Just when you thought it was safe to go back into the water, it turns out that there are more sharks than ever, and they're getting smarter. But, in the end, being smarter than the sharks should be no strain.
Of course, when we speak of sharks, we're referring to Trojans. The news, from the latest Black Hat security conference, is that there's a Trojan in circulation that's designed to extract actionable information from corporate web sites. Known as Clampi, it may have infected half a million machines since March, mostly via drive-by downloads from infected web sites.
Once established in a PC, the Trojan waits for the machine to be used to log on as an administrator to any of a list of about 4,600 sites, mostly those of financial institutions. Once it detects such a log-on, it invades the system and sets it up for wire transfers through mules. An auto-parts dealer in Georgia lost $75,000 in June to the Clampi Trojan.
But logging in as a Windows administrator should not give someone or something access to encrypted databases. That's a separate security level that ought to defeat a Trojan—but is presumably absent in those cases that make the news. Clampi is hardly all-powerful—in the case of the Georgia parts dealer, it succeeded in making six payments, but eight other attempts failed. An extra barrier would probably have defeated it entirely.
Incidentally, the use of infections and mules is not new. A school district in New York State with the unlikely name of Western Beaver has sued its bank about the disappearance of $704,610.35 from its account last autumn, having been siphoned off in 74 wire transfers to 42 different people. A Trojan in the district's computer system convinced it that the superintendent had authorized the transfers. The basis for the lawsuit is that the bank was only supposed to perform transfers from the payroll account, but the funds were sent from the tax and general fund accounts. The bank was able to reverse some of the transfers, but $441,197.01 remained outstanding.
The Trojan should never have been able to find those accounts or even the name of the superintendent—encryption should have cloaked all that. But Western Beaver is actually lucky in that it has grounds for a lawsuit. Most enterprises that are hit by wire fraud—be it triggered by a Trojan or a human—are out of luck. The harsh reality of wire fraud is that while consumers have legal protection and under US law can get most of their lost money refunded by the bank, enterprises have no such protection. They must protect themselves because, in the final analysis, no one else will.
Incidentally, those mules are real people, who are recruited by a constantly shifting constellation of web sites whose marginal English ought to give away their Eastern European origins. The sites imply that there are people willing to pay a 15 percent commission to third parties who will move their money, and so anyone willing to help them can make a lot of cash. Mule recruiting scams are followed here. Why anyone would believe that legitimate businesses would be willing to pay significant commissions just to move money is a mystery: I've done business with clients from Hong Kong to Belgium and never had to pay more than $20 for a transfer.
As for dealing with Clampi, experts advise against ever using the same machine for browsing and for money transfers. With that cybernetic segregation of duties, the machine that watches the money can't get infected.
But both browsing and money transfers involve going online, so it's like telling someone to swim, just not with the sharks. As it is with people, security has to be broader than segregation of duties. There must be intrusion detection to prevent infections, updated anti-virus software to detect infections, and encryption to make infections (or dishonest users) largely irrelevant. There must also be safeguards so that, if money starts walking away, someone will at least notice and ask questions.
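As an added illustration of that last safeguard (example code, not part of the original column), here is a small Python monitor run over constructed sample transfers shaped like the Western Beaver case: it flags wires originating from any account outside a payroll-only policy and bursts of never-seen payees in a short window. The account names, known-payee list, window and threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample transfers (not from the article): (timestamp, source
# account, payee, amount). Mimics the pattern described above: many wires
# to many new payees, drawn from accounts that should never originate wires.
SAMPLE_TRANSFERS = [
    ("2008-10-01T09:00", "payroll", "ADP Payroll Svc", 61000.00),
    ("2008-10-02T10:15", "tax", "J. Smith", 9850.00),
    ("2008-10-02T10:17", "tax", "A. Jones", 9700.00),
    ("2008-10-02T10:20", "general", "B. Lee", 9900.00),
    ("2008-10-02T10:22", "general", "C. Ortiz", 9800.00),
    ("2008-10-02T10:25", "tax", "D. Khan", 9650.00),
]

# Policy the bank was supposed to enforce: only these accounts may send wires.
WIRE_ALLOWED_ACCOUNTS = {"payroll"}
# Payees seen in prior legitimate activity (assumed to be maintained by the enterprise).
KNOWN_PAYEES = {"ADP Payroll Svc"}


def review_transfers(transfers, allowed=WIRE_ALLOWED_ACCOUNTS, known=KNOWN_PAYEES,
                     window=timedelta(hours=1), new_payee_limit=3):
    """Return a list of (transfer index, reason) alerts.

    Two checks: the source account is not on the wire allow-list, and more
    than new_payee_limit distinct never-seen payees appear inside one sliding
    time window (a burst of fresh mule accounts)."""
    alerts = []
    recent_new = []  # (timestamp, payee) for unseen payees, oldest first
    for i, (ts, account, payee, _amount) in enumerate(transfers):
        when = datetime.fromisoformat(ts)
        if account not in allowed:
            alerts.append((i, f"wire from non-approved account '{account}'"))
        if payee not in known:
            recent_new.append((when, payee))
            # Drop entries that have aged out of the window, then count distinct payees.
            recent_new = [(t, p) for t, p in recent_new if when - t <= window]
            distinct = {p for _, p in recent_new}
            if len(distinct) > new_payee_limit:
                alerts.append((i, f"{len(distinct)} new payees within {window}"))
    return alerts


if __name__ == "__main__":
    for idx, reason in review_transfers(SAMPLE_TRANSFERS):
        print(f"transfer {idx}: {reason}")
```

On the sample data the payroll wire passes, every tax and general-fund wire is flagged, and the fourth and fifth new payees trip the velocity rule as well.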
Because the mules are out there, the Trojans are out there, and the scam artists never rest.