September 1, 2010

Cyber crooks stole just shy of $1 million from a satellite campus of The University of Virginia last week, KrebsOnSecurity.com has learned.

The attackers stole the money from The University of Virginia’s College at Wise, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia.

Kathy Still, director of news and media relations at UVA Wise, declined to offer specifics on the theft, saying only that the school was investigating a hacking incident.

“All I can say now is we have a possible computer hacking situation under investigation,” Still said. “I can also tell you that as far as we can tell, no student data has been compromised.”

According to several sources familiar with the case, thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

Sources said the FBI is investigating and has possession of the hard drive from the controller’s PC. A spokeswoman at FBI headquarters in Washington, D.C. said that as a matter of policy the FBI does not confirm or deny the existence of investigations.

The attack on UVA Wise is the latest in a string of online bank heists targeting businesses, schools, towns and nonprofits. Last week, cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa.

Update, Sept. 4, 4:27 p.m. ET: Jordan Fifer, a reporter for the Highland Cavalier, the official student newspaper for UVA-Wise, writes that school officials now say they have recovered the stolen money.


33 thoughts on “Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College”

  1. H. Carvey

    Brian,

    Do you know if there’s a way for me to share findings from previous cases that may be similar with the folks performing the analysis of this drive?

    1. Neil

      If you have a direct contact with the FBI, as every member of Infragard does, then they (the FBI) will know that you have been vetted and your information can be trusted. However, if not, then you can call the local office and speak with the on-duty Special Agent, who can take the info from you and pass it on. Just be aware that because they have no way of verifying accuracy of the material or of the source which is very important in LE.

      1. Nigel Mellish

        Assuming, of course, that the FBI gives a crap, is properly funded, or doesn’t have bigger fish to fry.

  2. wiredog

    “initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. ”

    How the heck does a wire transfer from a US university to a bank in China not send up flares and ring alarm bells?

    1. Mike

      I agree. Even if there is an account set up by the thieves, the bank should be able to see that there has been no transfer history. This should have sent up red flags all over their security systems. I tried to make a purchase of software from a bank overseas with my credit card and the bank stopped it. Why can’t they put safeguards like that in place for funds transfers of this type?

      1. Daya Nidhi Kharel

        If the bank was able to recognize the program, then it would not be a ‘virus’. Chinese people can do everything.

    2. Sile

      Universities often purchase supplies/materials from overseas, and in large sums. This from my experience working in a lab at a four-year university. However, I will admit that I was not involved in the purchasing process and do not know what methods they employ.

  3. Gary

    Since the destination of the money is known, is there any prospect based on past case history that the Chinese authorities would return the money?

      1. Konstantin

        Brian,

        Could you please drop me a line, I have some interesting information for you.

  4. Rob

    It would be interesting to know the account security features that were defeated in this attack. The account balance would seem to make it eligible for a host of security measures. Assuming the comptroller was a sophisticated user the attack may have been very elaborate. Elaborate attacks imply some investment in mapping out the target bank system so that users aren’t alerted to any differences in their normal procedures.

    BB&T might be headed for a sneaker-net system in the wire room.

  5. Andre LePlume

    I’m a bit surprised that any one person can move $1 mil, regardless of the payee.

    1. Benjamin

      I agree. It seems odd that there is no dual control on this. I imagine that if more detail was known, we would find there were also no security tokens and that the user’s PC was compromised with a keylogger. I imagine the login also came from the same IP address.

      Chalk one more up for educating Universities, small business, and public institutions about online security.

      We just held a security seminar for some of our ACH and Wire customers, and it was received with huge praise. A lot of customers were amazed at what kind of risk they are running at their business, and how easy and effective using a live CD can be.

      1. KathyB

        Our community-based bank is strongly considering educating both personal and business customers about online banking security and providing a LiveCD to assist them in their endeavors. If and when we move forward I plan a LiveCD demo to display the ease of use. We’ve had a few customers hit with ZeuS and fortunately have caught every transfer request. All it took was a simple phone call from our Ops Dept. to quickly learn that it was fraudulent activity.

        I also read that BofA did some online security education in recent months to their business/commercial customers that was apparently well received. I’d love to see the agenda/curriculum since those of us in banking should be/need to be more proactive.

      2. neo

        Well, I used to work at a small-scale company where the finance person was so terrified by all this news of cyber crimes that he had instructed the bank to disable any online transaction facility on the company account. Only requests and cheques signed by two authorized persons would do the transactions. At first we used to laugh at him, but now I think he might be right in his own thinking.

  6. Michael

    While BK reports on cybertheft from businesses, individual accounts are no longer safe. El Reg reports M$1 has been stolen by Zeus from 3,000 individual accounts http://www.theregister.co.uk/2010/08/11/zeus_cyberscam_analysis/ and the attack was “ongoing” then. That the trigger level was set at 800 (sorry, no Brit pound key) suggests way more than 3,000 user computers were infected. Seems to me infected user computers must exist for *other* banks and the criminals are just waiting to get sufficient infections/mules to make it worthwhile before launching an attack on a particular bank. If captcha breakers can be farmed, so can Zeus pilots.

    1. Brian Krebs

      Michael — Individual accounts, at least here in the United States — are treated quite differently than business accounts. In the US, consumer accounts are largely insulated from the problem of online account takeover. Yes, they may have the temporary inconvenience and shock of being robbed when a Trojan allows thieves to steal credit or debit card info. But under US laws, the consumer will be reimbursed in almost every case.

      There are no such protections for businesses, which is part of the reason why I have chosen to keep a spotlight on this issue. It’s also clear that too few business owners are aware of the risks they face in banking online.

      1. Michael

        Your reimbursement point is valid, but I hadn’t realized that an attack on a bank’s individual accounts could be attractive or efficient enough to mount (low $/account). Security through financial obscurity is kaput. Perhaps it won’t happen in the US because that might trigger a systematic response from the banks, since losses become the banks’, but it may happen if it ever becomes a use-it-or-lose-it situation (like if Zeus ever becomes easily detected). I don’t fancy a Zeus infection regardless of any reimbursement that I wouldn’t want to test.

  7. george

    I’m seeing a different pattern here (no money mules this time). I hope they will be able to reverse the transaction, being a wire transfer between two banks, and that a follow-up will be posted when this happens.

  8. Guy Pace

    I’ve worked in higher education for a bit over 20 years, mostly state, some federal. I’ve been involved in very large purchases of computer equipment and services. No purchase of that magnitude would pass without proper purchase order paperwork, multiple authorities signing off and all that. Heck, in our state, money going out of _state_ is carefully scrutinized. Money leaving the country from our institutions just isn’t going to happen unless there is only _one_ possible source for whatever is being bought. And, authorization for that would probably have to have the Governor’s signature. I don’t know what Commonwealth of Virginia places on its institutions. But, with that much cash being transferred, I’d put money on someone at the bank being involved. I’m with @wiredog on that. Either collusion, or some very irresponsible financial controls.

    1. Rob

      Guy,

      Don’t you usually see a distinction between the payment authorization process and direct account access?

      I have seen some very sophisticated payment authorization processes that are linked directly to banks so that once payments are authorized the payment is made. However, this, in my limited experience, didn’t prevent some key personnel (like controllers) from direct account access. Also, since these accounts have hundreds of receipts and payments daily they tend to have very high transaction and cumulative daily limits. More restricted direct access could be limited I guess but I am not sure it is widely practical yet.

      In short, these are ideal target victims/accounts from the perpetrator’s perspective.

  9. Grisu

    Sorry to see that US banks still do not use strong authentication/authorization even for high-risk transactions.
    Most of the European banks changed to more secure ways 5 years ago.

    1. Alan

      It depends what you mean by strong authentication.

      US Banks (and some of the biggest are actually owned by European banks) also changed about 5 years ago to offer stronger forms of authentication but those changes are no longer effective. Security procedures have to constantly evolve as the type of attacks change to circumvent the last set of security procedures that were put in place.

      Unfortunately I think it is in the nature of things that the criminals tend to adapt faster to changes than financial institutions and businesses.

      1. Bob

        Just as has been described for terrorist-type attacks, the perpetrator only has to be successful a small percentage of the time to be successful, while the bank/customer (in this case), has to be successful 100% of the time.

    2. Matt

      I must concur with Alan: online criminals have been bypassing even the strongest levels of electronic token authentication used in Europe. The following link is regarding Belgium. These were not just the generic OTP tokens many international banks rely on, which are themselves routinely bypassed by trojans like Zeus, but the most expensive, advanced and time-consuming transaction signing devices as used across many Northern European countries. The MITB method took advantage of the complexity of the active transaction signing employed by all these types of devices to coax them through a “your device needs to be resynchronized, please enter the following control digits to correct it” or some similar routine server maintenance alert. Having used these devices I am not surprised users fell into the trap, as the authentication process requires a long string of digits back and forth between the device and the terminal, often over 40+ seemingly random digits in total including the transaction information, which apart from taking a long time and being very prone to user error do tend to blur into one another.

      Another problem is that occasionally the time-based OTP devices do need to be resynchronized, and so the believability is there. When you put complex devices whose methods are beyond the average user’s comprehension into their hands and ask them to perform long, seemingly arcane tasks, it is not particularly difficult for an attacker to assume an authority and coach them in a particular direction without arousing suspicion. Apart from Scandinavia and, in Asia, Indonesia, most bank managers refuse to adopt the method on user inconvenience grounds. Much of the electronic token industry has looked to this method as a last line of defence if pushed from the now broken time-based OTP; however, as with software, the increased complexity only opens new vulnerabilities. In my opinion many claims made on device manufacturers’ websites need to be amended in light of this.

      http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians

      I can’t help but propose my own passwindow method, which performs a more secure passive visual version of transaction authentication not vulnerable to these MITB Trojan attacks; the inherent simplicity drastically reduces the social engineering possibilities, as the average user can easily comprehend how and why it works.

      1. slacks

        “Trojan horses that were planted onto the victims’ computers would generate a fake error message and request that the victim re-enter the authorization code. ”

        Tricking a user into giving up their credentials is known as social engineering.

        And successful social engineering is not the same as defeating “even the strongest levels of electronic token authentication.”

        1. Matt

          There is no question online criminal organizations are defeating the online electronic authentication tokens and I don’t disagree social engineering is a component of that as it is with the vast majority of financial electronic fraud methods by strict definition.

          I do respectfully disagree with characterizing this attack purely as social engineering as the social element in this case does not exist on its own and in this case is part of a much more complex electronic attack which could also be characterized as a Man-In-The-Middle, Trojan/Malware/Virus attack, Man-In-The-Browser etc, all of which are components too. I imagine the semantics are lost on the victims.

          I am not proposing to disregard electronic tokens altogether as they do prevent many less sophisticated online criminals however the difference between unsophisticated and sophisticated is simply a matter of them updating their malware code and these guys cooperate better than most security professionals.

          1. slacks

            I see your point; I just respectfully disagree. In my mind — and admittedly, this might be an over-simplification — I only see this as a defeat of the tokens if the fraud could have occurred without social engineering. In this case, it couldn’t have.

            Imagine a bank vault has an eight-inch thick steel wall. Let’s say a fraudster walks up to the bank’s office and tells them that he is a vault maintenance man and needs to get into the vault to make repairs. If he convinces the bank employees to let him in, has the eight-inch steel wall been defeated?

            I would not characterize the role of social engineering as merely contributory in this case OR in the one in the article — I say it’s the cause of the compromise.

      2. nl01

        If you follow the Flash presentation of the Belgian bank closely, you’ll see that it’s required to input the total amount of the transaction(s) in your signing gadget (second control number). This does not exclude the possibility that the money is diverted to some other account, but an alert user will never see his account emptied.
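        The distinction Matt and nl01 draw above, between a one-time password that proves only that the token is present and a transaction-signing code that covers the amount (and, better, the payee) the user reads off the device, can be shown with a small simulation. The following is an added example, not code from the article or any commenter, and not any bank's or token vendor's algorithm: it stands in for the device algorithms with truncated HMAC-SHA256 codes, uses a fixed challenge and a constructed shared secret so the run is reproducible, and models the man-in-the-browser as a function that alters the transfer after the user has approved it. Account numbers and amounts are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo secret shared between the user's token and the bank (not a real key).
TOKEN_SECRET = b"constructed-demo-token-secret"
# Constructed fixed challenge so the run is reproducible; a real server picks a fresh one per transaction.
CHALLENGE = b"\x01\x02\x03\x04\x05\x06\x07\x08"


@dataclass(frozen=True)
class Transfer:
    dest_account: str
    amount_cents: int


def _code(secret: bytes, msg: bytes, digits: int) -> str:
    """Truncate an HMAC-SHA256 to a short decimal code, as a hardware token would display it."""
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"


def otp_code(secret: bytes, counter: int) -> str:
    """Plain event-based OTP: depends on the secret and a counter only, never on the transfer."""
    return _code(secret, counter.to_bytes(8, "big"), 6)


def signing_code(secret: bytes, challenge: bytes, transfer: Transfer, sign_recipient: bool) -> str:
    """Transaction-bound code. The device always signs the amount the user keyed in;
    with sign_recipient=True it also covers the destination account."""
    msg = challenge + transfer.amount_cents.to_bytes(8, "big")
    if sign_recipient:
        msg += transfer.dest_account.encode()
    return _code(secret, msg, 8)


def mitb_tamper(seen_by_user: Transfer, new_dest: str, new_amount: Optional[int] = None) -> Transfer:
    """Simulated man-in-the-browser: the user approved `seen_by_user`; the browser submits something else."""
    amount = seen_by_user.amount_cents if new_amount is None else new_amount
    return Transfer(dest_account=new_dest, amount_cents=amount)


def user_approves(mode: str, intended: Transfer, counter: int = 0) -> str:
    """User side: the token computes a code over what the user reads off the (trusted) device."""
    if mode == "otp":
        return otp_code(TOKEN_SECRET, counter)
    return signing_code(TOKEN_SECRET, CHALLENGE, intended,
                        sign_recipient=(mode == "sign_amount_and_recipient"))


def bank_verify(mode: str, submitted: Transfer, submitted_code: str, counter: int = 0) -> bool:
    """Bank side: the bank only ever sees `submitted` (what the browser sent), never what the user saw."""
    if mode == "otp":
        expected = otp_code(TOKEN_SECRET, counter)
    elif mode == "sign_amount":
        expected = signing_code(TOKEN_SECRET, CHALLENGE, submitted, sign_recipient=False)
    elif mode == "sign_amount_and_recipient":
        expected = signing_code(TOKEN_SECRET, CHALLENGE, submitted, sign_recipient=True)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return hmac.compare_digest(expected, submitted_code)


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """For each authentication mode: does the bank accept a transfer the browser altered after approval?"""
    intended = Transfer("VENDOR-ACCOUNT-PLACEHOLDER", 250_000_00)
    # Constructed tampering cases: same amount to a new payee, and a new payee with a larger amount.
    diverted = mitb_tamper(intended, "ATTACKER-ACCOUNT-PLACEHOLDER")
    emptied = mitb_tamper(intended, "ATTACKER-ACCOUNT-PLACEHOLDER", 996_000_00)
    results: Dict[str, Dict[str, bool]] = {}
    for mode in ("otp", "sign_amount", "sign_amount_and_recipient"):
        code = user_approves(mode, intended)
        results[mode] = {
            "intended": bank_verify(mode, intended, code),
            "diverted": bank_verify(mode, diverted, code),
            "emptied": bank_verify(mode, emptied, code),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in run_scenarios().items():
        print(mode, outcome)
```

Reading the result table: with a plain OTP the bank accepts all three submissions, because the code says nothing about the transfer. Signing only the amount, as nl01 describes, rejects the transfer that tries to empty the account but still accepts the same amount diverted to a different payee. Binding both amount and payee rejects both alterations, which is why the code the user keys in must be computed over fields the user actually reads off the device, and why the resynchronization ruse Matt describes works by persuading the user to sign digits that are not their own transfer.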

  10. Joe 6 pack

    Infraguard and fusion centers are unconstitutional, misguided, brainwashed Nazis.

    DHS must be deactivated; the only thing which comes from it is unconstitutional cruft. The only people affected are law-abiding citizens.

    The United States of America must restore its constitution and jail these oath-of-office breakers.

Comments are closed.