The House Financial Services Committee is slated to hold a hearing this Friday on the impact of cyber heists against small- to mid-sized businesses. It’s too bad the committee has already finalized its witness list: It likely would be shocked to hear the story of Tennessee Electric Company Inc., a firm that lost $328,000 earlier this month in an account takeover that defeated multiple security measures commonly used by commercial banks to stop cyber thieves.
Executives at the Kingsport, Tenn.-based construction and maintenance contractor thought that the security procedures employed by their bank — one-time tokens and verbal approval for all transactions — would deter attackers. But they recently discovered how deftly today’s e-thieves can bypass such defenses.
The attack began sometime before May 9, when thieves stole the online banking credentials for Tennessee Electric, presumably with some type of malicious software such as the ZeuS Trojan. That morning, the company’s controller Jenni Smith logged into the firm’s account at the Web site of Tri-Summit Bank, entering her password and a one-time password generated by a key fob supplied by the bank. After Smith entered the information, however, her browser was redirected to a Web page stating that the bank’s site was down for maintenance and would be offline for about an hour.
But the thieves lurking on Smith’s PC intercepted that one-time password, used her connection to log on to the bank’s site, and redirected her browser to the fake maintenance page. Meanwhile, the attackers used that browser session to put through a batch of fraudulent payroll payments to at least 50 “money mules,” willing or unwitting individuals scattered throughout the United States who were recruited to help the crooks funnel the funds out of the country.