A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.

Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.

The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes prior to the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.

When Aurora visited the bank local Chase branch to get assistance, she was told she needed to deal with the bank’s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1.

Capital One declined to comment for this story, citing the ongoing litigation.

Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.

“By operating a single factor identification online banking system, Capital One lefts its customers open to identity theft and failed to take sufficient safeguards to prevent unauthorized access to its client’s online banking accounts, including the ability to send wire transfers,” the company charged in its complaint.

Global Title also alleges that Capital One should have known that the transfers were fraudulent and unauthorized.

“Capital One was put on notice through Ms. Aurora’s phone call at 2:09 on June 1, 2010, and on subsequent calls that same day, that Global Title had no access to its online banking system,” the complaint states. “Accordingly, Capital One knew or should have known that any wire transfer that afternoon would be unauthorized.”

BUSY, BUSY MULES

Dorin Codreanu

Some of the fraudulent activity was tied to money mule activity that was busted up by federal prosecutors last year. Two wires totaling more than $234,000 were sent to Key Marius Import LLC, a company flagged by federal investigators as a fraudulent front for organized cyber thieves.  In November 2010, Wisconsin police arrested two men who were wanted as part of a crackdown in late Sept. 2010 on so-called “J1″ money mules who were in the United States on work/travel visas. According to an FBI press release from last fall, Key Marius and the commercial bank account attached to it were set up by one of those men, Dorin Codreanu, a Moldovan who pleaded guilty to conspiracy charges earlier this year.

Codreanu was sentenced to three years in prison, and ordered to pay restitution of more than $110,000 to his victims. The court judgment against him (PDF) states that the company Codreanu was ordered to pay restitution was not Global Title but a Dinkels Bakery; the remainder of the $110,000 restitution was to be paid to court services, Level One Bank and JP Morgan Chase.

Other companies that received large wire transfers may also have been fronts set up in advance of the attack. Key Marius Import LLC was established in April 2010, as were; Alvarez Here and Now, Inc. of Ontario, Calif, which received a fraudulent wire of $39,560 on June 2; Sharp and Bright Designs Inc. of Simi Valley, Calif., which was sent a bogus wire of $19,583 from Global Title on June 2; PWD Properties, incorporated in late January 2010 in Wilmington, Del., was sent a fraudulent wire of $28,582 on June 2.

Capital One was able to reverse all but the first three fraudulent wires ($119,500 to Key Marius, $39,560 to Alvarez Here and Now, and $48,698 to a Dwaine Peterson), leaving Global Title with a $207,758 loss. As a result, it was forced to take out a loan to make the required cash distributions from the firm’s escrow account.

UNCERTAIN LEGAL GROUND

Banks in the United States are supposed to adhere to online banking authentication guidance issued in 2005 by regulators at the Federal Financial Institutions Examination Council (FFIEC), but many institutions have been slow to comply with the guidelines.

Several victims of corporate account takeovers have sued their banks, claiming similar negligence, but with mixed results. In June 2011, a Michigan court held Comerica Bank liable for more than half a million dollars stolen in a 2009 cyber heist. Two months later, a district court judge in Maine ruled that banks which protect accounts with little more than passwords and secret questions are in compliance with the FFIEC’s security guidance.

Faced with an explosion of corporate account takeovers in the past two years, the FFIEC recently updated its guidance, which calls for “layered security programs” to deal with riskier commercial banking transactions, including methods for detecting transaction anomalies, the use of out-of-band verification, and enhanced customer awareness campaigns. Those requirements, which will inform the activities of bank security examiners, are set to take effect on Jan. 1, 2012.

Avivah Litan, a fraud analyst with Gartner Inc., said many banks are still out of compliance with the FFIEC’s older guidance.

“The new guidance isn’t that radical, and it basically re-affirms the previous guidelines and clarifies some points,” Litan said. “This case sounds like a clear violation of the FFIEC guidance, which says put controls in place that are commensurate with the risk, and many banks still aren’t doing that.”

Global Title is asking the court for a $500,000 judgment, plus pre- and post-judgment interest and attorney’s fees. Their legal challenged has cleared its first major set of procedural hurdles, and unless both parties settle before then, the case is scheduled to go to trial on April 10, 2012.

A copy of the company’s complaint is available here (PDF).

Update, 12:36 p.m. ET: Fixed the link to Global Title’s complaint filing.

Update, Nov. 15, 4:53 p.m. ET: Capital One provided the following statement in response to this article:

“Capital One’s authentication controls protecting our commercial platforms are compliant with the federal multifactor authentication guidance. These controls are the subject of annual risk assessments to ensure they remain appropriate in light of the threat environment. In the funds transfer realm, among the controls utilized are hard tokens and out-of-band confirmation of payment instructions.

As part of our broader security measures, Capital One provides security – and safe computing – related ‘best practice’ tips and recommendations to let our small business and commercial clients know what they can do to protect themselves and reduce their fraud risk.”

Money mules are quite literally the workhorses of the online fraud world. The term “money mule” is borrowed from the nomenclature used to describe the human pack horses of the drug cartels — so-called “drug mules” — people who physically carry illegal substances on their person while crossing the U.S. border.  Some drug mules actually ingest large numbers of tiny bags full of illegal substances, and carry the narcotics in their digestive system on the way into the United States. You can probably guess how the drugs are…er…offloaded by these mules.

Of course, money mules don’t actually ingest the cash they help steal from banks and small businesses that are victimized by criminal gangs, although they do occasionally eat the cost when their bank turns around and holds them liable for the missing money. However, some of the mules — mainly young Eastern European men and women of college age who are here in the United States on temporary J1 visas — do physically carry the cash on their person when they head back home.

Anyway, this blog posts focuses on the former group, those willing or unwitting individuals who stand to very likely make $500-$700 from a single transaction with the crooks. Money mules are recruited through work-at-home job offers that arrive via e-mail, usually claiming that the prospective employer found the recipient’s resume’ on careerbuilders.com, monster.com, or some other job search site. Recruits are told they will be helping to move money for international companies, and are asked to provide their bank account and routing numbers so that they can receive incoming transfers.

Now, technically speaking, most mules are by default fired after their first and only successful job: Each mule is worth slightly less than $10,000 to the cyber gangs, who will cease communicating with a mule the minute after he or she successfully wires the money to the crooks and e-mails the access number the criminals need to pick up the cash.

The mules’ job isn’t that difficult: Wait by the computer between 8 and 11 a.m. for a message saying a deposit is ready for withdraw. The mule is instructed to then go down to their bank, pull out the money in cash, and then wire it abroad via Western Union and Moneygram.

But you’d be surprised at how often the mules screw this up. Here are the Top 10 ways that mules can get fired:

10. Ask for paid maternity leave, or 401k matching. I spoke with a mule not long ago who was so naive she thought she was actually going to get the benefits described to her in the “employee contract” the mule recruiters sent to her via e-mail in a PDF file. In fairness, some of the employment contracts sent to prospective mules are rather convincing.

9. Show up late for work. Mule recruiters try very hard to impress upon mules the importance of pulling out any money transfers as quickly as possible. The reason is that, usually within 24 hours, the victim company or its bank will figure out that the a batch of transfers was unauthorized, and will seek to reverse it. If the money is still in the mules’ account when that reversal is initiated, the thieves usually can kiss that money goodbye. For that reason, many mule recruitment groups offer cash incentives to mules who complete their tasks within an hour or two of the mule’s local bank branch opening for the day.

8. In a conversation with your mule recruiter, start any sentence with, “So, I just got a call from my bank’s fraud department…”. [CLICK...DIAL TONE]

7. Complain about your  negative $888,888.88 balance. Bank of America accounts often will be assigned this particular eye-popping but completely arbitrary balance to signify to bank employees that an account is frozen, often due to suspected fraud.

6. Ask to get paid. Money mules sometimes also get roped into reshipping scams, which involve receiving merchandise bought with stolen credit cards. The recruits are asked to then reship the goods to the cyber gangs overseas. According to interviews with several investigators who have worked a number of these reshipping scams, the reshipping mules usually are promised a big check at the end of the month, and in the meantime are sent dozens of packages to reship. Usually, the mule recruiters cease shipping items and all contact with the mules just a few days before the end of the first month, or whenever the mule asks to get paid, whichever comes first.

5. Tell your boss: “Listen, I’m not really comfortable with this Western  Union stuff. Can’t I just send you a check?” Pinkslip!

4. Complain to your recruiter, “Hey, how come my bank account is now showing negative $9,500?”. Whoops.

3. Ask your mule handler, “Hey, do you know a guy named Bobbear?” There’s a good reason why this fearless fraud fighter’s Web site is frequently the target of distributed denial of service attacks.

2. When asked to provide an account into which customer (victim) funds will be transferred, give them an account number with the Police and Fire Federal Credit Union.

…and the number one way to get fired as a money mule?

1. Submit a wrong bank account or routing number. You’d be amazed at how many times the cyber gangs don’t get their money, all because a mule transposed a number. In several cases I’ve investigated, the victim company was first alerted to the fraud because a mule had given an incorrect routing number, causing the victim’s bank to generate an alert about a failed transfer. Bad mule! No commission for you!