Dozens of Israeli businessmen and women have recently been the victims of online fraud, with tens or even hundreds of thousands of dollars stolen from their bank accounts, Israeli information-security experts say.
In recent months, there has been a sharp rise in complaints by businessmen about online fraud. All involve a similar modus operandi: The hacker breaks into the businessman’s Gmail account, searches for correspondence with accountants regarding transfers from overseas bank accounts, and then uses authorization procedures gleaned from this correspondence to transfer funds from these accounts to bank accounts in Switzerland, Dubai, Russia or the Cayman Islands.
The hacking wave was revealed in a blog post on an information security forum by Tal Mozes, the head of Hacktics, an information-security consultancy that is part of the Ernst & Young Israel group. A similar hacking scam targeted one of Israel’s leading businessmen a year or so ago, robbing him of millions of dollars.
The current spate has so far targeted only businessmen who hold accounts at overseas banks and who have authorized their accounting firms to make transfers from these accounts.
The hackers analyze the businessmen’s email correspondence with both their accountants and the banks, then use this information to send their own fund transfer requests to the banks in a way that replicates the usual authorization process. They email the accountants from the hacked Gmail account to ask them to fill out a transfer request, and that request is then sent on to the bank. The reply from the accountants is diverted to a separate email account owned by the hackers, and all evidence of the correspondence is erased from the Gmail account.
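One check an account owner or investigator can run against the diversion-and-erasure step described above, as an added example that is not from the article or from Hacktics: it reads the filter list Gmail exports (the mailFilters.xml Atom feed, whose property names such as forwardTo and shouldTrash are assumed from Google's filter export format) and flags rules that forward to an address outside the owner's trusted domains or that automatically delete or hide matching mail. The sample feed, addresses and domains are constructed.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export: two benign rules and one that matches the fraud pattern
# (replies from the accountant about transfers are forwarded out and then trashed).
SAMPLE_XML = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><apps:property name='from' value='newsletter@example.org'/>
         <apps:property name='shouldArchive' value='true'/></entry>
  <entry><apps:property name='from' value='accounts@firm.example'/>
         <apps:property name='label' value='Accountant'/></entry>
  <entry><apps:property name='from' value='accounts@firm.example'/>
         <apps:property name='hasTheWord' value='transfer'/>
         <apps:property name='forwardTo' value='mailbox@unrelated.example'/>
         <apps:property name='shouldTrash' value='true'/></entry>
</feed>"""

def _props(entry):
    """Collapse an <entry>'s apps:property elements into a name -> value dict."""
    return {p.get("name"): p.get("value") for p in entry.findall(f"{APPS}property")}

def audit_filters(xml_text, trusted_domains):
    """Return a finding for each rule that forwards outside trusted_domains or that
    auto-deletes / hides matching mail; both together is rated high."""
    findings = []
    root = ET.fromstring(xml_text)
    for idx, entry in enumerate(root.findall(f"{ATOM}entry"), start=1):
        props, reasons = _props(entry), []
        target = props.get("forwardTo")
        if target and target.rsplit("@", 1)[-1].lower() not in trusted_domains:
            reasons.append(f"forwards to external address {target}")
        if props.get("shouldTrash") == "true":
            reasons.append("auto-deletes matching mail")
        elif props.get("shouldArchive") == "true" and props.get("shouldMarkAsRead") == "true":
            reasons.append("hides matching mail (archive + mark read)")
        if reasons:
            criteria = {k: v for k, v in props.items()
                        if k in ("from", "to", "subject", "hasTheWord")}
            findings.append({"rule": idx, "criteria": criteria, "reasons": reasons,
                             "severity": "high" if len(reasons) > 1 else "medium"})
    return findings

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_XML, {"firm.example"}):
        print(finding)
```

A rule that hides replies but forwards nowhere still matters, since the attacker may be reading the mailbox directly, so the check reports it at medium severity rather than ignoring it.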
The amount of each fund transfer is calibrated to correspond to a typical sum transferred by that businessman, so it won’t raise any red flags or necessitate any additional authorization procedures. The funds are seemingly initially transferred to the bank accounts of intermediaries who aren’t directly connected to the hackers.
Several sources said the hacked email accounts appeared on lists of hacked accounts that were published on the Internet.
One of the victims was an Israeli woman who had about $100,000 stolen from her Swiss bank account. Another was a high-tech executive who had tens of thousands of dollars removed from his accounts.
Hacktics has been studying the modus operandi of these frauds in recent months. Some of the victims have looked into suing the banks, but it seems the banks can’t be held liable for this particular type of fraud.
“There’s a problem today with protecting the end user,” said Dr. Nimrod Kozlovski, an information-security expert who's a partner at the JVP venture capital fund. “We don’t currently have enough indicators about cases in which somebody misused our account or accessed our account in an unusual manner.”
Companies like Google do warn users if someone tried to enter their account from an unusual IP address, but Kozlovski said such warnings are sent very rarely. “The companies are very careful not to send too many warnings,” he explained. “If they sent a warning about every unusual case, we’d be flooded with warnings every day, and they would become useless.”
Google also gives users various tools with which to try to ensure that nobody else is using their account. At the bottom of every Gmail screen is a place where users can check the IP address from which the account has been accessed, under the header “Last account activity.” In addition, Google offers a service called 2-step verification, under which a one-time password sent to the user’s cellphone by SMS is needed to access their Gmail account.
The free application Google Authenticator enables users to receive the passwords even in places with no cellphone reception.
But Kozlovski noted that the hackers could have entered a victim’s Gmail account from his or her own computer, in which case there would be no sign of a strange IP address. “There are currently no suitable tools for investigating and neutralizing unusual modes of behavior within personal accounts on user services, so there’s plenty of room for suspicion with regard to services like Gmail, Facebook and Dropbox,” he said.