October 04, 2010, 10:18 AM — The indictments unveiled last week against dozens of people who allegedly helped loot millions of dollars from U.S. businesses via online corporate account takeovers highlights the struggle by financial firms to fight fraud.
Over the past two years, corporate account takeovers by cybercriminals have cost U.S. businesses more than $100 million, according to FBI estimates.
In most cases, the thefts have been perpetrated by gangs in Eastern Europe who used the Zeus banking Trojan to break into computers belonging mainly to small businesses and small municipalities in the U.S. The malware has been used to steal online banking credentials and access corporate accounts so the thieves could transfer money into fraudulent accounts set up by hundreds of U.S.-based accomplices, often called "money mules."
Most of the illegal transfers were unauthorized Automated Clearing House (ACH) transactions from the victim's account to the money mule.
The U.S Attorney's Office in New York City said Thursday it had indicted 37 such money mules for helping crooks based in Russia and several East European countries siphon off more than $3 million in stolen funds. In a joint announcement, Manhattan's District Attorney Cyrus Vance announced indictments against another 36 people for their participation in a similar operation.
The charges in the U.S. followed similar arrests in the UK, where authorities on Tuesday charged 11 Eastern European citizens in connection with the same scam.
The arrests mark a small, but significant, victory for law enforcement officials and financial industry representatives, analysts said. But they do little to ameliorate the urgent need for better protection against future scams.
"It is tremendous news," said Dennis Simmons, president and CEO of SWACHA, a Texas-based financial trade association that counts many financial institutions as its members. SWACHA is also part of a new Corporate Account Takeover Working Group that was established by the Financial Services Information Sharing and Analysis Center (FS-ISAC) earlier this year.
"One of the frustrations we have had with these account takeovers is the lack of jurisdiction" U.S. authorities face when pursuing the East European criminal gangs behind the thefts, he said. But going after the money mules will send a strong signal and should deter some illegal activity. Even so, "it's like that old joke: 'What would you say you have when you round up three hackers? A start,'" he said.