By LARRY MARGASAK, Associated Press
WASHINGTON (AP) -- Remember all those phony emails that purport to be from your bank, asking you to click on a link and turn over your account information?
Cyber experts say criminals have moved on and are using new methods.
A cybersecurity banking official told a House Financial Services panel Friday that criminals are now sending emails claiming to be from someone other than your bank. Newer scams use the National Automatic Clearing House Association, the Electronic Federal Tax Payment System, the U.S. Postal Service, private delivery firms, telecommunications companies and social media providers. One thing hasn't changed. Once an unsuspecting user clicks on a link, he or she is redirected to a server that downloads malicious software onto the victim's computer. The software captures the user's online banking credentials as they are typed.
Called "phishing," this tactic involves sending an email that falsely claims to be an established legitimate enterprise in an attempt to trick the user into turning over information.
Michele Cantley, testifying on behalf of the Financial Services Information Sharing & Analysis Center, said that phishing "remains the most popular attack method that criminals use to infect victims' machines." The center is a nonprofit organization funded by financial services companies, commercial banks, credit unions, brokerage firms, insurance companies, exchanges and clearing houses, and payment processors.
She said criminals are also using malicious advertisements, which appear on search engines and prominent news sites. When a user clicks on the link, malware gets downloaded onto his or her computer.
"A more recent method involves fraudulent messages sent from social media sites," she said. "These may include bogus friend requests, for example, that include links to malicious sites."
Cantley's organization, along with the Microsoft and the Electronic Payments Association, has gone on the offensive against phishing scams. They used a creative legal strategy as part of a civil lawsuit filed earlier this year to disrupt a major cybercrime operation that used malicious software to allegedly steal $100 million from consumers over the last five years.
The lawsuit targeted a global network of computers under the remote control of a criminal group that stole personal information, financial credentials and money, according to court records. The network, known as Zeus, has not been eliminated, but the action has made it much more difficult and expensive for the criminals to operate.
Mark Graff, vice president of the NASDAQ OMX Group, told the panel that his organization is not only concerned about rogue hackers or organized crime but also attacks backed by national governments.
"It is not reasonable to expect individual companies, no matter how large or sophisticated, to independently stave off cyberattacks coordinated and backed by a foreign government," he said. "If our headquarters or our physical infrastructure were under attack from foreign missiles, the U.S. government would work with us to defend our company.
"The same needs to be true for cyberattacks, especially since the U.S. government is equally under attack from these foreign entities."
NASDAQ OMX Group owns and operates 24 markets, three clearing houses and five central securities depositories, spanning six continents.
Associated Press writer Richard Lardner contributed to this report.