The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists.

The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called “Gameover.” The rash of thefts come after a series of heavy spam campaigns aimed at deploying the malware, which arrives disguised as an email from the National Automated Clearing House Association (NACHA), a not-for-profit group that develops operating rules for organizations that handle electronic payments. The ZeuS variant steals passwords and gives attackers direct access to the victim’s PC and network.

In several recent attacks, as soon as thieves wired money out of a victim organization’s account, the victim’s public-facing Internet address was targeted by a network attack, leaving employees at the organization unable to browse the Web.

A few of the attacks have included an odd twist that appears to indicate the perpetrators are using money mules in the United States for at least a portion of the heists. According to an FBI advisory, some of the unauthorized wire transfers from victim organizations have been transmitted directly to high-end jewelry stores, “wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).”

The advisory continues:

“Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as ‘pending’ and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.”

The attackers also have sought to take out the Web sites of victim banks. Jose Nazario, manager of security research at Arbor Networks, a company that specializes in helping organizations weather large cyber attacks, said that although many of the bank sites hit belong to small to mid-sized financial institutions, the thieves also have taken out some of the larger banks in the course of recent e-heists.

“It’s a disturbing trend,” Nazario said.

Nazario said the handful of attacks he’s aware of in the past two weeks have involved distributed denial-of-service (DDoS) assaults launched with the help of “Dirt Jumper” or “Russkill” botnets. Dirt Jumper is a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground, and is made to be surreptitiously installed on hacked PCs. The code makes it easy for the botnet owner to use those infected systems to overwhelm targeted sites with junk traffic (KrebsOnSecurity.com was the victim of a Dirt Jumper botnet attack earlier this month).

Security experts aren’t certain about the strategy behind the DDoS attacks, which are noisy and noticeable to both victims and their banks. One theory is that the perpetrators are hoping the outages will distract the banks and victims.

“The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found),” the FBI said.

That strategy seemed to have worked well against Sony, which focused on weathering a DDoS attack from Anonymous while information on more than 100 million customers was being siphoned by hackers.

“In the chaos of a DDoS, typically network administrators are so busy trying to keep the network up that they miss the real attack,” said Jose Enrique Hernandez, a security expert at Prolexic, a Hollywood, Fla. based DDoS mitigation company. “It’s a basic diversion technique.”

Another theory about the DDoS-enhanced heists holds that the thieves are trying to prevent victim organizations from being able to access their accounts online. One crime gang responsible for a large number of cyber heists against small to mid-sized U.S. businesses frequently invoked the “kill operating system” command built into the ZeuS Trojan after robbing victims.

Organizations that bank online should understand that they are liable for any losses stemming from cyber fraud. I have consistently advised small to mid-sized entities to consider using a dedicated computer for online banking — one that is not used for everyday Web surfing — and preferably a non-Windows system, or a “live CD” distribution.

A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.

Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.

The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes prior to the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.

When Aurora visited the bank local Chase branch to get assistance, she was told she needed to deal with the bank’s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1.

Capital One declined to comment for this story, citing the ongoing litigation.

Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.

“By operating a single factor identification online banking system, Capital One lefts its customers open to identity theft and failed to take sufficient safeguards to prevent unauthorized access to its client’s online banking accounts, including the ability to send wire transfers,” the company charged in its complaint.

Global Title also alleges that Capital One should have known that the transfers were fraudulent and unauthorized.

“Capital One was put on notice through Ms. Aurora’s phone call at 2:09 on June 1, 2010, and on subsequent calls that same day, that Global Title had no access to its online banking system,” the complaint states. “Accordingly, Capital One knew or should have known that any wire transfer that afternoon would be unauthorized.”

BUSY, BUSY MULES

Dorin Codreanu

Some of the fraudulent activity was tied to money mule activity that was busted up by federal prosecutors last year. Two wires totaling more than $234,000 were sent to Key Marius Import LLC, a company flagged by federal investigators as a fraudulent front for organized cyber thieves.  In November 2010, Wisconsin police arrested two men who were wanted as part of a crackdown in late Sept. 2010 on so-called “J1″ money mules who were in the United States on work/travel visas. According to an FBI press release from last fall, Key Marius and the commercial bank account attached to it were set up by one of those men, Dorin Codreanu, a Moldovan who pleaded guilty to conspiracy charges earlier this year.

Codreanu was sentenced to three years in prison, and ordered to pay restitution of more than $110,000 to his victims. The court judgment against him (PDF) states that the company Codreanu was ordered to pay restitution was not Global Title but a Dinkels Bakery; the remainder of the $110,000 restitution was to be paid to court services, Level One Bank and JP Morgan Chase.

Other companies that received large wire transfers may also have been fronts set up in advance of the attack. Key Marius Import LLC was established in April 2010, as were; Alvarez Here and Now, Inc. of Ontario, Calif, which received a fraudulent wire of $39,560 on June 2; Sharp and Bright Designs Inc. of Simi Valley, Calif., which was sent a bogus wire of $19,583 from Global Title on June 2; PWD Properties, incorporated in late January 2010 in Wilmington, Del., was sent a fraudulent wire of $28,582 on June 2.

Capital One was able to reverse all but the first three fraudulent wires ($119,500 to Key Marius, $39,560 to Alvarez Here and Now, and $48,698 to a Dwaine Peterson), leaving Global Title with a $207,758 loss. As a result, it was forced to take out a loan to make the required cash distributions from the firm’s escrow account.

UNCERTAIN LEGAL GROUND

Banks in the United States are supposed to adhere to online banking authentication guidance issued in 2005 by regulators at the Federal Financial Institutions Examination Council (FFIEC), but many institutions have been slow to comply with the guidelines.

Several victims of corporate account takeovers have sued their banks, claiming similar negligence, but with mixed results. In June 2011, a Michigan court held Comerica Bank liable for more than half a million dollars stolen in a 2009 cyber heist. Two months later, a district court judge in Maine ruled that banks which protect accounts with little more than passwords and secret questions are in compliance with the FFIEC’s security guidance.

Faced with an explosion of corporate account takeovers in the past two years, the FFIEC recently updated its guidance, which calls for “layered security programs” to deal with riskier commercial banking transactions, including methods for detecting transaction anomalies, the use of out-of-band verification, and enhanced customer awareness campaigns. Those requirements, which will inform the activities of bank security examiners, are set to take effect on Jan. 1, 2012.

Avivah Litan, a fraud analyst with Gartner Inc., said many banks are still out of compliance with the FFIEC’s older guidance.

“The new guidance isn’t that radical, and it basically re-affirms the previous guidelines and clarifies some points,” Litan said. “This case sounds like a clear violation of the FFIEC guidance, which says put controls in place that are commensurate with the risk, and many banks still aren’t doing that.”

Global Title is asking the court for a $500,000 judgment, plus pre- and post-judgment interest and attorney’s fees. Their legal challenged has cleared its first major set of procedural hurdles, and unless both parties settle before then, the case is scheduled to go to trial on April 10, 2012.

A copy of the company’s complaint is available here (PDF).

Update, 12:36 p.m. ET: Fixed the link to Global Title’s complaint filing.

Update, Nov. 15, 4:53 p.m. ET: Capital One provided the following statement in response to this article:

“Capital One’s authentication controls protecting our commercial platforms are compliant with the federal multifactor authentication guidance. These controls are the subject of annual risk assessments to ensure they remain appropriate in light of the threat environment. In the funds transfer realm, among the controls utilized are hard tokens and out-of-band confirmation of payment instructions.

As part of our broader security measures, Capital One provides security – and safe computing – related ‘best practice’ tips and recommendations to let our small business and commercial clients know what they can do to protect themselves and reduce their fraud risk.”

Authorities in the United Kingdom have convicted the 13th and final defendant from a group arrested last year and accused of running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the help of the ZeuS banking Trojan. The news comes days after U.S. authorities announced the guilty plea of the 27th and final individual arrested last year in New York in a related international money-laundering scheme.

Yevhen Kulibaba

According to the Metropolitan Police, the U.K. courts have convicted 13 members of the gang, including four who were profiled last year by KrebsOnSecurity shortly after their initial arrest and charging. The gang is thought to have used the ZeuS Trojan to steal nearly £3 million (USD $4.6M) from banks in the U.K.. They are believed to be responsible for aiding in the theft of at least USD $3 million from U.S. banks and businesses in the past two years.

Karina Kostromina

Among those convicted were the husband-and-wife ringleaders of the gang, 33-year-old Ukrainian property developer Yevhen Kulibaba, and his wife, Karina Kostromina, 34. According to British prosecutors, the two lived a “jet set” lifestyle and spent money on holidays, cars and property. Kostromina was cleared of conspiracy charges but convicted of money laundering, and sentenced this week to two years in prison. Kulibaba is awaiting sentencing on charges of conspiracy to defraud.

Yuriy Konovalenko

An individual described as Kulibaba’s right-hand man — 29-year-old Yuriy Konovalenko, aka “Pavel Klikov” — is due to be sentenced, also for conspiracy. Valerij Milka, a 30-year-old Ukrainian whom U.K. police say was a building laborer and fourth member of the conspiracy, was jailed for three years after admitting his role.

Milka "Valera" Valerij

News of the convictions in the United Kingdom comes days after authorities in the United States announced the guilty plea of the 27th and final individual arrested last year in New York as part of a major law enforcement sweep against Russian and Eastern European exchange students-turned-money mules. U.S. prosecutors have charged a total of 37 Russian and Eastern European students in connection with last year’s law enforcement sweep; According to the FBI, two defendants have entered into deferred prosecution agreements, and eight defendants are fugitives and are being sought in the United States and abroad.

It should be noted that these individuals were only a small part of a much larger fraud ring. According to sources close to the investigation, the true masterminds of these ZeuS-powered bank heists reside in Donetsk, Ukraine, and have yet to be charged with any crime. Authorities in Ukraine this time last year detained five individuals identified by the FBI and other national law enforcement authorities as the “coders and exploiters” in the fraud operation, but the men were released and have not been charged with a crime.

Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small to medium sized organizations took the bait.

These fake NACHA lures were mailed the week of Sept. 19, even though the sent date on the message says Aug. 3. Source: Commtouch.

Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” — malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

Using NACHA’s name as bait is doubly insulting because victims soon find new employees — money mules — added to their payroll. After adding the mules, the thieves use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds (minus a commission) overseas.

On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama. John Ziak, director of information technology at the center, said he suspects the organization’s accounting firm was the apparent source of the compromise. That means other clients may also have been victimized. He declined to name the accounting firm.

Ziak said the bank was able to block some of the fraudulent transfers, but that it was too soon to say how much the thieves got away with. But the center may have better leverage than most victims in convincing the bank to accommodate them: Many of its doctors are on the board of directors of the organization’s bank.

“We still don’t know how much is going to be coming back,” Ziak said. “We can chalk it up to lessons learned, but we’re going to be making some changes with the bank…forcing them to implement a higher level of security for our account.”

Last month, computer crooks also robbed the North Putnam Community School Corporation, which serves the children of six northern townships of Putnam County, Indiana.

Mary Sugg Lovejoy, superintendent of the K-12 school system, said thieves stole about $98,000 from school coffers, sending the money to numerous individuals who had no prior business with the school district. Fortunately for North Putnam, all of the fraudulent transfers were returned shortly after the attack, Lovejoy said.

In a separate attack on a public institution, malicious hackers last month struck the City of Oakdale, Calif., according to a story in the Modesto Bee. High-tech criminals stole $118,000 from a city bank account, the publication reported last week. Oakdale city officials are confident that its insurance carrier would reimburse the loss, minus a $2,500 deductible.

But that story ended on a sour note. The reporter quoted officials from the city’s bank, Oak Valley Community Bank, wrongly laying blame for the incident on a lack of technology and security.

“It’s the same story we hear from a lot of institutions,” Oak Valley President Chris Courtney said. “It’s about safekeeping the information on your computers, scanning for viruses and having a state-of-the-art security system.”

Blocking these attacks has little to do with state-of-the-art computer systems or scanning files with anti-virus. It’s not clear what malware family was used in any of these attacks, although the first two mentioned in this story involved a cyber gang that favors the ZeuS Trojan (the fraudulent NACHA messages in the screen shot above contained a malware dropper that installs ZeuS). But organizations should understand that these attacks have far more to do with social engineering and tricking humans than with defeating technology and security solutions.

As I’ve noted in past stories, all of the victims I’ve interviewed were running anti-virus software: Very few of them had protection against the malware used in the attack until after their money was stolen.

Most commercial banks have significant room for improvement in securing the transaction and authentication space for their customers. But businesses that rely on their financial institutions to detect fraudulent activity are setting themselves up for an expensive lesson.

No single approach or technology will stop all of these account takeovers, but preventing the theft of your online banking credentials is a critical first step. That’s why I continue to advise that small- to mid-sized organizations use a dedicated computer for online banking. Using a non-Windows PC — such as a Live CD or a Mac — is the safest approach, but not necessarily the most practical or affordable. An alternate approach is to access bank accounts from an isolated PC that is locked-down, regularly updated, and used for no other purpose than online banking.

Zeustracker.abuse.ch tracks antivirus detection rates for new variants of the ZeuS Trojan. The average detection rate is about 38 percent.

I’ve written a great deal about “money mules,” people looking for part-time employment who unwittingly or willingly help organized cyber thieves launder stolen funds. The most common question I get about money mules is: “Do any of them ever get prosecuted?” The answer is generally “no” because it’s hard to prove that these mules weren’t scammed. But recently, I encountered a mule who made it abundantly clear that he understood exactly what he was doing.

A complicit mule negotiating a new deal.

In June 2011, I was investigating an online banking heist against a company called Jackson Properties. Thieves had broken into Jackson’s computers and stolen the firm’s online banking credentials. They added a half dozen money mules to the company’s payroll account, using mules they’d acquired from a gang I call the Back Office group. This mule gang uses multiple bogus corporate names, and the Back Office front company that supplied the mules in this attack was called AMR Company.

Reginald, a 45-year-0ld Texas resident, was among the mules hired by AMR Company. Reggie communicated with the mule recruiters by logging into a Web site set up by the fake company, and checking for new messages. A source who had figured out how to view the administrator’s account (and hence, all messages on the server) sent me some choice screenshots from several mule communications.

On June 7, the mule recruiters sent Reginald a transfer of $4,910, claiming that Jackson Properties was its client. Reginald was to withdraw the money in cash and wire it overseas, minus a small commission. The payment never landed in his account; it was blocked when Jackson detected the fraudulent transactions and worked with its bank to get them reversed.

But that apparently did not deter our Reginald, who told his recruiter and manager at AMR Company that he understood the whole thing was a scam, and that he had done this sort of thing before. He said he was ready and willing to open additional bank accounts to help with future fraud schemes.

On June 8, Reggie signed into his account at AMR Company and wrote the following to Sarah, his erstwhile boss:

“Let me say from the start. I knew what this was about. I’ve had success working with others like yourself in the past, especially comrades from Russia. I know this game well. If you want to have an ally in the US, I’m your guy. I have more accounts. I’d like us to try again, with another account…Listen Sarah, I am all for making some money. I couldn’t care less about our banking system, anything we can get out [sic] it. Lets [sic] do it. I cant do this without you. I can open up accounts in different names, that’s easy for me. But I have no way of funding them like you do. Think it over and see if there’s a way we can make some money. Even if we only succeed one time…we will still succeeded. I have another account ready to go. Respond to me and I will send you the name, routing, account num, etc.”

The eager mule ended his proposal with a startling declaration:

“Have a great day, Sarah, and thanks for trying. I assure you the only victim on my side will be the banks. I can easily set up active checking or savings with info I have.”

Sarah wrote back that she was interested in his idea:

“Dear Reginald,

We are interested in your offer if you can set up different accounts. What percentage would you like to get for you part of the job We can not offer you a fixed price.”

Reginald replied:

“I think 40 percent is fair. That’s what the Russians give me.”

Apparently, Reggie’s percentage was too high; he never heard from Sarah again, even after he offered to lower his cut to 30 percent of future fraudulent transfers.

I could not reach Reginald at the number he gave to AMR Company; the line was disconnected. But a search on his email address revealed more information about his current activities. He is currently the registered contact for a shady-looking enterprise that has all of the hallmarks of a multi-level marketing or pyramid scheme.

Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

Lea French, MECA’s chief financial officer, said the trouble began when an employee with access to the organization’s online accounts opened a booby-trapped email attachment containing password-stealing malware.

The attackers used MECA’s online banking credentials to add at least six people to the payroll who had no prior business with the organization. Those individuals, known as “money mules,” received fraudulent transfers from MECA’s bank account and willingly or unwittingly helped the fraudsters launder the money.

French said the attackers appeared to be familiar with the payroll system, and wasted no time setting up a batch of fraudulent transfers.

“They knew exactly what they were doing, knew how to create a batch, enter it in, release it,” she said. “They appear to be very good at what they do.”

Prior to the heist, MECA refused many of the security options offered by its financial institution, First National Bank of Omaha, including a requirement that two employees sign off on every transfer.

“We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us,” French said. “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”

MECA was able to reverse an unauthorized wire transfer for $147,000 that was destined for a company called Utopia Funding U.S.A. The organization was not as lucky with the remaining transfers.

The funds stolen from MECA were sent to money mules recruited through fraudulent work-at-home job offers from a mule recruitment gang that I call the “Back Office Group.” This gang is one of several money mule recruitment outfits, and they appear to be among the most active. Like many other mule gangs, they tend to re-use the same format and content for their Web sites, but change their company names whenever the major search engines start to index them with enough negative comments to make mule recruitment difficult.

The mules used in the MECA heist were recruited through a Back Office Group front company named AV Company. Mules were told they were helping the company’s overseas software engineers get paid for the work they were doing for American companies. In reality, the mules were being sent payments to transfer that were drawn on hacked accounts from victims like MECA.

More than $9,000 of MECA’s money was sent to Erik Rhoden, a resident of Fleming Island, Fla. Rhoden was recruited in June by the Back Office Group. Rhoden successfully transferred the funds to three individuals in Eastern Europe, but says he didn’t profit from the work. His story matches that of other mules recently recruited by Back Office, and indicates a devious shift in tactics which ensures that mules never receive a payment for their work.

Typically, the Back Office group had instructed mules to withdraw transfers in cash, pocket eight percent as a commission, and wire the remainder of the funds to specific individuals overseas. Recently, the Back Office group changed its policy, and began telling mules to transmit the entire amount. In place of commissions, mules are now promised a payday at the end of the month. That payday almost never comes.

“They said I was going to get benefits, a salary, and a bonus for each transaction, but that was all a lie,” said Rhoden, who recently landed a job as a drink server in a local bar.

MECA lost more than $70,000 from the heist, although French said she believes their Travelers cyber security policy will help recoup some or all of the loss.

“We have a $25,000 deductible, plus the cost of an ongoing forensic investigation, which is going to be pretty expensive,” she said.

MECA has since added more security features to its online banking account, and access to that account is only possible through a locked-down, dedicated computer.

“All of this is a day late and a dollar short, I guess,” French said. “Why isn’t someone out shouting on the rooftops about this fraud? People need to understand how exposed they are.”

A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.

Sanford, Maine based Patco Construction sued Ocean Bank in 2009, alleging poor security after a $588,000 cyber heist. Patco sued to recover its losses, arguing in part that the bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.

On Thursday, the judge presiding over the lawsuit affirmed that recommended decision (PDF), ruling that no further proceedings were necessary. Patco’s attorney Dan Mitchell said the company has 30 days to file an appeal, but that it hasn’t yet decided whether to challenge the decision.

The decision comes as commercial account takeover victims in other states are challenging banks over the security of their online banking platforms. In June, a Michigan court ruled that Comerica Bank is liable for more than a half a million dollars stolen in a 2009 cyber heist against a small business. In July, A California real estate escrow company that lost more than $465,000 in an online banking heist last year sued its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.

These cases are being tried decided at the trial level in different federal districts. They are not “case law.” Case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made. Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them. Establishing a uniform national standard for judging all cases involving cyber theft would require a decision by the U.S. Supreme Court. Banks and organizations may not be willing to carry their appeals to this level, fearing that a national standard may not be in their best economic interests.

KrebsOnSecurity will continue to follow these cases and to bring you updates on new developments as they happen. Stay tuned.

It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account.

The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.

When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

The BKA’s advisory isn’t specific about the responsible strain of malware, but it is becoming increasingly common for banking Trojans to incorporate “Web injects,” custom designed plug-ins that manipulate what victims see in their Web browsers.

This attack is an insidious extension of the tactic that was pioneered by the URL Zone Trojan, which specializes in manipulating the balance that victims see when they log into their (cleaned-out) bank accounts.

If you log in to your bank account and see something odd, such as a “down for maintenance” page or an alert about a wayward transfer, your best option is to pick up the phone and call your bank. Make sure you are using the bank’s real phone number: Malware like the ZeuS Trojan has been known to present newly-fleeced victims with messages about problems with the bank’s Web site, along with a bogus customer support phone number.

A California real estate escrow company that lost more than $465,000 in an online banking heist last year is suing its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.

The plight of Redondo Beach, Calif. based Village View Escrow, first publicized by KrebsOnSecurity last summer, began in March 2010. That’s when organized crooks broke into the firm’s computers and bank accounts, and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Village View’s bank, Professional Business Bank of Pasadena, Calif., relied on third-party service provider NetTeller, which allowed commercial customers to authenticate to the bank’s site with little more than a username and password. Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.

The attack on Village View demonstrates the sophistication of malicious software like the ZeuS Trojan. The thieves disguised a banking Trojan as a UPS shipping receipt, and the company’s owner acknowledged opening the attachment and forwarding it to another employee who also viewed the malware-laced file. Once inside Village View’s systems, the attackers apparently disabled email notifications from the bank.

Nevertheless, Village View’s lawsuit challenges Professional Bank’s claims that its systems used “multi-factor,” and “state-0f-the-art” ebanking systems, and accuses the bank of negligence for not having procedures to help the company recover the fraudulent transfers.

This lawsuit comes just weeks after a decision in a similar case brought by another victim of ebanking fraud. In June, a U.S. district court in Michigan ruled that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 unauthorized wire transfers from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered in that case amounted to $560,000.

Julie Bonnel-Rogers, an attorney for Village View Escrow, said the Experi-Metal decision “cracked the door open” for her client’s lawsuit against the bank, because there is limited case law on the subject, and because claims against banks for wire transfer fraud have traditionally been very narrowly defined.

Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said the Village View lawsuit relies on similar claims made by Experi-Metal, arguing that its financial institution failed to act in good faith and that its online banking security procedures were not commercially reasonable.

“If the bank didn’t even follow their own written procedure for funds transfer verification as alleged in the pleadings, I’d be surprised if the bank didn’t lose just on breach of contact,” Castagnoli said. Still, she noted that the Experi-Metal decision was not binding on any other court, and that the court could review the issues of good faith and reasonable security, or decide that those issues don’t need to be addressed at all.

A copy of Village View Escrow’s complaint is available here (PDF).

Organized cyber thieves stole more than $28,000 from a small New England town last week. The case once again highlights the mismatch between the sophistication of today’s attackers and the weak security measures protecting many commercial online banking accounts.

On July 11, 2011, I alerted the town controller of Eliot, Maine that its accounts were probably being raided by computer crooks in Eastern Europe. I had heard from a “money mule,” an individual who was recruited through a work-at-home job scam to help the thieves launder money. He had misgivings about a job he had just completed for his employer. The job involved helping to move almost $5,000 from one of his employer’s “clients” to individuals in Ukraine. The receipt his employer emailed to him along with the money transfer said the client was “Town of Eliot, Ma.”

Norma Jean Spinney, the town controller, said she immediately alerted the town’s financial institution, TD Bank, but the bank couldn’t find any unusual transactions. Spinney said that three days later she received a call from TD Bank, notifying the town of a suspicious batch of payroll direct deposits totaling more than $28,000. TD Bank may have had a chance to stop this robbery, but apparently they dropped the ball.

Nevertheless, the town is not likely to see the stolen money again. Unlike consumers, organizations are not protected against online banking losses from cyber fraud. What’s more, a forensic analysis by a local IT firm showed that Spinney’s PC was infected with at least two banking Trojans at the time of the heist.

TD Bank spokeswoman Jennifer Morneau declined to discuss the incident, citing customer confidentiality policies.

Spinney said TD Bank required a user name and password, and the answer to least one “challenge question” when logging in to the town’s account.

New guidelines issued by banking regulators last month state that challenge questions are not adequate to protect corporate online-banking accounts from today’s cyber thieves. Unfortunately, many banks continue to rely on existing methods of authenticating customers: Bank examiners won’t start measuring how banking institutions conform with the recommendations until Jan. 2012.

If you’re responsible for a commercial bank account and you’re accessing the account online, the safest way to do so is to use a non-Windows computer such as a Mac, or a Live CD version of Linux. The bad guys may begin to write banking Trojans to help them rob organizations using other computing platforms, but all of the attacks I’ve written about to date involved malware that will not run on anything but a Windows PC. For those who must use Windows, accessing your accounts through a dedicated PC that is only used for that purpose is another alternative, if you access your accounts by using only that dedicated machine and never through any other.

If your bank allows it (and most do), consider taking advantage of anti-fraud mechanisms like Positive Pay, and requiring that more than one person must sign off on all accounting transactions.

The new guidelines include many recommendations for improving online-banking security. Bank customers should review them and compare them to their bank’s present security. A bank that provides adequate protection will not wait until 2012 to implement the enhanced measures.