NACHA Attacks Rising Again

Symantec reports an unprecedented jump in spam volumes containing “polymorphic malware,” malicious software that constantly changes to evade anti-virus software.  One of the most successful lures used in these attacks is spoofed NACHA email.  NACHA is a not-for-profit group that develops operating rules for organizations that handle electronic payments.

Victims of these scams soon find new "employees" (money mules) added to their payroll to move the stolen funds out.  The thieves use the victim’s online banking credentials to push unauthorized payroll payments to the mules, who are instructed to take out the cash, keep a cut for themselves, and wire the rest overseas.

  • In September, attackers stole about $120,000 from Oncology Services of North Alabama.  The organization’s accounting firm was the apparent source of the compromise, indicating that other clients may also have been victimized.  The bank was able to block some of the fraudulent transfers, but it remains unclear how much the thieves got away with.
  • Thieves also robbed the North Putnam Community School Corporation, serving 6 northern townships in Indiana.  They made off with about $100,000, sending the money to several people who had no prior business with the school district.  Luckily, all of the fraudulent transfers were returned shortly after the attack.
  • Hackers also struck the City of Oakdale, Calif., stealing $118,000 from a city bank account. Oakdale city officials are confident that their insurance carrier will reimburse the loss, minus a $2,500 deductible.  Officials from Oak Valley Community Bank wrongly laid blame for the incident on a lack of technology and security.

Blocking these attacks has little to do with bleeding-edge systems or scanning files with anti-virus.  It’s not clear what malware family was used in any of these attacks, although the first involved a gang that uses the ZeuS Trojan.  Most victims of modern malware will actually have anti-virus software installed.  What they won’t have is a definition file that detects the specific characteristics of the malware that is attacking them.  Anti-virus firms and users are constantly playing catch-up.  Someone has to suspect that a file is malicious and send a copy in for analysis before a signature can be developed and pushed out to users.

Preventing theft of your online banking credentials is a critical first step in dealing with this threat. Consumers and small and mid-sized businesses should use a dedicated computer for online banking.  Access bank accounts only from a PC that is locked down, regularly updated, and used for no other purpose than online banking.  The cost is a few hundred dollars, compared with the risk to your entire business and reputation.