity or banking regulation.

Rule of law

Part 1 – Business banking falls under UCC, not consumer based protection such as the EFT Act.

Part 2 – Consumers (business banking decision makers) have not been effectively warned of the differences which may not comply with Federal Trade Commission guidelines set for consumer.

Analysis

1. Millions of dollars and thousands of jobs nationwide are at risk due to this knowledge gap between traditional consumer account protection and actual business account protection.
2. Precedent setting case law is currently in front of judiciaries nationwide, however the businesses and livelihoods of thousands of citizens are currently at risk.
3. As such, immediate action is necessary in order to prevent the looting of our mom and pop businesses (SMB) which are the cornerstone of the nation’s economy.
4. Immediate Executive Branch attention may serve as an emergency measure until legislation can be brought to bear.
5. Judicial guidance would be assisted by Executive Branch action.

Conclusion

Consumer protection should also include business to business consumption of banking products as well as direct consumer protection. Setting the UCC business rule along the lines of the EFT Act in order to effectively protect SMB, which has been identified as the heart and soul of our economy. Additionally, further investigative and intelligence efforts should be undertaken to determine whether this effective cybercriminal initiative has been supported by foreign state action.

Where are our legislators on SMB protection?

Examine the following Senate 773 legislature first discussed in a recent post by Dan Clark and later in another post authored by me. Think of this as a longer term solution in reference to the key issue of the FDIC's hands-off approach to businesses victimized by banking trojan malware such as the ZeuS Banking Trojan. Specific language supporting regional cybersecurity centers includes a focus on SMBs.

Summary: Take action, your job’s on the line

Click here for a map of the incidents Krebs has been reporting on. Examine it. Think about doing something; the job you save by taking action today may be your own.

Securing Our eCity Contributing Writer