Excerpt from the SAR Activity Review
Computer Intrusion Violations within
Depository Institutions
In a world of ever-evolving technology, computer intrusion is an important
topic for individuals and especially businesses such as financial institutions
that manage and harbor a great deal of personal information. For the
purpose of this study, computer intrusion is defined using instruction #2
from the “When to Make a Report” section on the Suspicious Activity Report
instruction sheet(s):
Computer Intrusion is defined as “gaining access to a computer system of a
financial institution to:
a. Remove, steal, procure, or otherwise affect funds of the institution or the
institution’s customers;
b. Remove, steal, procure or otherwise affect critical information of the institution
including customer account information; or
c. Damage, disable or otherwise affect critical systems of the institution.”
Our goal in examining filings reporting “Computer Intrusion” was to provide
a baseline of activity observed within the population of depository
institutions’ Suspicious Activity Reports. The examination established a
general profile of activities identified in sampled narratives as well as
meaningful associations between violating activity and other frauds.
Background
The timeframe for this study was from June 19, 2000 through June 30, 2005;
June 19, 2000 was the date “Computer Intrusion” appeared as a type of violation
on the Suspicious Activity Report form used by depository
institutions (TD F 90-22.47). The cumulative yield of all queries for this
period was 10,155 Suspicious Activity Reports.
For this study, the targeted population was limited to depository institutions
reporting computer intrusion. Only filings submitted by depository
institutions using the Suspicious Activity Report form (TD F 90-22.47)
effective June 19, 2000 and thereafter were considered. It is important to
note that The SAR Activity Review - By the Numbers, Issue 2
(June 2001) indicated that suspicious activity reporting of computer intrusions was more
than 7,000, but this figure included filings by both depository institutions
and money services businesses during that examination period. While it
might appear that reports of computer intrusion declined rapidly from 2003
through the first half of 2005, this would be an incorrect characterization.
During the period, money services businesses became subject to a separate
suspicious activity reporting requirement (effective January 1, 2002).
Because there was no reporting form specifically designed to capture money
services business data on the effective date, money services businesses filed
reports on form TD F 90-22.47. Use of the Suspicious Activity Report by
Money Services Business form (TD F 90-22.56) began in October 2002 and
mandatory reporting began in February 2003, with a six-month grace period.
All suspicious activity reported by money services businesses subsequent to
August 2003 was filed on the Suspicious Activity Report by Money Services
Business form. From January 2002 through August 2003, money services
businesses could and did use form TD F 90-22.47 (now almost exclusively
used by depository institutions) to report suspicious activity. Therefore, the
number of suspicious activity reports citing computer intrusion as a violation
filed by depository institutions during this period seems “inflated.”
Another concern regarding data in the population is that filing institutions
tended to overuse the “Other” category when characterizing a violation;
therefore, the “Other” category was not included. However, filers have the
ability to use the “Other” category and notate a suspected activity; those
responses were reviewed for activity relating to computer intrusion.
Analysis
Between June 2000 and June 2005, 3,726 Suspicious Activity Reports
identifying computer intrusion were filed. Almost 70% (1,861) of those filings
occurred in 2003 and 2004. The last eight quarters show an unsteady pace in
2003 followed by an extraordinary increase (up 272% from the first quarter of
2004) in the filing rate for the second quarter of 2004. The filing rate slowed
during the first half of 2005 but growth is still the prevailing trend.
In summary, accelerated growth in computer intrusion filings could be seen
clearly in August 2004 when the volume of Suspicious Activity Reports filed
reached 1,417. The 2004 volume exceeded cumulative total filings for all
previous years (1,251), and the filing volume increased more than 200% from
the first quarter of 2004 to the second quarter of 2004; however, in 2005 the
volume declined slightly, with only 521 filings in the first half of the year.
Suspicious Activity – Frequency of Occurrence
There were significant fluctuations between filings relating to computer
intrusion in 2000 and the first quarter of 2001. A possible explanation is
that this period marked the beginning of the filing requirement and therefore
represents an institutional learning curve as filers became familiar with the
filing requirements. Consistent with this learning curve theory, some
computer intrusion filings in the first quarter of 2001 may more properly have
belonged under “Defalcation/embezzlement” or “Misuse of Position or
Self-Dealing.” The first quarter of 2001 seemed to reflect a misapplication of
the “Computer Intrusion” violation to describe the use of the bank
computing function to embezzle funds or to self-deal by altering accounting
functions in personal employee accounts. This learning curve persisted until
the first quarter of 2002, after which time the filing volume decreased.
The volume of Suspicious Activity Reports identifying “Computer Intrusion”
remained light in the second quarter of 2002. However, overall, there was a
shift in other types of suspicious activity reported, specifically, the “Misuse of
Position or Self-Dealing” violation, which exceeded the “Check Fraud”
violation during this period. In prior quarters, the “Misuse of Position or
Self-Dealing” was not reported as frequently. Further review identified at
least one institution that reported the fraudulent negotiation of unsolicited
loan checks using this category. Even though this activity did not meet the
definition of computer intrusion, this institution continued to report
fraudulent check negotiations as instances of computer intrusion well into
2003. Financial institutions returned to the previous mode of reporting
“Misuse of Position or Self-Dealing” in the third quarter of 2002 and that
mode of reporting continued through the second quarter of 2005.
A dramatic change in the population occurred in the second quarter of 2004
as overall filing volume increased and the “Identity Theft” violation type
appeared on the Suspicious Activity Report form. Reports using the “Identity
Theft” violation type began with 216 filings in the second quarter of 2004,
possibly indicating an association between computer intrusion and identity
theft. This positive association between computer intrusion and identity
theft continued into the first half of 2005. The addition of “Identity Theft” to
the violation type field appeared to help better define computer intrusion as a
violation. This adjustment also eliminated filings related to employee
misconduct and fraudulently negotiated checks as computer intrusions. The
drop in filings, coupled with important changes in observed activity, signifies
a pivotal development driving the filing volume in 2004.
Violation Amounts
Generally, institutional filers were most likely to indicate that violation
amounts involved in each occurrence equaled zero ($0); however, in the fourth
quarter of 2003 and throughout the first two quarters of 2005, filers indicated
violation amounts within the range of $1 to $9,999 more commonly than
violation amounts equal to zero ($0). This clearly indicates an emerging trend
in actual losses reported by institutional filers. Interestingly, the timing of
this trend in violation amounts corresponded to the emergence of identity
theft and debit card fraud as leading violations in early 2004. Further review
of these violations indicated they typically occurred in the presence of
spoofing/phishing attacks.13 The emergence of filers reporting financial loss
and the emergence of identity theft and debit card fraud may support the
theory that a new pattern of vulnerability involving spoofing/phishing attacks
was on the rise throughout 2004 and into 2005.
Institutions Reporting
According to the Anti-Phishing Working Group14 (APWG) Phishing Activity
Trends Report of October 2004, financial institutions have historically been
the most targeted industry sector in the number of spoofing and phishing
attacks.15 The report also indicated that increased suspicious activity reporting
of computer intrusion was probably influenced by the number of people
opting for online banking services. The phishing/spoofing attacks on institutions
reported by the Anti-Phishing Working Group were compared to Suspicious
Activity Reports identifying computer intrusion in order to recognize
possible meaningful associations. Almost immediately, the phishing/spoofing
attacks identified by the Anti-Phishing Working Group on one financial
institution in particular could be associated with suspicious activity reporting
patterns. The Suspicious Activity Reports filed by this institution were
detailed and provided actual dates and language of the spoofed email. When
compared with filing specifics reported by the Anti-Phishing Working Group
archive of the alleged emails, a positive correlation between FinCEN data
and Anti-Phishing Working Group open source data for at least this institution
could be identified.
The strong association between the FinCEN data and Anti-Phishing Working
Group open source data allowed a model of activity to be developed for this
institution based on the launch of the phishing email and the time of detection.
This model identified that the average filing lead time for an incident of
phishing/spoofing normally exceeded 60 days. The incident of phishing/spoofing
typically:
- was identified after a customer reported an account as compromised;
- exceeded 25 days from date of the phishing/spoofing email; and
- occurred within either one week before or after the first of each month
(i.e., August 24 through September 7).16
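The three indicators in the model above (detection lag from the phishing email, filing lead time, and clustering around the first of the month) can be computed mechanically over incident records. The following is an added example, not code from the FinCEN report; the incident dates are constructed, and the month-start window is assumed to mean seven days either side of the first, since the text does not state the exact boundary.

```python
"""Phishing incident timeline metrics modelled on the SAR analysis above.

Added example (not part of the FinCEN report): it applies the three checks
the report's model used for one institution -- detection lag from the
phishing email, filing lead time, and whether the incident clustered around
the first of a month -- to constructed incident records.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class PhishIncident:
    """One phishing/spoofing incident as a SAR narrative might describe it.

    All dates are constructed for illustration, not taken from any filing.
    """
    email_sent: date         # date the spoofed email was launched
    detected: date           # date the bank learned an account was compromised
    filed: date              # date the SAR was filed
    customer_reported: bool  # True if a customer, not the bank, found it


def detection_lag_days(inc: PhishIncident) -> int:
    """Days from the phishing email to detection of the compromise."""
    return (inc.detected - inc.email_sent).days


def filing_lead_days(inc: PhishIncident) -> int:
    """Days from the phishing email to the SAR filing (the report's 'lead time')."""
    return (inc.filed - inc.email_sent).days


def days_from_month_start(d: date) -> int:
    """Signed distance in days from d to the nearest first-of-month.

    Negative means d falls before that first; positive means on or after it.
    """
    this_first = d.replace(day=1)
    next_first = (this_first + timedelta(days=32)).replace(day=1)
    to_this = (d - this_first).days   # >= 0
    to_next = (d - next_first).days   # <= 0
    return to_this if to_this <= -to_next else to_next


def near_month_start(d: date, window_days: int = 7) -> bool:
    """True if d lies within one week either side of a first-of-month.

    Assumption: the report's example window (August 24 through September 7)
    is read here as +/- 7 days around September 1.
    """
    return abs(days_from_month_start(d)) <= window_days


def summarize(incidents: Iterable[PhishIncident]) -> dict:
    """Aggregate the report's three indicators over a set of incidents."""
    incs = list(incidents)
    n = len(incs)
    lags = [detection_lag_days(i) for i in incs]
    leads = [filing_lead_days(i) for i in incs]
    return {
        "count": n,
        "avg_detection_lag": sum(lags) / n,
        "avg_filing_lead": sum(leads) / n,
        "share_detected_after_25d": sum(l > 25 for l in lags) / n,
        "share_customer_reported": sum(i.customer_reported for i in incs) / n,
        "share_near_month_start": sum(near_month_start(i.detected) for i in incs) / n,
    }


# Constructed sample: four incidents with plausible spacing, not real filings.
SAMPLE = [
    PhishIncident(date(2004, 8, 2), date(2004, 8, 30), date(2004, 10, 5), True),
    PhishIncident(date(2004, 9, 10), date(2004, 10, 3), date(2004, 11, 20), True),
    PhishIncident(date(2004, 10, 20), date(2004, 11, 29), date(2005, 1, 4), False),
    PhishIncident(date(2004, 11, 15), date(2004, 12, 13), date(2005, 1, 25), True),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:>26}: {value}")
```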
While the 2004 phishing/spoofing attacks reported by the Anti-Phishing
Working Group identified attacks against large banking organizations, only
a few were filers of computer intrusion-related Suspicious Activity Reports.
Narrative analysis revealed that only two of the large banks actively and consistently
reported phishing/spoofing attacks. The other large banking
organizations reported an assortment of activities which often involved
employee misconduct.
Geographic Analysis
Fluctuations in state frequency of Suspicious Activity Report filings were
compared to fluctuations in the Federal Deposit Insurance Corporation’s
“Regional Economic Conditions” report to identify possible influences. For
example, the number of suspects having a reported state residency of
Michigan was 89, or 8.15% (Table 5) of the target population that listed a
suspect’s state of residence. Michigan, however, represented only 3.53% of
the overall population, according to the 2000 U.S. Census. Further review of
Michigan’s Suspicious Activity Report filings revealed that one filer routinely
reported employee misconduct involving bank computers as computer
intrusions, while another filer (mentioned previously) inappropriately
categorized fraudulently negotiated, unsolicited loan checks using email as
computer intrusion.
An examination of national averages for unemployment rate, payroll
employment growth rate, and personal bankruptcy filings was performed to
determine if there were measurable associations between these economic
indicators and Suspicious Activity Report filings reporting computer
intrusion.17 The number of households participating in online banking
services from 2000 to 2004, as reported by Forrester Research, was also
examined. An extended review of economic activity in Michigan between
the third quarter of 2003 and the second quarter of 2004 indicated that total
payroll employment growth in Michigan lagged behind the U.S. national
average, while personal bankruptcy filings outpaced the U.S. national
average. This provided a model of activity related to unexpected increases in
the number of suspects identified in Suspicious Activity Reports reviewed.
At least two other states examined in the same period fit this model:
Colorado, with a suspect frequency of 4.30% and a census percentage rank of
1.53%; and Alabama, with a suspect state frequency of 3.04% and a
census percentage rank of 1.58%. This observation did not prove to be a
causal relation, but there was strong evidence supporting a hypothesis that
regional economic squeeze may have been, in part, a causal factor for the violations
reported in Suspicious Activity Reports from some regions.
Generally, however, the influence of economic conditions proved inconclusive
for the remaining regions.
[Table graphic not reproduced]
A troubling characteristic of the computer intrusion-related Suspicious
Activity Reports was that there was a high number of suspects for whom
locations were unknown (more than 1,800) to the financial institution. This
was consistent with account compromise by unknown suspects and suggested
a lack of geographic affinity between suspects and financial institutions.
This finding was also consistent with the second quarter of 2004 shift to the
“Identity Theft” violation as it became obvious that computer intrusion was a
remote and anonymous offense.
Occupation Analysis
Occupational data reported by depository institutions on the Suspicious
Activity Report form (TD F 90-22.47) was collected in two ways: (1) filers
indicated a suspect’s affiliation with the filer in a pre-coded response; or (2)
filers indicated a suspect’s occupation in a free-form response, which was
post-coded for quality control.18 While post-coded responses were always
mutually exclusive, the pre-coded responses were not and, therefore,
suspects were identified by multiple codes.
In general, responses to the question on the Suspicious Activity Report form,
“Is individual/business associated/affiliated with the reporting institution?”
identified 1,466 suspects without a customer affiliation with the filing
institution, while 2,132 filings identified suspects with a customer or
borrower relationship with the filing institution. This finding is difficult to
reconcile because associations were not mutually exclusive; for example,
filing institutions regularly listed employees as both employee and customer.
There were also 2,369 filings that indicated “Suspect Information
Unavailable” that did not identify a suspect or an occupation.
Examination of bank personnel reported as suspects revealed that at least 15
had high-level access to bank computing infrastructures (i.e., bank network
administrators). There were also occasional reports that identified the names
of malicious codes (i.e., viruses,19 worms,20 and Trojans21) introduced to bank
servers. In each instance of malicious code, the infection occurred in systems
deemed non-critical to bank operations, e.g., Internet security systems and
email or networking servers. While data
corruption of non-critical systems did not meet the strict definition of computer
intrusion, it may have imposed a significant burden on bank operations.
Some of the malicious codes identified included:
- Lovesans worm;
- W95@mm virus;
- W32.Bugbear.B@mm virus; and
- W32.Bugbear.B.dam virus.
In the case reporting the Lovesans worm, an Internet security systems
server enabling web-based production was infected and quarantined; all
other reports related to quarantined email attachments.
Narrative Analysis
Narratives of 140 Suspicious Activity Reports were reviewed and coded for
16 causal behaviors and 23 resultant behaviors. Causal targeting focused on
methods compromising both bank systems and customer information files,
while resultant targeting focused on the types of accounts compromised and
losses occurring after compromise.
Anomalies appeared sporadically throughout the narrative sample, some
previously discussed, including cases of advanced fee frauds, fraudulent
negotiation of loan starter checks, employee misappropriation of customer
information files prior to separation from the filing institution, and employee
misconduct involving the use of bank systems to alter personal account
terms. The anomalies did not meet the definition of computer intrusion and
therefore were not evaluated extensively.
The narrative content exhibited a change consistent with changes in the
nominal data identified in the second quarter of 2004. Before exploring these
changes further, it is important to note that the current best practices for
online banking require public key access to a vaulted site (sites using session
cookies only), which means that the examination did not expect to encounter
instances of man-in-the-middle eavesdropping. In addition, public encryption
keys for most online banking services are now 128-bit and the
examination did not expect to encounter instances of session hijacking. In
fact, the compromise of bank-hosted servers containing customer information
files was not a common occurrence in the sampled narratives. Of the
narratives reviewed, seven suspicious activity reports indicated a compromise
to customer information files maintained on bank-hosted servers. All seven
filings, in 2002 or earlier, reported no further indications that customer
information “had been accessed or otherwise abused.” Targeted analysis
of reported attempts to breach non-customer information file bank-hosted
server(s) indicated that attacks on bank-hosted servers (e.g., Internet
security systems, web, proxy)22 first appeared in the population in the second
quarter of 2001 but disappeared by the third quarter of 2003.
Account Types Compromised
The most commonly compromised account type was the demand deposit
account,23 with either a compromise of the principal account and the personal
identification numbers or a compromise of a debit card number and the
personal identification number. Filings reporting the compromise of a
principal account and the personal identification numbers were more likely
to report that a victim’s identity was assumed by someone known to the
victim, including bank personnel. Unauthorized transaction activity
associated with this type of account compromise included use of the account
and personal identification numbers to initiate Automated Clearing House
payments through online bill payment services and/or to make
check requests.
Compromise of branded debit cards to access demand deposit accounts was
more likely to be associated with filings that listed a suspect as unknown.
It should be noted that breaches of this nature were far more common than
compromises of the principal account and personal identification number.
Unauthorized transactions associated with this type of account
compromise included debit card usage resulting in unauthorized charges and
card clones24 used to withdraw funds via automated teller machines.
The second most commonly compromised accounts were credit card lines of
credit, where the credit card number was compromised. This type was
reported by several unrelated financial institutions and was associated with a
single event in which bank identifier codes for a large brand credit processor
were compromised.
Other types of deposit, revolving and installment accounts, such as first and
second mortgages, overdraft protection accounts, and one instance of a purser
account, appeared in the narrative sample. Most of these occurrences were
associated with bank employee misconduct, including the use of the
computing function to alter balances, refund or retard fees collected, and
change due dates.
Methods of Account Compromise
To better explain the nature of security and how accounts can be
compromised, a general review of the meaning of “hacking” and the
typology associated with “hacking” is required as follows:
Overview of Hacking
In the original sense of the term, a hacker is an expert programmer. Over
the years, the term “hacker” has lost its original meaning and has become a
term associated with malicious programmers. The hacker’s prize is the
satisfaction of cracking the defenses of another programmer while
misappropriation of funds or data is the trophy of a successful hack. Each
time a new product or service is rolled out with the intent to capture more
broadband users, a new set of vulnerabilities awaits discovery by hackers.
Ultimately, firewalls are the last defense between proprietary information
and hackers. Quite possibly, every program may be cracked, which means
that network administrators (banking or otherwise) are barely one step
ahead of the hackers and should consider all areas of vulnerability when
designing secure websites.
Types of Hacker Attack
In general, there are only two methods of attack, direct and indirect. A direct
attack attempts to deliver scripts25 directly to targeted devices. Even when
direct attacks are initiated in stealth mode, hackers generally regard direct
attacks as the riskiest because active pinging26 increases chances of
detection. On the other hand, an indirect attack delivers scripts to
component programs (e.g., electronic mail) of the target server that will eventually
become integrated into the root directories of the target device. Once
these scripts are delivered, a trigger (e.g., time, logic or other devices) will
drop additional malicious codes (i.e., trojans, viruses, worms) into the
legitimate command scripts of a targeted device. The downloaded malicious
codes can result in a wide variety of attacks and/or damage, including
flooding, overflows, phishing/spoofing, denial of service, data diddling
(corruption), and altered/hijacked URLs27 (web defacement). For this study,
if a narrative indicated a compromised server, it was assumed a direct attack
on the server had occurred. Direct attacks, by definition, require that
rootkits with backdoor scripting have either been installed or that there was
an attempt to install these scripts.
Findings within Computer Intrusion-Related Suspicious
Activity Reports
In the last eight quarters covered by the analysis, there were five filings
included in the narrative sample that indicated hacking attempts on the
customer information file server(s) had occurred (none were successful), and
no filings indicated a third party processor had been compromised. This was
in stark contrast to filings in 2000 to 2002 that indicated at least 11
hacking attempts on customer information file servers, and, as previously
stated, seven probable hacks of customer information file servers. At least 22
filings indicated successful compromise of third party processors. Changes
in computer intrusion activity may support financial institutions’ claims that
bank-hosted servers are secure.
Compromise Of Third Party Processors
As previously stated, activity observed between 2000 and 2002 was quite
different from activity observed from 2003 through the second quarter of
2005. One of the most obvious differences was that third party processors
were finding it difficult to secure customer information files in the period of
2000 to 2002. There were four third party processors identified in 22
Suspicious Activity Report narratives, and all four were contract hosts for
online banking and/or online bill payment services for different banks. In all
cases, a direct hack of database servers was identified as the probable point of
compromise and in at least one high profile case, arrests and convictions
followed. In at least seven narratives filed between 2000 and 2002, filers
hosting critical files for non-core banking activities indicated hosting
servers were compromised. In three of the seven narratives, filers indicated
a suspect contacted them to demand funds in exchange for the return of
critical information. At least one overseas extortionist was wired $10,000 at
the direction of the Federal Bureau of Investigation Internet Crimes
Complaint Center (IC3)28 task force agents. Literally thousands of accounts
were compromised during these attacks.
Since the fourth quarter of 2004, there were no additional reports identifying
compromised third party processors. As mentioned previously, the four
third-party processors that experienced a direct hack to their servers claimed
to have increased servicing volumes, which may indicate the computing
infrastructure for bank-contracted servicers has been strengthened.
Compromise of Customer Information Files
In contrast, the compromise of customer information files for branded credit
card processors appeared only twice between 2000 and 2002, although
thousands of accounts were compromised in each instance. However, card
processors appeared five times in the last eight quarters of the analysis and
several filings indicated that damages could not be estimated because not all
unauthorized activity had been reported by legitimate customers. At least
two filings indicated a direct hack of servers which occurred at a firm contracted
out by a credit card processor.29
‘Spoofing’ and ‘Phishing’
There were several reports of denial of service attacks, both distributed and
single-source, on non-critical bank servers by spoofing the Uniform Resource
Locator (URL) of the target financial institution.30 To “spoof” is a hacker term
that means “to forge an identity.” Spoofing has been used to describe many
different types of malicious activities that involve forging an identity. For
instance, in the previously mentioned reports, hackers launched a denial of
service attack by initiating a Transmission Control Protocol (TCP) ping to
millions of devices using the spoofed Internet Protocol address of the targeted
device as a reply address.
There is another type of spoofing, however, that should be a larger cause of
concern because it occurs with far more frequency than instances of direct
hack attacks on bank-hosted servers in the sample. This variety of
spoofing involves the creation of emails that appear to be legitimate emails
from banks and/or bank regulators. These emails, through social
engineering, encourage recipients to compromise their account information
through illegitimate forged Uniform Resource Locators (spoofs). This
collective activity is known as “phishing,” and it was the most pervasive
activity reported in the sample when a suspect was unknown to the victim.
Published industry reports indicate that as many as 20 email recipients out
of 1,00031 will respond to phishing, while other industry experts have
recently argued that the ratio may be closer to 1 in 8.32
Causal Targeting
In the period from 2000 through the first quarter of 2002, Suspicious Activity
Reports were coded to identify compromised online banking or bill payment
services hosted by a third party processor. This targeted analysis revealed
that at least four major third party processors were compromised during this
period, exposing thousands of principal account numbers and personal
identification numbers of retail banking customers and branded debit and
credit card customers of multiple banks to hackers. Two processors
accounted for over 70% (22) of the filings. One of the compromised
processors determined that one of their contractors, a demographic
marketing firm, was hacked and its data misappropriated by a former
employee, who subsequently conspired to provide the compromised data to
others. No additional compromises of third party processors were reported
after the first quarter of 2002.
Causal targeting identified three types of transactions where a customer’s
response to phishing was suspected: unauthorized Automated Clearing
House transfers; cloned debit card usage;33 and unauthorized bill pay/check
requests. The most common transaction was an attempted Automated
Clearing House transfer of funds from demand deposit accounts to accounts
in the name of straw entities. Suspects typically transferred a small sum
initially, but increased to larger transfers until the Automated Clearing
House requests were rejected for insufficient funds or through
administrative rejections for fraud. In the narratives sampled, the
Automated Clearing House transactions were the most vulnerable to
detection and exception reporting due to batch processing. Unauthorized
Automated Clearing House activity was often halted before significant
losses could occur.
Cloned debit card transactions, however, were more difficult to prevent
because Automated Teller Machines provide perpetrators with immediate
access to cash as a result of the automated (and many times continuous)
reconciliation of Automated Teller Machine networks. Customers whose
accounts were compromised through cloned debit cards usually detected the
unauthorized use through account statements or failed attempts to access
their accounts. Unfortunately, delayed detection enabled suspects to
withdraw larger amounts without fearing interception. Cloned debit card
usage was reported at automated teller machines located throughout the
world, including New York City, NY; Hialeah, FL; Costa Mesa, CA; Tucson,
AZ; Bucharest, Romania; Madrid, Spain; Vilnius, Lithuania; Moscow, Russia;
Kiev and Zaporizhzhya, Ukraine; and Sharjah, United Arab Emirates. There
were a few remarkable patterns of activity identified, including a suspect(s)
operating in the Southwest, who always used Automated Teller Machines,
frequently within a few blocks of a golf course and always within a few miles
of the main gate of a United States military installation. Automated Teller
Machines in these stores lacked mounted cameras, but a comparison of dates
and times revealed that the withdrawals from unrelated accounts literally
occurred within minutes of one another.
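The two transaction patterns described in the passage above (Automated Clearing House transfers that start small and escalate toward one payee until returned, and automated teller machine withdrawals from unrelated accounts at one terminal within minutes of each other) translate directly into batch detection rules. The following is an added example, not code from the FinCEN report or any bank; account ids, terminal ids, amounts and timestamps are all constructed.

```python
"""Detection rules for the two phishing-driven transaction patterns above.

Added example, not from the FinCEN report. It encodes the patterns the
narratives describe -- ACH transfers that start small and escalate toward
one payee, and ATM withdrawals from unrelated accounts at the same terminal
within minutes -- as checks over constructed transaction batches.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AchTransfer:
    account: str      # originating demand deposit account (constructed id)
    payee: str        # receiving account / straw entity (constructed id)
    when: datetime
    amount: float
    status: str       # "settled", "nsf" (insufficient funds) or "rejected"


@dataclass(frozen=True)
class AtmWithdrawal:
    account: str      # debited account (constructed id)
    terminal: str     # ATM terminal id (constructed id)
    when: datetime
    amount: float


def escalating_ach(transfers: List[AchTransfer],
                   min_steps: int = 3) -> Dict[str, List[AchTransfer]]:
    """Flag (account, payee) pairs whose transfer amounts rise monotonically.

    The report describes suspects sending a small sum first and increasing it
    until requests were returned NSF or rejected for fraud. A strictly
    increasing run of at least `min_steps` transfers to one payee, or any
    increasing run that ends in a return, is flagged. Keys are "account->payee".
    """
    by_pair: Dict[str, List[AchTransfer]] = defaultdict(list)
    for t in transfers:
        by_pair[f"{t.account}->{t.payee}"].append(t)
    flagged: Dict[str, List[AchTransfer]] = {}
    for pair, items in by_pair.items():
        items.sort(key=lambda t: t.when)
        amounts = [t.amount for t in items]
        increasing = all(a < b for a, b in zip(amounts, amounts[1:]))
        ended_in_return = items[-1].status in ("nsf", "rejected")
        if increasing and (len(items) >= min_steps or ended_in_return):
            flagged[pair] = items
    return flagged


def clustered_atm(withdrawals: List[AtmWithdrawal],
                  window: timedelta = timedelta(minutes=10),
                  min_accounts: int = 3) -> Dict[str, List[AtmWithdrawal]]:
    """Flag terminals where >= min_accounts distinct accounts were debited
    inside one sliding time window.

    This mirrors the narrative finding that withdrawals from unrelated
    accounts at the same machine occurred within minutes of one another.
    """
    by_terminal: Dict[str, List[AtmWithdrawal]] = defaultdict(list)
    for w in withdrawals:
        by_terminal[w.terminal].append(w)
    flagged: Dict[str, List[AtmWithdrawal]] = {}
    for terminal, items in by_terminal.items():
        items.sort(key=lambda w: w.when)
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits in `window`.
            while items[end].when - items[start].when > window:
                start += 1
            cluster = items[start:end + 1]
            if len({w.account for w in cluster}) >= min_accounts:
                flagged[terminal] = cluster
                break
    return flagged


# Constructed sample data (ids, amounts and timestamps are all made up).
T0 = datetime(2004, 9, 1, 9, 0)
ACH = [
    AchTransfer("DDA-1001", "STRAW-77", T0, 50.0, "settled"),
    AchTransfer("DDA-1001", "STRAW-77", T0 + timedelta(days=1), 400.0, "settled"),
    AchTransfer("DDA-1001", "STRAW-77", T0 + timedelta(days=2), 2500.0, "settled"),
    AchTransfer("DDA-1001", "STRAW-77", T0 + timedelta(days=3), 6000.0, "nsf"),
    AchTransfer("DDA-2002", "UTIL-CO", T0, 120.0, "settled"),  # ordinary bill pay
    AchTransfer("DDA-2002", "UTIL-CO", T0 + timedelta(days=30), 118.0, "settled"),
]
ATM = [
    AtmWithdrawal("DDA-3001", "ATM-SW-01", T0, 500.0),
    AtmWithdrawal("DDA-3002", "ATM-SW-01", T0 + timedelta(minutes=3), 500.0),
    AtmWithdrawal("DDA-3003", "ATM-SW-01", T0 + timedelta(minutes=6), 400.0),
    AtmWithdrawal("DDA-4001", "ATM-NE-09", T0, 60.0),  # ordinary single-account use
    AtmWithdrawal("DDA-4001", "ATM-NE-09", T0 + timedelta(hours=5), 40.0),
]

if __name__ == "__main__":
    print("escalating ACH pairs:", list(escalating_ach(ACH)))
    print("clustered ATM terminals:", list(clustered_atm(ATM)))
```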
Overview of Narrative Analysis
The narrative analysis of Suspicious Activity Reports overwhelmingly
identified phishing as the most pervasive and most effective manner of
account compromise. This does not mean this was the only activity reported;
in fact, miscellaneous activities were reported, including cases where the filing
institutions failed to establish that computer intrusion had occurred. For
example, filings reported web page defacement, which was specifically
excluded from the definition of computer intrusion. Of greater concern was
that some filers, through a routine review of available domain names
discovered forged websites that could easily be mistaken for their website.
In one case, the filing bank contacted the domain registrant listed in ‘whois’34 to determine why he had
designed his web site to look like its web site. The contact advised the bank
that he had broken no laws, refused to disable the site, and threatened a civil
suit if the bank contacted him again. In another case, an angry bank
customer engaged in a campaign of targeted spam on a bank customer
support mailbox. Apparently, the customer was angry over a failed
transaction, which he claimed lost him considerable amounts of money. In
addition to threats and libel in the emails, the filer reported the email attack
rendered the bank’s exchange server useless for 24 hours.
Analyst’s Conclusions
In conclusion, phishing compromise was the most prevalent activity in the last eight quarters covered by this study, while hosted third-party service compromise, which was prevalent in the first eight quarters, disappeared during the last eight quarters. Nothing in the last eight quarters indicated that bank-hosted servers were particularly vulnerable to hacking attempts. Evidence suggested that bank customers are increasingly seeking online services, but this need to be ‘connected’ may expose customers to scam artists seeking account information. All large banks covered by this analysis have published online banking policies. In addition, the Federal Financial Institutions Examination Committee (FFIEC) issued a brochure that explains Internet “phishing” and the steps consumers can take to protect themselves against scams (see footnote 35). Most of these policies warn that emails requesting sensitive account or other personal information are never initiated by the financial institution.
13 According to the Federal Bureau of Investigation, “Spoofing or phishing frauds attempt to make Internet users believe that they are receiving email from a specific, trusted source, or that they are securely connected to a trusted web site, when that is not the case. Spoofing is generally used as a means to convince individuals to provide personal or financial information that enables the perpetrators to commit credit card/bank fraud or other forms of identity theft. Spoofing also often involves trademark and other intellectual property violations.” (http://www.fbi.gov/pressrel/pressrel03/spoofing072103.htm)
14 “The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.” (http://www.antiphishing.org/index.html)
15 Anti-Phishing Working Group, “Phishing Activity Report,” http://www.antiphishing.org/APWG_Phishing_Activity_Report-Oct2004.pdf.
16 Attackers may target the period around the first of each month given the typical monthly statement cycles of depository institutions.
17 National averages were identified using the Federal Deposit Insurance Corporation Regional Economic Conditions (FDIC RECON) Quick Link for Analysts, http://www2.fdic.gov/recon/index.asp.
18 Question #30 on the Suspicious Activity Report form asks the filer to identify the suspect’s “Relationship to Financial Institution” (e.g., A-Accountant, B-Agent, C-Appraiser, D-Attorney). Responses A-K are considered pre-coded responses, and response “L-Other” allows the filer to write in a response (post-coded).
19 In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents (for a complete definition, see below). Thus, a computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed infection, and the infected file (or executable code that is not part of a file) is called a host. (en.wikipedia.org/wiki/Virus_(computing))
20 A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers. (en.wikipedia.org/wiki/Worm_(computing))
21 A Trojan is a computer program that disguises itself as a useful software application but is actually used to gain access to a computer. Trojans are named after the Trojan horse used by the rescuers of Helen of Troy. (www.tecc.com.au/tecc/guide/glossary.asp)
22 A proxy is a server that manages the hypertext transfer protocol (HTTP) for the World Wide Web.
23 A demand deposit account (or DDA) is an account, usually a checking account, which permits the account owner to withdraw funds from the account on demand.
24 A cloned credit or debit card is a counterfeit card created using the real customer’s account number and other identifiers found on the face (and sometimes the back) of the card. It is also referred to as “white plastic.”
25 Scripts are computer programming code written in relatively simple programming languages. (www.c-latitude.com/glossary.asp)
26 “Ping is a basic Internet program that lets you verify that a particular Internet address exists and can accept requests. The verb ping means the act of using the ping utility or command. Ping is used diagnostically to ensure that a host computer you are trying to reach is actually operating.” (www.indrum.com/planet/glossary.htm)
27 URL is an acronym for Uniform Resource Locator, which is “a string of characters that represents the location or address of a resource on the Internet and how that resource should be accessed. World Wide Web pages are assigned a unique URL.” Source: www.iarchive.com/_library/terminology/u.htm.
28 The Federal Bureau of Investigation’s Internet Crimes Complaint Center (IC3) is the joint task force led by the FBI and the National White Collar Crime Center, with the primary mission of investigating Internet crimes. This task force, formerly known as the Internet Fraud Complaint Center (IFCC), is a primary source of confidential leads, which are provided directly to the task force by victims of Internet frauds.
29 A credit card processor is “a company that performs authorization and settlement of credit card payments, usually handling several types of credit and payment cards (such as Visa, MasterCard, and American Express). If merchants wish to sell their products to cardholders, they retain the services of one or more processors who handle the credit cards that the merchant wishes to accept. When a merchant retains the services of a credit card processor, it is issued a merchant ID.” Source: http://www.secpay.com/glossary.html.
30 A Uniform Resource Locator (URL) is the unique address that identifies a resource on the Internet for routing purposes, such as http://www.fincen.gov.
31 Various; David Jevans, Testimony before the U.S. Senate, http://aging.senate.gov/_files/hr120dj.pdf; Greg Keizer, “Gartner Sees Surge in Phishing Expeditions,” Information Week, http://www.informationweek.com/story/showArticle.jhtml?articleID=19900043.
32 Various; Dr. Dale Pletcher, “Identity Theft: The Aftermath 2003—A comprehensive study to understand the impact of identity theft on known victims,” http://www.idtheftcenter.org/idaftermath.pdf; Market Wire, “28% of U.S. Adults Continue to Inaccurately Identify Phishing Email Scams,” http://www.marketwire.com/mw/release_html_b1?release_id=70388.
33 See footnote 24 for the definition of a cloned debit card.
34 ‘Whois’ is a term referring to a domain name search or look-up feature for a database, typically for Top-Level Domain name registries. Information such as name availability can be found through a query or search using the ‘whois’ protocol (standard). Most Top-Level Domain registries maintain their own ‘whois’ database containing domain name contact information. (Definition obtained from http://domain.rshweb.com/glossary.html.)
35 This brochure, “Internet Pirates are Trying to Steal Your Information,” was distributed to financial institutions in a format that could be used as a statement insert to educate their customers, and is available on the following federal banking agency websites: http://www.federalreserve.gov/consumers.htm (Board of Governors of the Federal Reserve System); http://www.fdic.gov/consumers/consumer/fighttheft/ (Federal Deposit Insurance Corporation); http://www.ncua.gov/Publications/brochures/IdentityTheft/PhishBrochure-Print.pdf (National Credit Union Association); http://www.occ.gov/consumer/phishing.htm (Office of the Comptroller of the Currency); http://www.ots.treas.gov/docs/4/48950.pdf (Office of Thrift Supervision).
Excerpted from SAR Activity Review Issue 9, page 15