
  • Target: Small Businesses


14 May 12

    Global Payments Breach Fueled Prepaid Card Fraud

    Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud.

    At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer.

    That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc.

    According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

    “Higgins said, ‘You have a problem,’” Fuller recalled, of a phone conversation the bank had with Higgins in early March. “He said he had a slew of these people going through their Vons and Safeway stores exchanging cards. He had them on surveillance tape, knew where they were from and everything.”



13 Apr 12

    Thieves Replacing Money Mules With Prepaid Cards?

    Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Mules traditionally have played a key role in helping thieves cash out hacked accounts and launder money. They are recruited through email-based work-at-home job scams, and are told they will be helping companies process payments. In a typical scheme, the mule provides her banking details to the recruiter, who eventually sends a fraudulent transfer and tells the mule to withdraw the funds in cash, keep a small percentage, and wire the remainder to co-conspirators abroad.

    Some of the mule gangs I've identified.

But mules are hardly the most expedient method of extracting funds. To avoid arousing suspicion (and triggering anti-money laundering reporting requirements by the banks), cyber crooks usually send less than $10,000 to each mule. In other words, for every $100,000 that the thieves want to steal, they need to have at least 10 money mules at the ready.

    In reality, though, that number is quite often closer to 15 mules per $100,000. That’s because the thieves may send much lower amounts to mules that bank at institutions which have low transfer limit triggers. For instance, they almost always limit transfers to less than $5,000 when dealing with Bank of America mules, because they know transfers for more than that amount to consumer accounts will raise fraud flags at BofA.

Thus, the average mule is worth up to $10,000 to a cybercrook. Unsurprisingly, there is much competition and demand for available money mules in the cybercriminal underground. I’ve identified close to two dozen distinct money mule recruitment networks, most of which demand between 40-50 percent of the fraudulent transfer amounts for their trouble. Not only are mules expensive to acquire, they often take weeks to groom before they’re trusted with transfers.

    But these mules also come with their own, well, baggage. I’ve interviewed now more than 200 money mules, and it’s hard to escape the conclusion that many mules simply are not the sharpest crayons in the box. They often have trouble following simple instructions, and frequently screw up important details when it comes time to cash out (there are probably good reasons that a lot of these folks are unemployed). Common goofs include transposing digits in account and routing numbers, or failing to get to the bank to withdraw the cash shortly after the fraudulent transfer, giving the victim’s bank precious time to reverse the transaction. In isolated cases, the mules simply disappear with the money and stiff the cyber thieves.

    In several recent ebanking heists, however, thieves appear to have sent at least half of the transfers to prepaid cards, potentially sidestepping the expense and hassle of hiring and using money mules. For example, last month cyber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.

    Prepaid cards are ideal because they can be purchased anonymously for small amounts ($25-$100 values) from supermarkets and other stores. A majority of these low-value cards are not reloadable, unless the cardholder goes online and provides identity information that the prepaid card issuer can tie to a legitimate credit holder. After that card is activated, it can be reloaded remotely by transferring or depositing funds into the account, and it can be used like a debit, ATM or credit card.

    “The information we gather in opening it is the same information you’d be asked if you were opening a credit card account online,” said Brad Hanson, president of Metabank’s payment systems division. “We do checks against different public resources like Experian and LexisNexis to verify that all the information matches and is accurate, and that we have a reasonable belief that you are the person applying for the card.”

    The trouble is, the thieves pulling these ebanking heists have access to massive amounts of stolen data that can be used to fraudulently open up prepaid cards in the names of people whose identities and computers have already been hijacked. Once those cards are approved, the crooks can simply transfer funds to them from cyberheist victims, and extract the cash at ATMs. Alternatively, wire transfer locations like Western Union even allow senders to use their debit cards to execute a “debit spend,” thereby sending money overseas directly from the card.



13 Mar 12

    Hacked Inboxes Lead to Bank Fraud

    Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.

    Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.

    The attackers then crafted the following email, sending it to personnel at each victim’s respective local WNB bank branch.

    Good Morning,

    Can you please update me with the the available balance in my account and also the information needed to  complete an outgoing wire transfer for me today,i am on my way to my nephew funeral service but i will check my mail often for your response.

    Thanks.

    Wade Kuehler, an executive vice president at WNB, said bank personnel followed up on two of the requests, ignoring the request not to contact the customer via phone. In both cases, the customers were grateful for the contact, saying they had not sent such a request.

    But the thieves struck paydirt with the third attempt, when a sympathetic associate at the bank responded to the message with the requested balance information. The follow-up email from the thieves included instructions to wire money to an account at another bank, and the assistant helpfully processed the transfer.



30 Nov 11

    DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists

    The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists.

    The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called “Gameover.” The rash of thefts come after a series of heavy spam campaigns aimed at deploying the malware, which arrives disguised as an email from the National Automated Clearing House Association (NACHA), a not-for-profit group that develops operating rules for organizations that handle electronic payments. The ZeuS variant steals passwords and gives attackers direct access to the victim’s PC and network.

    In several recent attacks, as soon as thieves wired money out of a victim organization’s account, the victim’s public-facing Internet address was targeted by a network attack, leaving employees at the organization unable to browse the Web.

    A few of the attacks have included an odd twist that appears to indicate the perpetrators are using money mules in the United States for at least a portion of the heists. According to an FBI advisory, some of the unauthorized wire transfers from victim organizations have been transmitted directly to high-end jewelry stores, “wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).”

    The advisory continues:

    “Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as ‘pending’ and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.”

    The attackers also have sought to take out the Web sites of victim banks. Jose Nazario, manager of security research at Arbor Networks, a company that specializes in helping organizations weather large cyber attacks, said that although many of the bank sites hit belong to small to mid-sized financial institutions, the thieves also have taken out some of the larger banks in the course of recent e-heists.

    “It’s a disturbing trend,” Nazario said.

    Nazario said the handful of attacks he’s aware of in the past two weeks have involved distributed denial-of-service (DDoS) assaults launched with the help of “Dirt Jumper” or “Russkill” botnets. Dirt Jumper is a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground, and is made to be surreptitiously installed on hacked PCs. The code makes it easy for the botnet owner to use those infected systems to overwhelm targeted sites with junk traffic (KrebsOnSecurity.com was the victim of a Dirt Jumper botnet attack earlier this month).

    Security experts aren’t certain about the strategy behind the DDoS attacks, which are noisy and noticeable to both victims and their banks. One theory is that the perpetrators are hoping the outages will distract the banks and victims.

    “The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found),” the FBI said.



14 Nov 11

    Title Firm Sues Bank Over $207k Cyberheist

    A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.

    Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.

The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes before the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.

When Aurora visited the bank’s local Chase branch to get assistance, she was told she needed to deal with the bank’s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1.

    Capital One declined to comment for this story, citing the ongoing litigation.

    Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.



4 Oct 11

    ZeuS Trojan Gang Faces Justice

Authorities in the United Kingdom have convicted the 13th and final defendant from a group arrested last year and accused of running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the ZeuS banking Trojan. The news comes days after U.S. authorities announced the guilty plea of the 27th and final individual arrested last year in New York in a related international money-laundering scheme.

    Yevhen Kulibaba

According to the Metropolitan Police, the U.K. courts have convicted 13 members of the gang, including four who were profiled last year by KrebsOnSecurity shortly after their initial arrest and charging. The gang is thought to have used the ZeuS Trojan to steal nearly £3 million (USD $4.6M) from banks in the U.K. They are believed to be responsible for aiding in the theft of at least USD $3 million from U.S. banks and businesses in the past two years.

    Karina Kostromina

    Among those convicted were the husband-and-wife ringleaders of the gang, 33-year-old Ukrainian property developer Yevhen Kulibaba, and his wife, Karina Kostromina, 34. According to British prosecutors, the two lived a “jet set” lifestyle and spent money on holidays, cars and property. Kostromina was cleared of conspiracy charges but convicted of money laundering, and sentenced this week to two years in prison. Kulibaba is awaiting sentencing on charges of conspiracy to defraud.



3 Oct 11

    Monster Spam Campaigns Lead to Cyberheists

    Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small to medium sized organizations took the bait.

    These fake NACHA lures were mailed the week of Sept. 19, even though the sent date on the message says Aug. 3. Source: Commtouch.

Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

    Using NACHA’s name as bait is doubly insulting because victims soon find new employees — money mules — added to their payroll. After adding the mules, the thieves use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds (minus a commission) overseas.

    On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama. John Ziak, director of information technology at the center, said he suspects the organization’s accounting firm was the apparent source of the compromise. That means other clients may also have been victimized. He declined to name the accounting firm.



29 Aug 11

    Experienced Money Mule, Will Travel

    I’ve written a great deal about “money mules,” people looking for part-time employment who unwittingly or willingly help organized cyber thieves launder stolen funds. The most common question I get about money mules is: “Do any of them ever get prosecuted?” The answer is generally “no” because it’s hard to prove that these mules weren’t scammed. But recently, I encountered a mule who made it abundantly clear that he understood exactly what he was doing.

    A complicit mule negotiating a new deal.

    In June 2011, I was investigating an online banking heist against a company called Jackson Properties. Thieves had broken into Jackson’s computers and stolen the firm’s online banking credentials. They added a half dozen money mules to the company’s payroll account, using mules they’d acquired from a gang I call the Back Office group. This mule gang uses multiple bogus corporate names, and the Back Office front company that supplied the mules in this attack was called AMR Company.

Reginald, a 45-year-old Texas resident, was among the mules hired by AMR Company. Reggie communicated with the mule recruiters by logging into a Web site set up by the fake company, and checking for new messages. A source who had figured out how to view the administrator’s account (and hence, all messages on the server) sent me some choice screenshots from several mule communications.

    On June 7, the mule recruiters sent Reginald a transfer of $4,910, claiming that Jackson Properties was its client. Reginald was to withdraw the money in cash and wire it overseas, minus a small commission. The payment never landed in his account; it was blocked when Jackson detected the fraudulent transactions and worked with its bank to get them reversed.

    But that apparently did not deter our Reginald, who told his recruiter and manager at AMR Company that he understood the whole thing was a scam, and that he had done this sort of thing before. He said he was ready and willing to open additional bank accounts to help with future fraud schemes.

    On June 8, Reggie signed into his account at AMR Company and wrote the following to Sarah, his erstwhile boss:

    “Let me say from the start. I knew what this was about. I’ve had success working with others like yourself in the past, especially comrades from Russia. I know this game well. If you want to have an ally in the US, I’m your guy. I have more accounts. I’d like us to try again, with another account…Listen Sarah, I am all for making some money. I couldn’t care less about our banking system, anything we can get out [sic] it. Lets [sic] do it. I cant do this without you. I can open up accounts in different names, that’s easy for me. But I have no way of funding them like you do. Think it over and see if there’s a way we can make some money. Even if we only succeed one time…we will still succeeded. I have another account ready to go. Respond to me and I will send you the name, routing, account num, etc.”



16 Aug 11

    eThieves Steal $217k from Arena Firm

    Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

    Lea French, MECA’s chief financial officer, said the trouble began when an employee with access to the organization’s online accounts opened a booby-trapped email attachment containing password-stealing malware.

    The attackers used MECA’s online banking credentials to add at least six people to the payroll who had no prior business with the organization. Those individuals, known as “money mules,” received fraudulent transfers from MECA’s bank account and willingly or unwittingly helped the fraudsters launder the money.

    French said the attackers appeared to be familiar with the payroll system, and wasted no time setting up a batch of fraudulent transfers.

    “They knew exactly what they were doing, knew how to create a batch, enter it in, release it,” she said. “They appear to be very good at what they do.”

    Prior to the heist, MECA refused many of the security options offered by its financial institution, First National Bank of Omaha, including a requirement that two employees sign off on every transfer.

    “We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us,” French said. “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”

    MECA was able to reverse an unauthorized wire transfer for $147,000 that was destined for a company called Utopia Funding U.S.A. The organization was not as lucky with the remaining transfers.

    The funds stolen from MECA were sent to money mules recruited through fraudulent work-at-home job offers from a mule recruitment gang that I call the “Back Office Group.” This gang is one of several money mule recruitment outfits, and they appear to be among the most active. Like many other mule gangs, they tend to re-use the same format and content for their Web sites, but change their company names whenever the major search engines start to index them with enough negative comments to make mule recruitment difficult.

    The mules used in the MECA heist were recruited through a Back Office Group front company named AV Company. Mules were told they were helping the company’s overseas software engineers get paid for the work they were doing for American companies. In reality, the mules were being sent payments to transfer that were drawn on hacked accounts from victims like MECA.

    More than $9,000 of MECA’s money was sent to Erik Rhoden, a resident of Fleming Island, Fla. Rhoden was recruited in June by the Back Office Group. Rhoden successfully transferred the funds to three individuals in Eastern Europe, but says he didn’t profit from the work. His story matches that of other mules recently recruited by Back Office, and indicates a devious shift in tactics which ensures that mules never receive a payment for their work.



8 Aug 11

    Judge Nixes Patco’s eBanking Fraud Case

    A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.

    Sanford, Maine based Patco Construction sued Ocean Bank in 2009, alleging poor security after a $588,000 cyber heist. Patco sued to recover its losses, arguing in part that the bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.

On Thursday, the judge presiding over the lawsuit affirmed that recommended decision (PDF), ruling that no further proceedings were necessary. Patco’s attorney Dan Mitchell said the company has 30 days to file an appeal, but that it hasn’t yet decided whether to challenge the decision.