FBI Warns Businesses About Rampant ACH Fraud
The FBI published a press release on November 3 warning businesses to watch for suspicious bank account activity, due to a scam that has been gaining a lot of steam recently. This scam was also featured at the Oklahoma InfraGard Quarterly Meeting in October, which I attended; the meeting's topic was information security.
To summarize, the scam involves a few relatively simple elements, but according to FBI personnel back in October, what makes it a potent attack is its coordination and organization. The attackers begin by compromising the login credentials for a business's online bank account. That turns out to be fairly easy. It usually involves a virus, trojan or keylogger installed on a victim business's PC through simple social engineering or similar methods: an employee is convinced to click a link to a malicious website or to open an infected attachment. It was also noted that the attack can get past two-factor authentication in some cases, since malware running on the victim's PC can act inside a session the legitimate user has already authenticated.
Once the attackers have access to the bank account online, they do not simply drain it. That would be obvious and would set off plenty of red flags.
Instead, the attackers wait.
They recruit a network of "work-at-home" accomplices. Most of these individuals are completely unaware that they are serving as money mules for fraud. They have answered "work-at-home" ads online, or have posted their resumes on sites like Monster, and believe they are just handling some funds-transfer "busy work." It often does not take a very detailed story to convince the work-at-home victim-accomplices that there is a good reason for them to offer their bank accounts as conduits.
Once the network of work-at-homers is coordinated and in place, the attackers initiate a flood of relatively small ACH transactions out of the compromised business account and into all of the mules' bank accounts. Because each transaction is about the size of a regular payroll deposit, rather than a $50,000-at-a-time burst, it is much less likely to set off any red flags. (Derek Jeter's payroll transactions wouldn't work here.) What's more, the funds have been dispersed into many bank accounts, which makes recovery even more difficult.
Next, the work-at-homers follow their instructions: they transfer the funds overseas using Western Union, MoneyGram and the like, and keep a cut for themselves.
The money is gone, and very difficult to recover.
Read the FBI press release here, and a more detailed description of the scheme here. Thanks to bMighty’s Keith Ferrell for a recent article about it.
Besides patching their systems, and the usual warnings about untrusted attachments, virus protection, and so on, businesses must keep a very close watch on their bank account activity, and that means daily, not when the monthly statement arrives: commercial accounts do not get the consumer protections of Regulation E, and once the mules have wired the money abroad it is generally gone. Even close monitoring may not help much.
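The pattern described above (many payroll-sized ACH credits, all landing on the same day, all to accounts the business has never paid before) is something a business can watch for in its own transaction export. The following is an added example, not part of the original post or the FBI release, using constructed sample records rather than real bank data; the field names, the 0.5x to 2x payroll band and the threshold of five new payees per day are assumptions chosen for illustration.

```python
"""Flag ACH batches that fit the money-mule pattern: a burst of payroll-sized
credits to payee accounts that have never been paid before."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median


@dataclass(frozen=True)
class AchEntry:
    posted: datetime
    payee_account: str  # routing + account number; mask or hash it in real logs
    payee_name: str
    amount: float


@dataclass(frozen=True)
class Finding:
    day: date
    new_payees: tuple  # accounts never paid before that got payroll-sized credits
    total: float       # dollars sent to those accounts on that day


def _entry(ts, acct, name, amt):
    return AchEntry(datetime.fromisoformat(ts), acct, name, amt)


# Constructed sample data (not real bank records): one normal payroll run to
# five known employees, used as the baseline for "known payee" and "normal size".
HISTORY = [
    _entry("2009-10-15T09:02:00", "E001", "Ann Lee", 1840.22),
    _entry("2009-10-15T09:02:00", "E002", "Bob Ray", 2210.50),
    _entry("2009-10-15T09:02:00", "E003", "Cy Dunn", 1975.00),
    _entry("2009-10-15T09:02:00", "E004", "Dee Fox", 2050.75),
    _entry("2009-10-15T09:02:00", "E005", "Ed Gomez", 1640.30),
]

# Constructed sample data: a legitimate new hire on Nov 1, then a burst of six
# payroll-sized credits to never-seen accounts on Nov 2, mixed with a known
# employee and a small vendor payment that should not count.
RECENT = [
    _entry("2009-11-01T09:00:00", "E001", "Ann Lee", 1840.22),
    _entry("2009-11-01T09:00:00", "E006", "Fay Hale", 1900.00),
    _entry("2009-11-02T07:41:00", "M101", "J. Smith", 2350.00),
    _entry("2009-11-02T07:41:00", "M102", "K. Jones", 1985.40),
    _entry("2009-11-02T07:42:00", "M103", "L. Brown", 2410.00),
    _entry("2009-11-02T07:42:00", "M104", "M. Davis", 1870.00),
    _entry("2009-11-02T07:43:00", "M105", "N. Wilson", 2200.00),
    _entry("2009-11-02T07:43:00", "M106", "O. Moore", 2090.00),
    _entry("2009-11-02T09:00:00", "E002", "Bob Ray", 2210.50),
    _entry("2009-11-02T10:15:00", "V200", "Office Supply Co", 150.00),
]


def payroll_band(history, low=0.5, high=2.0):
    """Amount range that looks like a normal payroll credit: a multiple of the
    historical median, so a $50,000 transfer stands out but $2,000 does not."""
    m = median(e.amount for e in history)
    return m * low, m * high


def find_mule_batches(recent, history, min_new_payees=5, band=(0.5, 2.0)):
    """Return one Finding per day on which at least `min_new_payees` accounts
    that were never paid before each receive a payroll-sized ACH credit.

    A single new payee on a day is ordinary (a new hire); many of them on the
    same day, all sized like paychecks, is the pattern the FBI described.
    """
    known = {e.payee_account for e in history}
    low, high = payroll_band(history, *band)
    by_day = defaultdict(list)
    for e in recent:
        if e.payee_account not in known and low <= e.amount <= high:
            by_day[e.posted.date()].append(e)
    findings = []
    for day in sorted(by_day):
        hits = by_day[day]
        accts = tuple(sorted({e.payee_account for e in hits}))
        if len(accts) >= min_new_payees:
            findings.append(Finding(day, accts, round(sum(e.amount for e in hits), 2)))
    return findings


if __name__ == "__main__":
    for f in find_mule_batches(RECENT, HISTORY):
        print(f"{f.day}: {len(f.new_payees)} never-seen payees received "
              f"${f.total:,.2f} in payroll-sized ACH credits: {', '.join(f.new_payees)}")
```

Run against the constructed data, only November 2 is flagged: six never-seen accounts received $12,905.40 in paycheck-sized credits within a few minutes, while the new hire on November 1 and the $150 vendor payment stay under the threshold. The check is deliberately simple so it can run over a daily CSV export; a real deployment would also key on the originating user and session, since the fraudulent batch is submitted with a legitimate employee's credentials.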