Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: fbi

    A Little Sunshine / Target: Small Businesses31 Comments
    27
    May 10

    Cyber Thieves Rob Treasury Credit Union

    Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned.

    Treasury Credit Union -- Image courtesy Google Streetview

    In most of the e-banking robberies I’ve written about to date, the victims have been small to mid-sized businesses that had their online bank accounts cleaned out after cyber thieves compromised the organization’s computers. This incident is notable because the entity that was both compromised and robbed was a bank.

    The attack began Thursday, May 20, when the unidentified perpetrators started transferring funds out of an internal account at Treasury Credit Union, a financial institution that primarily serves employees of the U.S. Treasury Department in the state of Utah and their families. Treasury Credit Union President Steve Melgar said the thieves made at least 70 transfers before the fraud was stopped.

    Melgar declined to say how much money was stolen, stating only that the total amount was likely to be in the “low six-figures.”

    “We’re still trying to find out what net [loss] is, because some of the money came back or for whatever reason the transfers were rejected by the recipient bank,” Melgar said, adding that the FBI also is currently investigating the case. A spokeswoman for the Salt Lake City field office of the FBI declined to comment, saying the agency does not confirm or deny investigations.

    Many of the transfers were in the sub-$5,000 range and went to so-called  “money mules,” willing or unwitting individuals recruited over the Internet through work-at-home job schemes. Melgar said other, larger, transfers appear to have been sent to commercial bank accounts tied to various small businesses.

    Continue reading →

    Target: Small Businesses45 Comments
    11
    May 10

    FBI Promises Action Against Money Mules

    The FBI’s top anti-cyber crime official today said the agency is planning a law enforcement action against so-called “money mules,” individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud.

    Patrick Carney, acting chief of the FBI’s cyber criminal section, said mules are an integral component of an international crime wave that is costing U.S. banks and companies hundreds of millions of dollars. He said the agency hopes the enforcement action will help spread awareness that money mules are helping to perpetrate crimes.

    “We want to make sure that public understands this is illegal activity and one of the best ways we can think of to give that message is to have some prosecutions,” Carney said at a Federal Deposit Insurance Corporation (FDIC) symposium in Arlington, Va. today on combating commercial payments fraud. “We realize it’s not going to make the problem go away, but it should help raise awareness and send a signal.”

    Continue reading →

    A Little Sunshine / Web Fraud 2.012 Comments
    20
    Apr 10

    Call Centers for Computer Criminals

    A call service that catered to bank and identity thieves has been busted up by U.S. and international authorities. The takedown provides a fascinating glimpse into a bustling and relatively crowded niche of fraud services in the criminal hacker underground.

    In an indictment unsealed on Monday, New York authorities said two Belarusian nationals suspected of operating a rent-a-fraudster service called Callservice.biz were arrested overseas. Wired.com’s Kim Zetter has the lowdown:

    According to the indictment (.pdf), the two entrepreneurs launched the site in Lithuania in June 2007 and filled a much-needed niche in the criminal world — providing English- and German-speaking “stand-ins” to help crooks thwart bank security screening measures.

    In order to conduct certain transactions — such as initiating wire transfers, unblocking accounts or changing the contact information on an account — some financial institutions require the legitimate account holder to authorize the transaction by phone.

    Thieves could provide the stolen account information and biographical information of the account holder to CallService.biz, along with instructions about what needed to be authorized. The biographical information sometimes included the account holder’s name, address, Social Security number, e-mail address and answers to security questions the financial institution might ask, such as the age of the victim’s father when the victim was born, the nickname of the victim’s oldest sibling or the city where the victim was married.

    U.S. authorities have seized the Callservice.biz Web site, which now features the seals for the FBI and Justice Department prominently on its homepage. The feds also seized Cardingworld.cc, a highly-restricted online criminal forum where Callservice.biz was hosted.

    If you spend any amount of time on underground forums like Cardingworld.cc, however, you’ll quickly discover that these criminal call centers are among the most popular of fraud services offered. For example, another fraud forum — Verified.su — is home to a number of calling services. Among them are two competing call centers that each began as point-and-click fraud shops that helped customers purchase electronics with stolen credit cards and then split the profits after selling the goods on eBay.

    One such service, Atlanta Alliance, used to offer paying members a password-protected Web site where customers could select a range of high-priced gadgets — such as digital cameras, laptops and smart phones — that could be bought with stolen credit cards. The service even allowed customers to manage the shipment of these products to awaiting “reshipping mules,” individuals in the United States recruited for the purpose of receiving stolen goods and reshipping them to Russia, Ukraine and other nations where many vendors refuse to ship due to the high incidence of fraud from those areas.

    Continue reading →

    Target: Small Businesses63 Comments
    30
    Mar 10

    Online Thieves Take $205,000 Bite Out of Missouri Dental Practice

    Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.

    Dentists working at the Smile Zone, a Springfield, Mo. based dental practice that caters specifically to the needs of children, weren’t exactly all smiles on March 22. That was the day unidentified crooks sent at least $205,000 of the practice’s money to nearly a dozen individuals around the country.

    Eric Hudkins, the office manager and husband of one of the dentists at Smile Zone, said the money was taken in 11 different transfers, including three large wires. Once again, it seems the attack was carried out with the help of money mules, willing or unwitting individuals hired through work-at-home job schemes over the Internet and lured into helping the attackers launder the stolen money.

    “I’ve got the names, account numbers, and phone numbers for most of them, and have even looked some of them up on Facebook,” Hudkins said of the co-conspirators. “The bank talked to two of the [mule] account holders and asked them why they opened the account, who it was for, that kind of thing. Both of them said they’d had their resumes out on careerbuilder.com or monster.com and that someone they’d never met contacted them and offered to help them make some money.”

    Hudkins said he contacted the FBI, and that the agent he spoke with told him the FBI wouldn’t open a case on the theft unless it was over $500,000 in losses. As it stands, he was told, his case would be lumped into a group of similar investigations that is being run out of an FBI task force in Omaha, Nebraska. It also appears there is little appetite for prosecuting the money mules, he said.

    “The FBI said prosecuting these [mules] for doing anything wrong is near impossible,” Hudkins said.

    Continue reading →

    A Little Sunshine / Other19 Comments
    13
    Mar 10

    FBI: Online Fraud Costs Skyrocketed in 2009

    Source: ic3.gov

    Reported losses from online fraud more than doubled last year, from $265 million in 2008 to nearly $560 million in 2009, according to figures released Friday by the FBI.

    The figures come from complaints referred to the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. Last year, the IC3 received some 336,655 complaints, a 22.3 percent increase from the year prior.

    Ironically, among the largest sources of complaints (16.6 percent) were e-mail scams that fraudulently used the FBI’s name to gain information from the recipient. Of the top five categories reported to law enforcement during 2009, non-delivered merchandise and/or payment fraud ranked nearly 20 percent; identity theft 14 percent; credit card and auction fraud, just over 10 percent each. The median dollar loss was $575, while the highest median losses were associated with investment fraud ($3,200), overpayment fraud ($2,500) and advanced-fee fraud ($1,500).

    The full report is available from this link at ic3.gov (.pdf).

    A Little Sunshine / Target: Small Businesses / The Coming Storm36 Comments
    9
    Mar 10

    Cyber Crooks Leave Traditional Bank Robbers in the Dust

    Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.

    Speaking at the RSA Security Conference in San Francisco last week, David Nelson, an examination specialist with the Federal Deposit Insurance Corporation (FDIC), said online banking attacks against small businesses of the sort I have chronicled countless times over the past year netted thieves $25 million between July and September of 2009.

    I wondered how that stacked up against real-life bank robbers here in the U.S., so I had a look at the FBI‘s published bank crime statistics for that same time period last year. Turns out, traditional bank robbers committed a total of 1,184 bank robberies during those three months, netting slightly more than $9.4 million (including $3,071 in travelers checks).

    In fact, real-life bank robbers stole a total of just over $30 million in the first three quarters of 2009, just $5 million more than cyber crooks did in the third quarter of last year alone.

    Small wonder that the haul from cyber bank robberies has overtaken that of physical heists:  Cyber thieves take far fewer risks to life, liberty and limb than do real-life bank robbers. In that same three month period last year, the FBI says bank robberies at bricks-and-mortar institutions caused five deaths — all them perpetrators of the crime.

    What’s more, the perpetrators of these incessant attacks against small businesses banking online for the most part reside in countries that are traditionally beyond the reach and influence of U.S. law enforcement. Sure, bank robbers occasionally kill people (more often themselves) while they’re stealing your money, instead of silently lifting it out of your bank account from afar like cyber thieves. That alone makes them a more emotional high-value target for the feds. But let’s face it: Traditional stick up artists are a lot easier to collar. For one thing, by necessity they are all here in the United States.

    In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

    Continue reading →

    Latest Warnings57 Comments
    14
    Jan 10

    FBI: Beware Haitian Quake Relief Scams

    The earthquakes that have wrought so much devastation and death in Haiti this week are moving many to donate to various relief efforts. But security experts and the FBI are warning people to be on the lookout for ghoulish criminals scams that invariably spring up in the wake of such natural disasters in a bid to siphon funds from charitable organizations.

    Continue reading →

    Target: Small Businesses13 Comments
    5
    Jan 10

    FBI Investigating Theft of $500,000 from NY School District

    The FBI is investigating the theft of nearly a half million dollars from tiny Duanesburg Central School District in upstate New York, after cyber thieves tried to loot roughly $3.8 million from district online bank accounts last month.

    On Friday, Dec. 18, thieves tried to electronically transfer $1.86 million from the district’s account at NBT Bank to an overseas account. The following Monday, the attackers attempted to move another $1.19 million to multiple overseas location. It wasn’t until the next day, when transfers totaling $758,758.70 were flagged by a bank representative as suspicious, that the two previous unauthorized transactions were discovered, school officials said.

    As of today, Duanesburg and its bank have succeeded in recovering $2.55 million of the stolen funds, but the school district is still out $497,000.

    Continue reading →

    Target: Small Businesses23 Comments
    4
    Jan 10

    Buried Warning Signs

    In a year marked by record bank failures and Wall Street swindlers walking away with tens of billions of investor dollars, it’s perhaps not surprising that the activities of organized cyber gangs looting at least $100 million dollars from small to mid-sized businesses went largely unheralded.

    The mainstream media could be forgiven for focusing on bigger fish. For one thing, this particular strain of fraud has many moving parts and is challenging to explain to broad audiences. Also, raising awareness about fraud is always tough because the issue almost invariably involves U.S. banks and federal law enforcement, two entities that by their very genetic makeup resist discussing anything that is not tightly scripted and on-message: The FBI is hyper-reluctant to discuss or even acknowledge ongoing investigations (particularly those in which the main actors are overseas), and the banks simply don’t want to spook customers in any way.

    But law enforcement and the banking industry appear to have been at odds over how and how much to communicate with the public about the seriousness and impact of these crimes. The following anecdotes offer a peek into some of the struggles I experienced last year trying to extract useful and truthful information from both parties.

    Friday, Aug. 21, 3:00 p.m. ET: I was wrapping up a story for The Washington Post about a confidential alert drafted by the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group representing some of the nation’s largest banks. The document I’d gotten hold of seemed to validate the focus of my reporting for the previous 10 weeks: It said the FBI was tracking a major upswing in incidents involving organized computer thieves who were using malicious software to steal tens and hundreds of thousands of dollars from countless small- to mid-sized businesses throughout the United States.

    I had finagled a draft version of the alert, and understood that the final version would be sent sometime later that day, although the distribution list was reportedly limited to a few hundred people — mostly law enforcement and bankers. Problem was, I couldn’t confirm whether the alert had in fact been sent as planned, or whether the final version was changed much from the version I’d obtained.

    What’s more, after two days of waiting, I still had no meaningful response from the FBI to my query, which sought to verify the alert’s statement that the FBI believes organized cyber thieves involved in this type of crime were stealing at least a million dollars a week from victims, and that several new victim firms were coming forward each week.

    My editor was restless: Without an answer to these questions, the story would hold until next week. The answers didn’t come, and the story held.

    When I finally got confirmation the following Monday that the alert had gone out, I also learned that the final version had been significantly watered down. Gone were the monetary damage estimates, including this stark assessment: ‘Total economic impact of these activities, if they continue unabated, is likely to be in the hundreds of millions of dollars.’

    Gone was any mention of specific countries to which the stolen tens of millions were flowing (Russia, Ukraine and Moldova). Removed was the part about the quasi-financial institutions responsible for the cross-border flow of stolen cash (Moneygram and Western Union).

    Mind you, this was an alert that was not intended for public distribution, but merely to be sent to a small group of banks and law enforcement folks.

    Continue reading →