Monday, June 23, 2008

Hackers make mirror image of Citadel site - denverpost.com - 22 Jun 2008

Web-savvy criminals are preying on consumers' financial information more and more often, security experts say.

CHICAGO — The famously discreet Citadel Investment Group draws many of the shrewdest minds from Wall Street to Chicago. Shanghai too.

Unknown people in that Chinese city cloned Citadel's website, set up a link for investor passwords and exposed the $17 billion hedge fund to a "grave risk of theft of confidential information," according to a federal lawsuit that shut down the fake site.

These kinds of nefarious schemes have become shockingly routine for financial institutions, security experts say, and exhibit an increasing level of brashness by people using search engines and customer identities to hijack sensitive data.

"It's not that they're heading in through the back door," said David Fisher, chief executive of the Chicago-based online brokerage OptionsXpress. "It's people coming in through the front door with a user name and password."

Even if companies defuse scams without suffering any losses, as Citadel did, the culprits usually vanish like phantoms. The vast majority escape investigation and prosecution due to an inadequate framework of domestic and international laws.

"Over the next few years, these issues are going to come so far to the forefront that there are going to be more efforts by lawmakers to provide specific laws to remedy these harms," said lawyer Scott Kamber, who represents customers of the brokerage TD Ameritrade in a class-action lawsuit. "It's incumbent on corporate America to get religion on fortifying their security. If they don't, it's going to get very expensive for them."

Investment bank Sandler O'Neill and Partners is trying to determine who penetrated its website, forcing it to shut down for four days last week.

The bank hosted a conference about electronic trading, streaming live video of presentations by 35 companies, including the CME Group, parent company of the Chicago Mercantile Group and Chicago Board of Trade.

Hackers linked some to an overseas website that secretly downloaded a malicious program onto their computers, said someone who reviewed the incident for the bank. While the program was not harmful, the bank instantly notified clients about the incident.

TD Ameritrade is awaiting the settlement of a class-action lawsuit after hackers accessed the accounts of some 6.3 million customers.

The hackers then sent spam to the customers in a scheme to pump up the prices of certain stocks that would then be dumped on unsuspecting buyers.

Kamber compared defending a financial company from these scams to stopping a submarine from sinking: The water can rush into the smallest of cracks.

Dangerous programs infect about 6,000 sites each day, almost one every 14 seconds, according to research by Sophos, an anti-spam and antivirus software company.

Companies such as OptionsXpress take precautions to defend against more complex attacks. One involved keystroke programs downloaded onto hotel computer kiosks in Thailand that capture the passwords of tourists checking their accounts.

A Colombian citizen, Mario Simbaqueba Bonilla, was convicted in April for a similar three-year scam that stole $1.4 million by lifting information from computers at hotels and Internet lounges worldwide, according to the Justice Department.

Federal agents caught and arrested him last year when he flew to the U.S. His baggage included a laptop containing the names, passwords and other financial information of 600 people.

In Citadel's case, the thieves probably wanted to "phish" for investor passwords that would help them access data from the real site. The fake site might also have served as a front to cheat naive investors eager to entrust their money with Citadel.

Citadel said the bogus site produced no unusual activity on its own website.

What distinguished the scam was its apparent reliance on search engines. If you typed "Citadel," "hedge" and "fund" into Google in December, a curious site called "cita del-group.net" popped up.

It bore the hedge fund's turreted logo, but the site contained some unique alterations, such as contact information written in Chinese.

The real Citadel is headquartered in a Chicago skyscraper. A replica of an ancient Greek sculpture and alert security guards watch over its ground floor.

"No writing is allowed here," a guard barked as a visitor with a notebook approached the statue last week.

By Joshua Boak
