Since client companies access XXX sites...

...banks must monitor transfers to China. This is the conclusion one might draw from reading the notice published by major American authorities. The DHS also warns that fraud against small and medium-sized businesses, carried out by capturing Internet access credentials, is on the rise. The technique generally used appears to be phishing. Three viruses are also to blame: Zeus, Backdoor.bot, Spybot.
The attached excerpt from a notice by the FBI, FS-ISAC and IC3 lists the destinations of the funds stolen from unsuspecting customers. The suggestion is therefore to add transfers to those Chinese destinations to the checks already performed by the monitoring system, so that customers are asked to verify that the instruction is correct before it is executed. This suggestion, besides being a considerable additional cost for banks, takes for granted that employees of client companies cannot help falling victim to phishing! Or, as happens in many cases, that they cannot resist visiting porn (XXX) sites from the office computer (and catching the virus that way!)! It is therefore surprising that this suggestion comes from undisputed authorities such as the FBI. Client companies should instead be warned about these risks, which have cost enormous sums in the USA and could soon materialize in Italy as well. Banks must therefore advise them, small companies especially, to strengthen their internal controls and to adequately protect the computers from which wire-transfer instructions are issued. Of course, we are available to assist in drafting these recommendations.
We reproduce an excerpt of the advisory.

(...) The FBI has identified multiple companies that were used for more than one unauthorized wire transfer. However, in these cases the transfers were a few days apart and never used again. Generally, the malicious actors use different companies to receive the transfers. The companies used for this fraud include the name of a Chinese port city in their official name. These cities include: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The official name of the companies also includes the words "economic and trade," "trade," and "LTD." The economic and trade companies appear to be registered as legitimate businesses and typically hold bank accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China. At this time, it is unknown who is behind these unauthorized transfers, if the Chinese accounts were the final transfer destination or if the funds were transferred elsewhere, or why the legitimate companies received the unauthorized funds. Money transfers to companies that contain these described characteristics should be closely scrutinized.

Unauthorized Wire Transfers

The unauthorized wire transfers range from $50,000 to $985,000. In most cases, they tend to be above $900,000, but the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000. When the transfers went through successfully, the money was immediately withdrawn from or transferred out of the recipients’ accounts. In addition to the large wire transfers, the malicious actors also sent domestic ACH and wire transfers to money mules in the United States within minutes of conducting the overseas transfers. The domestic wire transfers range from $200 to $200,000. The intended recipients are money mules, individuals who the victim company has done business with in the past, and in one instance, a utility company located in another U.S. state. The additional ACH transfers initiated using compromised accounts range from $222,500 to $1,275,000.

Malware

The type of malware has not been determined in every case but some of the cases involve ZeuS, Backdoor.bot, and Spybot. In addition, one victim reported that the hard drive of the compromised computer that was infected was erased remotely before the IT department could investigate.

ZeuS — malware that has the capability to steal multifactor authentication tokens, allowing the criminal(s) to log in to victims’ bank accounts with the user name, password, and token ID. This can occur during a legitimate user log-in session.

Backdoor.bot — malware that has worm, downloader, keylogger, and spy ability. The malware allows for the criminal(s) to access the infected computer remotely and further infect computers by downloading additional threats from a remote server.

Spybot — an IRC backdoor Trojan which runs in the background as a service process and allows unauthorized remote access to the victim computer.

Recommendation to Financial Institutions

Banks should notify their business customers of any suspicious wire activity going to the following Chinese cities: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. Wire activity destined for the Chinese cities of Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning should be heavily scrutinized, especially for clients that have no prior transaction history with companies in the Heilongjiang province.
(Extracted from an advisory published today, which states: "This product was created as part of a joint effort between the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3).")
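The screening the advisory recommends can be expressed as a pre-execution rule in a bank's monitoring system. The sketch below is an added example, not part of the advisory or of any bank's system: the record layout, the `release`/`review`/`hold` actions and the client-history set are assumptions, and the sample wires are constructed.

```python
import re
from dataclasses import dataclass

# Cities, name keywords and banks exactly as listed in the advisory excerpt.
CITIES = ("Raohe", "Fuyuan", "Jixi City", "Xunke", "Tongjiang", "Dongning")
KEYWORDS = ("economic and trade", "trade", "LTD")
BANKS = ("Agricultural Bank of China",
         "Industrial and Commercial Bank of China", "Bank of China")

@dataclass
class Wire:                      # hypothetical record layout (assumption)
    client_id: str
    beneficiary_name: str
    beneficiary_bank: str
    beneficiary_city: str

def _norm(text):
    """Lower-case and collapse punctuation so 'Co.,LTD' and 'co ltd' compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def _has(phrase, text):
    """Whole-word match, so 'Fuyuan' does not hit 'Fuyuantech'."""
    return re.search(rf"\b{re.escape(_norm(phrase))}\b", text) is not None

def screen(wire, clients_with_history):
    """Return (action, reasons); action is 'release', 'review' or 'hold'."""
    name, city = _norm(wire.beneficiary_name), _norm(wire.beneficiary_city)
    if not any(_has(c, name) or _has(c, city) for c in CITIES):
        # "trade" or "LTD" alone is far too common to act on.
        return "release", []
    reasons = ["city"]
    if any(_has(k, name) for k in KEYWORDS):
        reasons.append("name-keyword")
    if any(_has(b, _norm(wire.beneficiary_bank)) for b in BANKS):
        reasons.append("bank")
    if wire.client_id not in clients_with_history:
        # No prior Heilongjiang counterparties: confirm with the client first.
        reasons.append("no-history")
        return "hold", reasons
    return "review", reasons

# Constructed sample wires, not real transactions or companies.
SAMPLES = [
    Wire("C1", "Tongjiang Example Economic and Trade Co., LTD",
         "Agricultural Bank of China", "Tongjiang"),
    Wire("C2", "Example Jixi City Trade LTD", "Bank of China", "Jixi"),
    Wire("C3", "Fuyuantech Sample GmbH", "Example Bank", "Berlin"),
]
RESULTS = [screen(w, clients_with_history={"C2"}) for w in SAMPLES]
```

A `hold` corresponds to the step discussed above: the client confirms the instruction before the bank executes it.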


