Cybercriminals have found new ways to prey on online brokerage firms. A hacked PC opened the door to a sophisticated criminal attack on E-Trade (New York), contributing to $18 million in identity theft-related costs during the firm's third quarter, company officials said.
One of the techniques used by the thieves was an Internet pump-and-dump scheme in which criminals, using stolen customer accounts acquired from a hacked computer, drove up the prices of low-priced stocks through high-volume purchases and then sold those shares at a profit. The Securities and Exchange Commission, the FBI and other law enforcement agencies are investigating the crime.
In related news, TD Ameritrade (Omaha, Neb.), which has 6 million clients, had to cover $4 million in fraudulent transactions for its most recent quarter. A company spokeswoman says TD Ameritrade also was a victim of a pump-and-dump scheme similar to the one perpetrated on E-Trade, but Ameritrade has "never had a breach or intrusion" via computers, she asserts.
New Phish in the Sea
Online brokerages and their customers are just the latest victims of sophisticated phishing and spyware techniques, which have evolved to include faking the browser chrome around a Web page to make a phishing site look authentic. The chrome contains the elements that make up a page's borders, such as Window frames, menus and toolbars.
While Web surfers may not actively think about a Web page's chrome, a fake chrome includes details that can make a bogus site look so authentic that users are more likely to be duped. The security community began tracking the new technique less than a month ago, according to Sioux Fleming, director of product management for CA (Islandia, N.Y.).
Only a few states, including Arkansas, California, New York, Utah and Virginia, have anti-phishing laws. A federal law is unlikely to be passed because lawmakers "can't agree on whether to make businesses liable for losses, in addition to the phishers," according to Jeffrey Neuburger, a partner with the law firm Brown Raysman Millstein Felder & Steiner in New York.
But why aren't businesses working harder to develop sites that can't be spoofed? As E-Trade and TD Ameritrade show, businesses often are compelled to cover their customers' losses to cybercrooks, particularly when the firm's own systems are involved.
E-Trade already offers clients additional security options. The broker offers customers secure ID tokens that automatically change their account passwords every 60 seconds, making the accounts "virtually hack-proof," says an E-Trade spokeswoman.
Law enforcement agencies, meanwhile, are encouraging businesses hit by cybercrime to come forward. "There's a huge issue with the underreporting of cyberattacks in the corporate world," says Mark Mershon, assistant director of the FBI's New York office.
More than 30 states have laws that compel businesses to report when data is lost or stolen, but until law enforcement gets full cooperation from corporate victims, it will continue to operate in reactive mode. "Greed and the thirst for money always outpace the ability to stop it," says FBI agent Milan Patel. <<<
Courtesy of InformationWeek, a CMP Media property.
1. Criminals hacked into a computer owned by an E-Trade customer and stole information, including account passwords.
2. Next, they invested in low-cost stocks, then used E-Trade customers' identities to buy shares of those stocks, driving up the price.
3. Finally, the criminals sold the inflated stocks at a profit, leaving their victims holding the shares of overpriced stocks.