Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.
Last Friday, The Wenatchee World broke the news of the heist, which struck Chelan County Public Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.
On Wednesday of last week, I began alerting the hospital that it had apparently been breached. Neither the hospital nor the staff at Cascade Medical returned repeated calls. I reached out to the two entities because I’d spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $14,000 siphoned from the hospital’s accounts.
Jesus Contreras, a 31-year-old from San Bernardino, Calif., had been out of work for more than two months when he received an email from a company calling itself Best Inc. and supposedly located in Melbourne, Australia. Best Inc. presented itself as a software development firm, and told Contreras it’d found his resume on Careerbuilders.com. Contreras said the firm told him that he’d qualified for a work-at-home job that involved forwarding payments to software developers who worked for the company’s overseas partners.
Could he start right away? All he needed was a home computer. He could keep eight percent of any transfers he made on behalf of the company. Contreras said he was desperate to find work since he got laid off in February from his previous job, which was doing inventory for an airplane parts company.
His boss at Best Inc., a woman with a European accent who went by the name Erin Foster, called Contreras and conducted a phone interview in which she asked about his prior experience and work-life balance expectations. In short order, he was hired. His first assignment: To produce a report on the commercial real estate market in Southern California. Contreras said Ms. Foster told him that their employer was thinking of opening up an office in the area.
On Monday, Apr. 22 — shortly after he turned in his research assignment — Contreras received his first (and last) task from his employer: Take the $9,180 just deposited into his account and send nearly equal parts via Western Union and Moneygram to four individuals, two who were located in Russia and the other pair in Ukraine. After the wire fees — which were to come out of his commission — Contreras said he had about $100 left over.
“I’m asking myself how I fell for this because the money seemed too good to be true,” Contreras said. “But we’ve got bills piling up, and my dad has hospital bills. I didn’t have much money in my account, so I figured what did I have to lose? I had no idea I would be a part of something like this.”
A small, but significant part, as it happens. Contreras never got to use any of his meager earnings: His financial institution, Bank of America, froze his account and seized what little funds he had in it.
Meanwhile, the Chelan County treasurer’s office is struggling to claw back the fraudulent transfers. According to press reports, roughly $133,000 of the lost funds have been recovered so far, and it may take at least 30 days to learn how much was actually lost.
Some observations about this crime:
-The loss could have been far worse. The Chelan County bank accounts that were hacked are also used to administer 54 other junior taxing districts in the county. My guess is this attack would have been worse, but that the fraudsters simply exhausted their supply of money mules.
-Just as real-life bank robbers are restricted in what they can steal by the amount of loot that they can physically haul away from the scene of the crime, the crooks behind these cyberheists are limited in how much they can steal to how many money mules they can recruit to help launder the fraudulent transfers. That’s because unless the mules have access to business accounts that can receive and forward much larger wire transfers, the amounts sent to mules typically range from just below $5,000 to slightly less than $10,000. Edwin Walker of Alpharetta, Ga. – another mule who unwittingly helped launder money for Best Inc. — received and processed a $4,970 transfer on April 20. And while available mules may be a bottleneck for this type of crime, this group appears to have a well-oiled mule-recruitment machine going 24/7.
-Mr. Contreras’ erstwhile employer, Best Inc., is part of a transnational organized cybercriminal gang operating in Russia and Ukraine. Its distinguishing feature is that it operates its own money mule recruitment division. This eliminates the middle man and increases the gang’s overall haul from any cyberheist. “Cashing out” hacked accounts is a complex, time-consuming process that is normally contracted out to third party criminal operations, which can take anywhere from 40-60 percent of the haul for their trouble.
-This gang uses several telltale signatures in its operations, and has been hitting small to mid-sized organizations for the past five years at least. They’ve stolen many, many times more than the millions taken from Chelan County, from hundreds of victim organizations. In fact, this gang appears to have been involved in nearly every cyberheist I have written about for the past four years.
-Mr. Contreras is something of an oddity: a West Coast money mule. The mule recruitment gangs generally prefer to hire mules on the East Coast or in the Midwest. That’s because victim banks and businesses in those regions open several hours before banks on the West Coast, which makes West Coast mules less useful for cashing out accounts quickly. Time is money in this business: the more time that elapses before the mules can withdraw and move the stolen funds, the more likely the victim and its bank will be able to claw back the fraudulent transfers.
-The reporting so far includes no information about the victim’s bank, or what kinds of security procedures they may have required of Chelan County for moving large sums of money. But my guess is it was a small to regional bank, and there were few security hurdles for the bad guys to overcome, aside from maybe a one-time token and a password. But that is just speculation based on lots of experience reporting on these crimes.
Broken record alert: If you are running a small business and managing your accounts online, you’d be wise to expect a similar attack on your own accounts and prepare accordingly. That means taking your business to a bank that offers more than just usernames, passwords and tokens for security. Shop around for a bank that lets you secure your transfers with some sort of out-of-band authentication (a text message sent to a mobile device, for example). These security methods can be defeated of course, but they present an extra hurdle for the bad guys, who probably are more likely to go after the lower-hanging fruit at thousands of other financial institutions that don’t offer more modern security approaches.
But if you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.
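The controls recommended above (dual sign-off on large transfers, out-of-band confirmation, and keeping a close eye on the books) can be expressed as a release policy that a treasury or payroll system applies to an outgoing batch before anything leaves the account. The following is an added Python example written for this post; it is not code from any bank, from Chelan County, or from the original article. The threshold values, the beneficiary account numbers and the sample batch are constructed assumptions. The batch-level check goes slightly beyond the text: it also flags a payroll run in which an unusual share of the beneficiaries have never been paid before, which is the pattern a heist that scatters funds across dozens of freshly recruited mule accounts produces.

```python
"""Transfer-release policy check: dual control, out-of-band confirmation,
and new-beneficiary screening for an outgoing payment batch.

Added example with constructed data; thresholds and accounts are assumptions,
not values from any real bank or from the Chelan County incident.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed policy values (constructed for this example).
LARGE_TRANSFER_THRESHOLD = 5_000.00   # amounts at or above this need dual control
NEW_PAYEE_RATIO_ALERT = 0.25          # batch alert if more than 25% of payees are unseen


@dataclass
class Transfer:
    transfer_id: str
    beneficiary_account: str
    amount: float
    approvers: Set[str] = field(default_factory=set)  # distinct approving user ids
    oob_confirmed: bool = False   # confirmation received on a second channel (e.g. SMS)


def evaluate_transfer(t: Transfer, known_payees: Set[str],
                      threshold: float = LARGE_TRANSFER_THRESHOLD) -> List[str]:
    """Return the list of policy violations for one transfer; empty means release."""
    reasons: List[str] = []
    if t.amount >= threshold:
        # Two *distinct* approvers are required. The same login approving twice
        # does not count, otherwise a single stolen credential would suffice.
        if len(t.approvers) < 2:
            reasons.append("dual approval required for large transfer")
        if not t.oob_confirmed:
            reasons.append("out-of-band confirmation missing")
    if t.beneficiary_account not in known_payees:
        reasons.append("beneficiary never paid before")
    return reasons


def review_batch(batch: List[Transfer], known_payees: Set[str],
                 new_payee_ratio: float = NEW_PAYEE_RATIO_ALERT) -> Dict[str, object]:
    """Apply the per-transfer checks, then a batch-level new-payee alert."""
    held: Dict[str, List[str]] = {}
    released: List[str] = []
    for t in batch:
        reasons = evaluate_transfer(t, known_payees)
        if reasons:
            held[t.transfer_id] = reasons
        else:
            released.append(t.transfer_id)
    unseen = sum(1 for t in batch if t.beneficiary_account not in known_payees)
    alerts: List[str] = []
    if batch and unseen / len(batch) > new_payee_ratio:
        alerts.append(f"{unseen} of {len(batch)} payees are new to this account")
    return {"held": held, "released": released, "batch_alerts": alerts}


# Constructed sample: two routine payroll items to accounts paid every cycle,
# plus three mule-sized items going to accounts this payer has never used.
KNOWN_PAYEES = {"ACCT-1001", "ACCT-1002", "ACCT-1003"}

SAMPLE_BATCH = [
    Transfer("T1", "ACCT-1001", 2_300.00, {"payroll_clerk"}, False),
    Transfer("T2", "ACCT-1002", 2_450.00, {"payroll_clerk"}, False),
    Transfer("T3", "ACCT-7781", 9_180.00, {"payroll_clerk"}, False),
    # Just under the dual-control threshold: only the new-payee check catches it.
    Transfer("T4", "ACCT-7782", 4_970.00, {"payroll_clerk"}, False),
    # Same user "approving" twice collapses to one distinct approver.
    Transfer("T5", "ACCT-7783", 9_600.00, {"payroll_clerk", "payroll_clerk"}, True),
]

if __name__ == "__main__":
    result = review_batch(SAMPLE_BATCH, KNOWN_PAYEES)
    print("released:", result["released"])
    for tid, reasons in result["held"].items():
        print(f"held {tid}: {'; '.join(reasons)}")
    for alert in result["batch_alerts"]:
        print("batch alert:", alert)
```

Running it releases T1 and T2 and holds the other three; T4 is held only because its beneficiary is new, which is why the new-payee check matters for amounts deliberately kept just under the threshold. The batch-level alert fires because three of five payees are unseen. In a real deployment the second approver should authenticate from a different session and device than the initiator, since the point of the control is that one compromised workstation or credential cannot satisfy it alone.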