The arrests of dozens of suspects in New York last week for the theft of at least $3 million from banking accounts across America was both good news and a wakeup call for the credit union industry.

The suspects-37 were charged in federal court and a couple dozen more in other jurisdictions, according to media reports-are primarily citizens of Russia, Belarus, Ukraine and other Eastern European countries where the attacks allegedly originated.

They are accused of using variants of the Zeus Trojan malware to steal passwords, account numbers and other data used to access accounts and transfer money. The investigation began when local authorities began investigating a suspicious $44,000 withdrawal from a New York City bank.

“The fact that there was a bust of this magnitude is encouraging. It shows the risk is significantly increasing for criminals,” said Jon Ramsey, chief technology officer at SecureWorks, an Atlanta-based provider of online protection services to 622 credit unions.

Ramsey, whose company first began reporting on the banking variant of the Zeus virus in 2007, also warned, “There are probably 10 top-level Zeus gangs operating around the world today, and a lot of others below that.”

The credential-stealing Trojan is available through professionally produced and supported kits sold on the black market. Thieves are now moving away from well-secured online banking sites to other victims, planting the malware through poorly secured consumer and other websites and netting millions of dollars so far in heists reported across the country.

“They're going after customers and members, infecting business computers, those that do payroll and account receivables. Municipalities, schools and churches are popular targets, too, because they can have a lot of money in their accounts and not a lot of security surrounding the computers they're using,” said Elizabeth Clarke, SecureWorks' vice president of corporate communications.

The victims in the New York bust, according to the U.S. Attorney's Office, included an unnamed Massachusetts city and California hospital. Financial institutions mentioned as accountholders in the announcement included TD Bank, Chase Bank, Bank of America, Wachovia, E*TRADE and TD Ameritrade.

An FBI spokesman in New York declined to identify any other institutions or say whether credit unions were involved, but if they were, it wouldn't surprise Kelly Dowell.

“Zeus attacks have absolutely impacted credit unions,” said the executive director of the Credit Union Information Security Professionals Association in Austin, Texas. “I know of quite a few that have been hit by that attack, and they're not just against consumer-level PCs. They're going where the money is, and that's business accounts.”

Dowell said the New York arrests help shed light on the problem, and “it's a good sign, because there hasn't been a lot of action against this. That's in part because the Zeus attacks are very difficult to address. There are dozens and dozens of variants of it and they're very good at going undetected by anti-virus software.”

Dowell said his organization is working on one possible defense against credential-stealing malware: using a hard-token technique that involves a thumb drive that carries the secured online credentials for accessing accounts.

Another technique is to use a dedicated computer to access accounts online and for no other purpose. That's SecureWorks' advice, whether the computer is at work or home.

“Given the prevalence and seriousness of these credential-stealing Trojans, it's recommended that businesses isolate workstations where [online banking] activities are carried out from possible data-stealing Trojan infections,” the company's counter threat unit advises.

The company also “recommends that home users use a computer dedicated only to doing their online banking and bill pay. They should not use that computer to surf the Web and send and receive e-mail, since Web exploits and malicious e-mail are two of the key malware infection vectors.”

Other organizations in the credit union industry are addressing the problem, including the CUNA Technology Council, according to Rudy Pereira, chair of the council's executive committee and senior vice president of operations and technology at the $7.3 billion Alliant Credit Union in Chicago.

He said the council will be focusing more on security in the days ahead but that, even with the help of capable vendors providing a layered security program, there's only so much credit unions can do.

“Biggest lesson, we can't control the security measures our members take to protect themselves,” Pereira said. “There really is no one solution, but a layered security solution does need to be incorporated into a credit union's information security program.”

That includes distributing desktop-hardening software, the veteran technologist said, along with credit unions deploying behavioral and rules-based algorithmic detection systems that track member behavior, once past authentication, and block transactions and send alarms when things don't add up.

That may have been what tipped off the bank in New York in the latest case.

Pereira said he was pleased to hear of the arrests but said the $3 million figure seemed low, “considering what it could have been.”

He added, “I believe that law enforcement sees the potential these attacks have. It's good to see that cyber crime will be taken seriously and dealt with seriously.”

–[email protected]