An earlier report carried on InformationWeek highlighted how malware and mobile threats are expected to be key attack vectors against SMBs this year. While the original article was written in January, various developments since have only served to strengthen the argument.
Michael Kaiser, executive director of the National Cyber Security Alliance, delivered somber news this week on the malware front:
We've seen many cases now where by stealing the banking credentials of a small business, the cybercrooks have gone in and drained their bank account of $300,000 or $400,000 in one fell swoop.
Kaiser made this remark in reaction to a survey by Visa and the National Cyber Security Alliance that revealed that small business owners believe they are less of a target compared to enterprises.
In a specific case reported by InfoSecurity Magazine, a Kansas car dealership lost $63,000 to the infamous Zeus Trojan, which compromised the Windows PC of the financial controller. Following an initial "recon" in which transaction history and account balances were accessed, fake payrolls were generated and money was siphoned out in a lightning blitz the very next day. Confirmation e-mails from the bank were also suppressed by the unknown hackers, courtesy of their control over the commandeered workstation.
Security researcher Brian Krebs was critical of how transactions in the Kansas case relied on a workstation staying infection-free, and placed the onus on the bank to have a more robust set of security measures. Krebs observed that mechanisms that rely on an uninfected system are "trivially vulnerable to compromise" when faced with newer, stealthier banking Trojans.
New Mobile Threats
Yet even as banks and businesses are still grappling with the implementation of more robust measures, some cyber criminals are already moving ahead and targeting two-factor authentication. The ZeuS Mitmo malware, recently spotted in Poland, underscores their increasing sophistication: it injects fraudulent fields into a Web page to quiz users on the model of their mobile phone and their mobile number. A text message is then sent with a link to customized malware for Symbian or BlackBerry smartphones.
An infected smartphone in this instance essentially allows the hackers to circumvent even two-factor security. As reported on SC Magazine:
This application monitors all incoming SMS messages and sends them to the number operator' of Zeus. The owner of the phone cannot even notice that he got a new message.
In a nutshell, SMBs need to distance themselves from the fallacious thinking that they are too small or insignificant for "big time" hackers. Given the multiple reported instances in which SMBs have been divested of their money via fraudulent electronic transfers, it is clear that the reverse is true and SMBs are really the new targets of cyber criminals.
The appearance of Trojans on mobile platforms to defeat two-factor authentication is also a sign that cyber criminals are continually adopting new and advanced techniques. Given the sophistication of the opposition, an SMB that takes a back seat on its computer security is like the proverbial child who plays with fire. Kaiser summed up the bottom line when he said: "The greatest threat to a company's cyber security is complacency."