Cyber crooks targeting bank employees - FBI

A spate of attacks on US financial institutions has seen criminals obtaining bank employee login details through phishing and keylogging and using the information to wire themselves hundreds of thousands of dollars, the FBI is warning.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

In a fraud alert, the bureau says criminals have been duping financial institution employees with phishing and spam e-mails before installing keystroke loggers and remote access Trojans on their computers.

The thieves then manage to get complete access to internal networks and logins to third party systems, in some instances taking multiple credentials to circumvent authentication methods.

The crooks then use the information to log in to accounts outside of normal business hours and find out details that can help them steal money, such as transaction history and bank wire transfer settings.

In some of the incidents, before and after unauthorised transactions occurred, the victim suffered a DDoS attack against their public Web sites or Internet banking URLs as a distraction tactic. One botnet used, 'Dirtjumper', is a commercial crimeware kit that can be bought on criminal forums for $200.

Most of the victims to date have been small-to-medium sized banks and credit unions, although a few big players have also been hit, with between $400,000 and $900,000 wired overseas.
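The two signals the alert describes, logins outside normal business hours and DDoS attacks close in time to unauthorised transfers, can be checked together when reviewing wire activity. The sketch below is an added example, not part of the FBI alert or the original article; the log layout, user names, business hours and the 12-hour DDoS window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy values, not from the FBI alert: tune to the institution.
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59 local time, Mon-Fri
DDOS_WINDOW = timedelta(hours=12)    # how close a DDoS alert must be to a wire

def off_hours(ts):
    """True when ts falls on a weekend or outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def review_wires(logins, wires, ddos_alerts):
    """Return {wire_id: [reasons]} for wires matching the reported pattern.

    logins: (session_id, user, login_time)
    wires: (wire_id, session_id, time, amount)
    ddos_alerts: alert times from the perimeter or ISP feed
    """
    session_start = {sid: (user, ts) for sid, user, ts in logins}
    flagged = {}
    for wire_id, sid, ts, amount in wires:
        reasons = []
        user, start = session_start.get(sid, (None, None))
        if start is None:
            reasons.append("no matching login record for session")
        elif off_hours(start):
            reasons.append(f"session for {user} opened off-hours at {start:%a %H:%M}")
        if any(abs(ts - alert) <= DDOS_WINDOW for alert in ddos_alerts):
            reasons.append("DDoS alert within window of transfer")
        if reasons:
            flagged[wire_id] = reasons
    return flagged

# Constructed sample data (hypothetical users, sessions and amounts).
T = datetime.fromisoformat
LOGINS = [
    ("s1", "teller01", T("2024-01-02 09:15")),   # Tuesday, business hours
    ("s2", "wireops02", T("2024-01-03 02:40")),  # Wednesday, 02:40
    ("s3", "wireops02", T("2024-01-06 11:00")),  # Saturday
]
WIRES = [
    ("w100", "s1", T("2024-01-02 10:02"), 12_500),
    ("w101", "s2", T("2024-01-03 03:05"), 450_000),
    ("w102", "s3", T("2024-01-06 11:20"), 30_000),
    ("w103", "s9", T("2024-01-09 14:00"), 8_000),  # session never logged
]
DDOS_ALERTS = [T("2024-01-03 01:30"), T("2024-01-03 05:10")]

if __name__ == "__main__":
    for wire_id, reasons in review_wires(LOGINS, WIRES, DDOS_ALERTS).items():
        print(wire_id, "->", "; ".join(reasons))
```

A wire that collects both reasons, as `w101` does here, is the combination the alert describes and the one to hold for manual call-back before release.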


Comments: (1)

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

When banks' own employees can get duped by phishing attacks, merely educating their customers to watch out for dodgy emails and URLs is not going to work in this day and age, as I'd pointed out here. Thankfully, technology is available to solve this problem reliably, cost-effectively and, most importantly, without "false positives".
