Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned.
In most of the e-banking robberies I’ve written about to date, the victims have been small to mid-sized businesses that had their online bank accounts cleaned out after cyber thieves compromised the organization’s computers. This incident is notable because the entity that was both compromised and robbed was a bank.
The attack began Thursday, May 20, when the unidentified perpetrators started transferring funds out of an internal account at Treasury Credit Union, a financial institution that primarily serves employees of the U.S. Treasury Department in the state of Utah and their families. Treasury Credit Union President Steve Melgar said the thieves made at least 70 transfers before the fraud was stopped.
Melgar declined to say how much money was stolen, stating only that the total amount was likely to be in the “low six-figures.”
“We’re still trying to find out what net [loss] is, because some of the money came back or for whatever reason the transfers were rejected by the recipient bank,” Melgar said, adding that the FBI also is currently investigating the case. A spokeswoman for the Salt Lake City field office of the FBI declined to comment, saying the agency does not confirm or deny investigations.
Many of the transfers were in the sub-$5,000 range and went to so-called “money mules,” willing or unwitting individuals recruited over the Internet through work-at-home job schemes. Melgar said other, larger, transfers appear to have been sent to commercial bank accounts tied to various small businesses.
Melgar said some of the money mules apparently had a change of heart, but only after they’d withdrawn the stolen cash from their bank accounts and wired the money overseas to Ukraine as instructed.
“Some of the money mules went back to their banks after they’d Western Unioned the money, went back and talked to their branch manager or whoever and said they felt they may have committed fraud,” he said. “I guess something must have clicked in their head at that point.”
Melgar said it wasn’t clear whether any of the mules who reported the fraud to their banks had returned the “commissions” they make for helping thieves launder the money. In previous attacks I have written about, the mules were permitted to keep roughly 8 percent of the transfer amount, with any wire fees to be taken out of the commission. Earlier this month, the FBI said it is planning a law enforcement action against money mules in a bid to raise public awareness about the damage from these types of work-at-home employment schemes.
According to Melgar, the perpetrators who set up the bogus transactions had previously stolen a bank employee’s online login credentials after infecting the employee’s Microsoft Windows computer with a Trojan horse program. Melgar said investigators have not yet determined which particular strain of malware had infected the PC, adding that the bank’s installation of Symantec’s Norton Antivirus failed to detect the infection prior to the unauthorized transfers.
“That’s all part of our investigation, and we’re going to try to see how it was that this PC got infected,” Melgar said. “The truth is if you invite malicious software in, there’s probably not a lot at that point that’s going to stop it.”
Last July, organized thieves used money mules to steal tens of thousands of dollars from Huntington, W.V.-based First Sentry Bank.