Target: Small Businesses


11
Apr 13

Hay Maker Seeks Cyberheist Bale Out

An Oregon agricultural products company is suing its bank to recover nearly a quarter-million dollars stolen in a 2010 cyberheist. The lawsuit is the latest in a series of legal challenges seeking to hold financial institutions more accountable for costly corporate account takeovers tied to cybercrime.

oregonhayOn Sept. 1, 2010, unidentified computer crooks began making unauthorized wire transfers out of the bank accounts belonging to Oregon Hay Products Inc., a hay compressing facility in Boardman, Oregon. In all, the thieves stole $223,500 in three wire transfers of just under $75,000 over a three day period.

According to a complaint filed in Umatilla County Circuit Court,  the transfers were sent from Oregon Hay’s checking account at Joseph, Ore. based Community Bank to JSC Astra Bank in Ukraine. Oregon Hay’s lawyers say the company had set a $75,000 daily limit on outgoing wires, so the thieves initiated transfers of $74,800, $74,500 and $74,200 on three consecutive days.

Unfortunately for both parties in this dispute, neither Oregon Hay nor Community Bank detected anything amiss until almost two weeks after the fraud began; on Sept. 14, the victim firm found it was unable to access its accounts online. But by that time, the money was long gone.

Both Oregon Hay and Community Bank declined to be interviewed for this story.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations can be held responsible for any losses due to phishing or account takeovers. But as cyberheists have ramped up dramatically over the past several years, a number of victim companies have opted to sue their financial institutions in the hopes of recovering the losses.

Continue reading →


26
Mar 13

Missouri Court Rules Against $440,000 Cyberheist Victim

A Missouri court last week handed a legal defeat to a local escrow firm that sued its financial institution to recover $440,000 stolen in a 2009 cyberheist. The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank: requiring two employees to sign off on all transfers.

courthouseSpringfield, Mo. based Choice Escrow and Land Title LLC sued Tupelo, Miss. based BancorpSouth Inc., after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer of $440,000 to a corporate bank account in Cyprus.

Choice Escrow alleged that BancorpSouth’s security procedures were not commercially reasonable. Choice pointed out that the bank’s most secure option for Internet-based authentication relied principally on so-called “dual controls,” or requiring business customers to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

But in a decision handed down on March 18, 2013, a judge with the U.S. District Court for the Western District of Missouri focused on the fact that Choice Escrow was offered and explicitly declined in writing the use of dual controls, thereby allowing the thieves to move money directly out their account using nothing more than a stolen username and password.  The court noted that Choice also declined to set a limit on the amount or number of wire transfers allowed each day (another precaution urged by the bank), and that the transfer amount initiated by the thieves was not unusual for Choice, a company that routinely moved large sums of money.

Continue reading →


19
Feb 13

DDoS Attack on Bank Hid $900,000 Cyberheist

A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.

Ascent1At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West — came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.

KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters.

Ascent was unaware of the robbery at the time, but its bank would soon verify that a series of unauthorized transactions had been initiated on the 24th and then again on the 26th. The money mule I spoke with was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.

Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.

“It said the bank was offline for 24 hours, and we couldn’t get in to the site,” Shope said. “We called the bank and they said everything was fine.”

But soon enough, everything would not be fine from Bank of the West’s end. Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline. It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan — a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.

Continue reading →


28
Jan 13

Big Bank Mules Target Small Bank Businesses

A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.

I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.

The attack on Niles Nursing Inc. provides a textbook example. On Monday, Dec. 17, 2012, computer crooks logged into the company’s online banking accounts using the controller’s credentials and tunneling their connection through his hacked PC. At the beginning of the heist, the miscreants added 11 money mules to Niles’ payroll, sending them automated clearing house (ACH) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.

nilesmulespartNiles’ financial institution — Ft. Lauderdale, Fla. based Optimum Bank — evidently saw nothing suspicious about 11 new employees scattered across five states being added to its customer’s payroll overnight. From the bank’s perspective, the user submitting the payroll batch logged in to the account with the proper credentials and with the same PC that was typically used to administer the account. The thieves would put through another two fraudulent payment batches over next two days (the bank blocked the last batch on the 19th).

In total, the attackers appear to have recruited at least two dozen money mules to help haul the stolen loot. All but two of the mules used or opened accounts at four out of five of the nation’s top U.S. banks, including Bank of America, Chase, Citibank, and Wells Fargo. No doubt these institutions together account for a huge percentage of the retail banking accounts in America today, but interviews with mules recruited by this crime gang indicate that they were instructed to open accounts at these institutions if they did not already have them.

ANALYSIS

I’ve spoken at numerous financial industry conferences over the past three years to talk about these cyberheists, and one question I am almost always asked is, “Is it safer for businesses to bank at larger institutions?” This is a tricky question to answer because banking online remains a legally and financially risky affair for any business, regardless of which bank it uses. Businesses do not enjoy the same fraud protections as consumers; if a Trojan lets the bad guys siphon an organization’s online accounts, that victim organization is legally responsible for the loss. The financial institution may decide to reimburse the victim for some or all of the costs of the fraud, but that is entirely up to the bank.

What’s more, it is likely that fewer cyberheists involving customers of Top 5 banks ever see the light of day, principally because the larger banks are in a better financial position to assume responsibility for some or all of the loss (provided, of course, that the victim in return agrees not to sue the bank or disclose the breach publicly).

I prefer to answer the question as if I were a modern cyberthief in charge of selecting targets. The organized crooks behind these attacks blast out tens of millions of booby-trapped emails daily, and undoubtedly have thousands of stolen online banking credentials to use at any one time. There are more than 7,000 financial institutions in the United States…should I choose a target at one of the top 10 banks? These institutions hold a majority of the financial industry’s assets, and they’re accustomed to moving huge sums of money around each day.

On the other hand, their potential for fraud is almost certainly orders of magnitude greater than at smaller institutions. That would suggest that it may be easier for these larger institutions to justify antifraud expenditures. That incentive to enact antifraud protections is even greater because these institutions have huge numbers of retail customers, a channel in which they legally eat the loss from unauthorized account activity.

Continue reading →


29
Nov 12

Online Service Offers Bank Robbers for Hire

An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise.

The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York. These associates are not mere “money mules,” unwitting and inexperienced Americans tricked and cajoled into laundering money after being hired for bogus work-at-home jobs. Rather, as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity (the ad refers to them as неразводные “nerazvodni” or “not deceived”). Put simply: These are mules that can be counted on not to freak out or disappear with the cash.

These complicit “foreign agents” in the U.S. can be hired to launder funds stolen through cyberheists and tax fraud.

The rest of the ad reads:

“We provide convenient service to our partners:

  • Unique administrative interface – fast response
  • We will react momentarily to any new task
  • Adapt every action of a money mule to client’s requirements
  • Timely payments via WebMoney/Liberty Reserve/Western Union, cash conversion with WU/MG
  • Cashout of tax return, D + P (dump & PIN, cashout of debit cards stolen via skimming)
  • Receive over mail or expensive merchandise pick up in a store
  • Mules are available for other interesting transactions

We work only by reference.”

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).

Continue reading →


19
Nov 12

MoneyGram Fined $100 Million for Wire Fraud

A week ago Friday, the U.S. Justice Department announced that MoneyGram International had agreed to pay a $100 million fine and admit to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. Loyal readers of this blog no doubt recognize the crucial role that MoneyGram and its competitors play in the siphoning of millions of dollars annually from hacked small- to mid-sized business, but incredibly this settlement appears to be unrelated to these cyber heists.

According to the DOJ, the scams – which generally targeted the elderly and other vulnerable groups – included posing as victims’ relatives in urgent need of money and falsely promising victims large cash prizes, various high-ticket items for sale over the Internet at deeply discounted prices or employment opportunities as ‘secret shoppers.’  In each case, the perpetrators required the victims to send them funds through MoneyGram’s money transfer system.”

The government found that the heart of the problems at MoneyGram stemmed from the age-old conflict between the security staff and the folks in sales & marketing (oh, and willful neglect of employee fraud).

“Despite thousands of complaints by customers who were victims of fraud, MoneyGram failed to terminate agents that it knew were involved in scams.  As early as 2003, MoneyGram’s fraud department would identify specific MoneyGram agents believed to be involved in fraud schemes and recommended termination of those agents to senior management.  These termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity grew from 1,575 reported instances of fraud by customers in the United States and Canada in 2004 to 19,614 reported instances in 2008.  Cumulatively, from 2004 through 2009, MoneyGram customers reported instances of fraud totaling at least $100 million…To date, the U.S. Attorney’s Office for the Middle District of Pennsylvania has brought conspiracy, fraud and money laundering charges against 28 former MoneyGram agents.”

$100 million may seem like a painful fine, unless you take a look at MoneyGram’s company facts page, which states some fairly staggering figures: “MoneyGram has 293,000 agent locations in 197 countries and territories,” or, to put it another way, “more than twice the locations of McDonald’s, Starbucks, Subway and Wal-Mart combined.”

The company doesn’t say how much money it moved last year, but an older version of that page said that in 2010, approximately $19 billion was sent around the world using MoneyGram transfer services. The same page notes that MoneyGram is the second-largest money transfer company in the world. Second only to Western Union, no doubt, which has long struggled with many of the same anti-money laundering problems.

Each week, I reach out to or am contacted by organizations that are losing hundreds of thousands of dollars via cyber heists. In nearly every case, the sequence of events is virtually the same: The organization’s controller opens a malware-laced email attachment, and infects his or her PC with a Trojan that lets the attackers control the system from afar. The attackers then log in to the victim’s bank accounts, check the account balances – and assuming there are funds to be plundered — add dozens of money mules to the victim organization’s payroll. The money mules are then instructed to visit their banks and withdraw the fraudulent transfers in cash, and wire the money in smaller chunks via a combination of nearby MoneyGram and Western Union locations.

The latest example: On Nov. 16, 2012, attackers logged into accounts at Performance Autoplex II Ltd., a Honda dealer based in Midland, Texas, and began adding money mules to the company’s payroll. The thieves added at least nine mules, sending each a little more than $9,000. One of the mules used in this attack — a Louisa Lies (no kidding, that’s her real last name) — got two transfers totaling $9,220.58. She was instructed to visit two different Western Union locations, sending a total of $3,844 to two different recipients (one in Russia, the other Ukraine); Lies sent another pair of transfers (again, to two different people in Russia and Ukraine) totaling just over $5,000, via two separate MoneyGram locations. Lies said she paid $155 in fees to Western Union, and $136 in MoneyGram charges.
Continue reading →


6
Nov 12

Cyberheists ‘A Helluva Wake-up Call’ to Small Biz

The $180,000 robbery took the building security and maintenance system installer Primary Systems Inc. by complete surprise. More than two-dozen people helped to steal funds from the company’s coffers in an overnight heist in May 2012, but none of the perpetrators were ever caught on video. Rather, a single virus-laden email that an employee clicked on let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers.

The St. Louis, Missouri-based firm first learned that things weren’t quite right on Wednesday, May 30, 2012, when the company’s payroll manager logged into her account at the local bank and discovered that an oversized payroll batch for approximately $180,000 had been sent through late Tuesday evening.

The money had been pushed out of Primary Systems’ bank accounts in amounts between $5,000 and $9,000 to 26 individuals throughout the United States who had no prior interaction with the firm, and who had been added to the firm’s payroll that very same day. The 26 were “money mules,” willing or unwitting participants who are hired through work-at-home job schemes to help cyber thieves move money abroad. Most of the mules hired in this attack were instructed to send the company’s funds to recipients in Ukraine.

“The payroll manager contacted me at 8:00 a.m. that day to ask if I’d authorized the payroll batch, and I said no, it must have been a bank error,” said Jim Faber, Primary Systems’ chief financial officer. “I called the bank and said they said no, they did not make an error. That was a helluva wake-up call.”

The company’s financial institution, St. Louis-based Enterprise Bank & Trust, declined to comment. But of course, mistakes were made all around. Primary Systems’ employees failed to be wary of virus-laden email attachments, and relied too heavily on its firewalls and antivirus software to block attacks. The bank failed to bat an eyelash before processing a $180,000 transfer marked as “payroll” on a Tuesday, even though the company has always processed its payroll batch on Friday mornings. It also failed to flag as strange the overnight addition to Primary’s payroll of 26 new employees located in nearly as many states, even though almost all of the victim firm’s legitimate employees are based in Missouri.

The only parties to this crime who didn’t make missteps were the thieves. According to Faber, investigators believe the crooks cased the joint virtually before launching the heist, which came in just below the $200,000 threshold that would have prompted the bank to obtain verbal permission from Primary Systems for the transfer.

“If it was over $200k, [the bank] wouldn’t have allowed the transfer to happen without confirming it with us,” Faber said. “But this just flew right under that kickout. Our payroll is a lot less than that. This was six times our normal payroll and was in mid-week.”

Continue reading →


3
Aug 12

Uptick in Cyber Attacks on Small Businesses

New data suggests that cyber attacks aimed at small businesses have doubled over the past six months, a finding that dovetails with my own reporting on companies that are suffering six-figure losses from sophisticated cyber heists.

According to Symantec, attacks against small businesses rose markedly in the first six months of 2012 compared to the latter half of 2011. In its June intelligence report, the security firm found that 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. That figure was 18 percent at the  end of Dec. 2011.

“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said Paul Wood, a security intelligence manager at Symantec. “It almost seems attackers are diverting their resources directly from the one group to the other.”

I’m seeing the same uptick, and have been hearing from more small business victims than at any time before — often several times per week.

In the second week of July, for example, I spoke with three different small companies that had just been hit by cyberheists (one of the victims asked not to be named, and the other didn’t want their case publicized). On July 10, crooks who’d broken into the computers of a fuel supplier in southern Georgia attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.

The bank, First National Bank of Coffee County, managed to claw back an unusually large amount — approximately $260,000. The fuel company hired an outside forensics firm to investigate, and found that the trouble started on July 9, when the firm’s controller clicked a link embedded in an image in an email designed to look as though it was sent by the U.S. Postal Service and alerting the recipient about a wayward parcel. The link in the image loaded content from a site hosting the BlackHole exploit kit, which downloaded the ZeuS Trojan to the controller’s PC.

Interestingly, the fuel company and its bank said one of the money mules that the attackers recruited to help launder the stolen funds turned out to be an employee of Wells Fargo from Alabama. Many money mules are simply not the brightest bulbs, and it is usually difficult to prove that they weren’t scammed as well (because more often than not, the mules end up losing money).  But one would think people who work for banks should be at least be aware of these schemes, and held to a higher standard. What’s more, if this mule wasn’t complicit then he probably suspected something wasn’t right, because he had the funds sent to an account he controlled at a local credit union in Birmingham — rather than an account at Wells Fargo.

By the way, this is the second time I’ve encountered a money mule working at a major bank. Last year, I tracked down a woman at PNC Bank in Maryland who was hired by a mule recruitment gang and later helped move nearly $4,500 from a victim business in North Carolina to cybercriminals in Ukraine. She claimed she did not understand what she had done until I contacted her.

Continue reading →


16
Jul 12

Spy Software Aims to Corral Money Mules

Borrowing from the playbook of corporations seeking better ways to track employee productivity, some cybercriminal gangs are investing in technologies that help them keep closer tabs on their most prized assets: “Money mules,” individuals willingly or unwittingly recruited to help fraudsters launder stolen funds. It seems that at least one mule recruitment gang employs custom software to spy on new recruits.

Last month, I heard from a reader in North Carolina named John who’d been roped into working for a company that claimed to be in the digital concierge and outsourcing business. John became suspicious that he was involved in something shady when they told him he should expect a transfer of nearly $10,000 to the personal bank account that he’d provided to his erstwhile employer in order to eventually receive a paycheck.

The software stole this glimpse of my test machine’s desktop.

The firm that hired John, a fictitious company called VIP One, recruits mules to help process fraudulent transfers from businesses victimized by account takeovers. Prior to sending its mules money, VIP One has prospective mules spend several weeks doing relatively meaningless busy work, for which they are promised payment at the end of the month.

VIP One requires all new recruits to install a “time tracking” application, basically a digital stopwatch that employees are expected to use to keep track of their time “on the job.” John was kind enough to let me take a peek inside his account at VIP One, and to download the time tracking software. It’s safe to say that time is certainly not the only thing being tracked by this program.

I installed the application in a Window XP virtual machine equipped with Wireshark, a free program that lets you inspect the data packets going in and out of a host machine. I pressed start and left the software alone for a few hours. A review of the Wireshark logs showed that the time tracking tool periodically and surreptitiously took screenshots of my system, uploading them to a site called gyazo.com. This Web site appears to be associated with a legitimate screen-grabbing application that automates the grabbing and posting online of screen captures.

My test machine also had several peripherals plugged into it, including a Webcam. To my surprise, further review of the logs showed that the time tracking tool hijacked my machine’s Web cam and took several pictures, also posting them to gyazo.com.

Continue reading →


12
Jul 12

Banking on a Live CD

An investigative series I’ve been writing over the past three years about organized cyber crime gangs using malware to steal millions of dollars from small to mid-sized organizations has generated more than a few responses from business owners concerned about how best to protect themselves from this type of fraud.

I said this nearly three years ago, and it remains true: The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online. All of the malware used in the attacks I’ve written about is built for Windows. That’s not to say bad guys behind these online heists won’t get around to targeting Mac OS X, or users of other operating systems. Right now, there are no indications that they are doing this.

What the Puppy desktop looks like.

The quickest way to temporarily convert your Windows PC into a Linux system is to use a Live CD. This involves burning an downloadable image file to a CD, inserting the disc into your computer, and rebooting. If this sounds difficult, don’t worry, it’s not.

Here’s a step-by-step guide that should get you up and running in no time flat, with Puppy Linux, an extremely lightweight and fast version of Linux. If you’d prefer to try another distribution, there are dozens to choose from.

Continue reading →