Dozens of Israeli businessmen and women have recently been
the victims of online fraud, with tens or even hundreds of thousands of dollars
stolen from their bank accounts, Israeli information-security experts say.
In recent months, there has been a sharp rise in complaints
by businessmen about online fraud. All involve a similar modus operandi: The
hacker breaks into the businessman’s Gmail account, searches for correspondence
with accountants regarding transfers from overseas bank accounts, and then uses
authorization procedures gleaned from this correspondence to transfer funds
from these accounts to bank accounts in Switzerland, Dubai, Russia or the
Cayman Islands.
The hacking wave was revealed in a blog post on an
information security forum by Tal Mozes, the head of Hacktics, an
information-security consultancy that is part of the Ernst & Young Israel
group. A similar hacking scam targeted one of Israel’s leading businessmen a
year or so ago, robbing him of millions of dollars.
The current spate has so far only targeted businessmen who hold
accounts at overseas banks and who have authorized their accounting firms to
make transfers from those accounts.
The hackers analyze the businessmen’s email correspondence
with both their accountants and the banks, then use this information to send
their own fund transfer requests to the banks in a way that replicates the
usual authorization process - they email the accountants from the hacked Gmail
account to ask them to fill out a transfer request, and that request is then
sent on to the bank. The reply from the accountants is diverted to a separate
email account owned by the hackers, and all evidence of the correspondence is
erased from the Gmail account.
The amount of each fund transfer is calibrated to match
a typical sum transferred by that businessman, so it won’t raise any red
flags or trigger any additional authorization procedures. The funds appear
to be transferred first to the bank accounts of intermediaries who
aren’t directly connected to the hackers.
Several sources said the hacked email accounts appeared on
lists of hacked accounts that were published on the Internet.
One of the victims was an Israeli woman who had about
$100,000 stolen from her Swiss bank account. Another was a high-tech executive
who had tens of thousands of dollars removed from his accounts.
Hacktics has been studying the modus operandi of these
frauds in recent months. Some of the victims have looked into suing the banks,
but it seems the banks can’t be held liable for this particular type of fraud.
“There’s a problem today with protecting the end user,” said
Dr. Nimrod Kozlovski, an information-security expert who's a partner at the JVP
venture capital fund. “We don’t currently have enough indicators about cases in
which somebody misused our account or accessed our account in an unusual
manner.”
Companies like Google do warn users if someone tried to
enter their account from an unusual IP address, but Kozlovski said such
warnings are sent very rarely. “The companies are very careful not to send too
many warnings,” he explained. “If they sent a warning about every unusual case,
we’d be flooded with warnings every day, and they would become useless.”
Google also gives users various tools with which to try to
ensure that nobody else is using their account. At the bottom of every Gmail
screen is a place where users can check the IP address from which the account
has been accessed, under the header “Last account activity.” In addition,
Google offers a service called 2-step verification, under which a one-time
password sent to the user’s cellphone by SMS is needed to access their Gmail
account.
The free application Google Authenticator enables users to
receive the passwords even in places with no cellphone reception.
But Kozlovski noted that the hackers could have entered a
victim’s Gmail account from his or her own computer, in which case there would
be no sign of a strange IP address. “There are currently no suitable tools for
investigating and neutralizing unusual modes of behavior within personal
accounts on user services, so there’s plenty of room for suspicion with regard
to services like Gmail, Facebook and Dropbox,” he said.