<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; money mules</title>
	<atom:link href="http://krebsonsecurity.com/tag/money-mules/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 13:50:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Title Firm Sues Bank Over $207k Cyberheist</title>
		<link>http://krebsonsecurity.com/2011/11/title-firm-sues-bank-over-207k-cyberheist/</link>
		<comments>http://krebsonsecurity.com/2011/11/title-firm-sues-bank-over-207k-cyberheist/#comments</comments>
		<pubDate>Mon, 14 Nov 2011 05:01:55 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Alvarez Here and Now Inc.]]></category>
		<category><![CDATA[capital one]]></category>
		<category><![CDATA[Chevy Chase Bank]]></category>
		<category><![CDATA[Dorin Codreanu]]></category>
		<category><![CDATA[Dwaine Peterson]]></category>
		<category><![CDATA[Global Title Services]]></category>
		<category><![CDATA[j1 mules]]></category>
		<category><![CDATA[Key Marius Import LLC]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[Priya Aurora]]></category>
		<category><![CDATA[PWD Properties]]></category>
		<category><![CDATA[Sharp and Bright Designs Inc.]]></category>
		<category><![CDATA[ZeuS Trojan]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=11140</guid>
		<description><![CDATA[A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.]]></description>
			<content:encoded><![CDATA[
<p>A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/11/globaltitlellc.png"><img class="alignright size-full wp-image-12171" title="globaltitlellc" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/globaltitlellc.png" alt="" width="198" height="215" /></a>Sometime before June 2010, crooks infected computers at Vienna, Va.-based <a title="MyGlobalTitle.com" href="http://www.myglobaltitle.com/" target="_blank">Global Title Services</a> with the ZeuS Trojan, giving them direct access to the company&#8217;s network and online banking passwords at then-<strong>Chevy Chase Bank</strong> (now <strong>Capital One</strong>). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.</p>
<p>The first three wires totaled more than $200,000. When Global Title&#8217;s owner <strong>Priya Aurora</strong> went to log in to her company&#8217;s accounts 15 minutes before the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.</p>
<p>When Aurora visited the bank&#8217;s local branch to get assistance, she was told she needed to deal with the bank&#8217;s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires, sent on June 1.</p>
<p>Capital One declined to comment for this story, citing the ongoing litigation.</p>
<p>Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One&#8217;s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.</p>
<p><span id="more-11140"></span>&#8220;By operating a single factor identification online banking system, Capital One left its customers open to identity theft and failed to take sufficient safeguards to prevent unauthorized access to its client’s online banking accounts, including the ability to send wire transfers,&#8221; the company charged in its complaint.</p>
<p>Global Title also alleges that Capital One should have known that the transfers were fraudulent and unauthorized.</p>
<p>&#8220;Capital One was put on notice through Ms. Aurora’s phone call at 2:09 on June 1, 2010, and on subsequent calls that same day, that Global Title had no access to its online banking system,&#8221; the complaint states. &#8220;Accordingly, Capital One knew or should have known that any wire transfer that afternoon would be unauthorized.&#8221;</p>
<p>BUSY, BUSY MULES</p>
<div id="attachment_12165" class="wp-caption alignleft" style="width: 149px"><a href="http://krebsonsecurity.com/wp-content/uploads/2011/11/codreanu.png"><img class="size-full wp-image-12165" title="codreanu" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/codreanu.png" alt="" width="139" height="203" /></a><p class="wp-caption-text">Dorin Codreanu</p></div>
<p>Some of the fraudulent activity was tied to money mule activity that was busted up by federal prosecutors last year. Two wires totaling more than $234,000 were sent to <strong>Key Marius Import LLC</strong>, a company flagged by federal investigators as a fraudulent front for organized cyber thieves. In November 2010, Wisconsin police <a title="Authorities Nab More Zeus-Related Money Mules" href="http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules/" target="_blank">arrested two men</a> who were wanted as part of a crackdown in late Sept. 2010 on so-called &#8220;J1&#8221; money mules who were in the United States on work/travel visas. According to <a title="New York FBI Press Release" href="http://www.fbi.gov/newyork/press-releases/2010/nyfo093010.htm" target="_blank">an FBI press release from last fall</a>, Key Marius and the commercial bank account attached to it were set up by one of those men, <strong>Dorin Codreanu</strong>, a Moldovan who pleaded guilty to conspiracy charges earlier this year.</p>
<p>Codreanu was sentenced to three years in prison, and ordered to pay restitution of more than $110,000 to his victims. The <a title="Codreanu Judgment" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/codreanu-judgment.pdf" target="_blank">court judgment against him</a> (PDF) states that the company to which Codreanu was ordered to pay restitution was not Global Title but a <strong>Dinkels Bakery</strong>; the remainder of the $110,000 restitution was to be paid to court services, Level One Bank and JP Morgan Chase.</p>
<p>Other companies that received large wire transfers may also have been fronts set up in advance of the attack. Key Marius Import LLC was established in April 2010, as were <a title="California Business Filings: Alvarez Here and Now, Inc." href="https://businessfilings.sos.ca.gov/frmDetail.asp?CorpID=03287618" target="_blank">Alvarez Here and Now, Inc.</a> of Ontario, Calif., which received a fraudulent wire of $39,560 on June 2, and <a title="California Secretary of State Record: Sharp and Bright Designs LLC" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/sharpandbrightdesigns.png" target="_blank">Sharp and Bright Designs Inc.</a> of Simi Valley, Calif., which was sent a bogus wire of $19,583 from Global Title on June 2. <a title="Delaware Secretary of State: PWD Properties" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/pwdproperties.png" target="_blank">PWD Properties</a>, incorporated in late January 2010 in Wilmington, Del., was sent a fraudulent wire of $28,582 on June 2.</p>
<p>Capital One was able to reverse all but the first three fraudulent wires ($119,500 to Key Marius, $39,560 to Alvarez Here and Now, and $48,698 to a <strong>Dwaine Peterson</strong>), leaving Global Title with a $207,758 loss. As a result, it was forced to take out a loan to make the required cash distributions from the firm&#8217;s escrow account.</p>
<p>UNCERTAIN LEGAL GROUND</p>
<p>Banks in the United States are supposed to adhere to online banking authentication guidance issued in 2005 by regulators at the <strong>Federal Financial Institutions Examination Council</strong> (FFIEC), but many institutions have been slow to comply with the guidelines.</p>
<p>Several victims of corporate account takeovers have sued their banks, claiming similar negligence, but with mixed results. In June 2011, a Michigan court <a title="Court Favors Small Business in eBanking Fraud Case" href="http://krebsonsecurity.com/2011/06/court-favors-small-business-in-ebanking-fraud-case/" target="_blank">held Comerica Bank liable</a> for more than half a million dollars stolen in a 2009 cyber heist. Two months later, a district court judge in Maine <a title="Judge Nixes Patco's eBanking Fraud Case" href="http://krebsonsecurity.com/2011/08/judge-nixes-patcos-ebanking-fraud-case/" target="_blank">ruled</a> that banks which protect accounts with little more than passwords and secret questions are in compliance with the FFIEC&#8217;s security guidance.</p>
<p>Faced with <a title="Krebs on Security Category: Small Business Victims" href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">an explosion of corporate account takeovers</a> in the past two years, the FFIEC <a title="Regulators Issue Update eBanking Security Guidelines" href="http://krebsonsecurity.com/2011/06/regulators-issue-updated-ebanking-security-guidelines/" target="_blank">recently updated its guidance</a>, which calls for &#8220;layered security programs&#8221; to deal with riskier commercial banking transactions, including methods for detecting transaction anomalies, the use of out-of-band verification, and enhanced customer awareness campaigns. Those requirements, which will inform the activities of bank security examiners, are set to take effect on Jan. 1, 2012.</p>
<p>Avivah Litan, a fraud analyst with <strong>Gartner Inc.</strong>, said many banks are still out of compliance with the FFIEC&#8217;s older guidance.</p>
<p>&#8220;The new guidance isn&#8217;t that radical, and it basically re-affirms the previous guidelines and clarifies some points,&#8221; Litan said. &#8220;This case sounds like a clear violation of the FFIEC guidance, which says put controls in place that are commensurate with the risk, and many banks still aren&#8217;t doing that.&#8221;</p>
<p>Global Title is asking the court for a $500,000 judgment, plus pre- and post-judgment interest and attorney&#8217;s fees. Its legal challenge has cleared its first major set of procedural hurdles, and unless both parties settle before then, the case is scheduled to go to trial on April 10, 2012.</p>
<p>A copy of the company&#8217;s complaint is available <a title="Amended Complaint Global Cap One" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/Amende-Complaint-Global-Cap-One.pdf" target="_blank">here</a> (PDF).</p>
<p>Update, 12:36 p.m. ET: Fixed the link to Global Title&#8217;s complaint filing.</p>
<p>Update, Nov. 15, 4:53 p.m. ET: Capital One provided the following statement in response to this article:</p>
<p>&#8220;Capital One&#8217;s authentication controls protecting our commercial platforms are compliant with the federal multifactor authentication guidance. These controls are the subject of annual risk assessments to ensure they remain appropriate in light of the threat environment. In the funds transfer realm, among the controls utilized are hard tokens and out-of-band confirmation of payment instructions.</p>
<p>As part of our broader security measures, Capital One provides security &#8211; and safe computing &#8211; related &#8216;best practice&#8217; tips and recommendations to let our small business and commercial clients know what they can do to protect themselves and reduce their fraud risk.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/11/title-firm-sues-bank-over-207k-cyberheist/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>FBI Investigating Cyber Theft of $139,000 from Pittsford, NY</title>
		<link>http://krebsonsecurity.com/2011/06/fbi-investigating-cyber-theft-of-139000-from-pittsford-ny/</link>
		<comments>http://krebsonsecurity.com/2011/06/fbi-investigating-cyber-theft-of-139000-from-pittsford-ny/#comments</comments>
		<pubDate>Fri, 10 Jun 2011 17:05:11 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[Canandaigua National Bank & Trust]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[Town of Pittsford]]></category>
		<category><![CDATA[William Carpenter]]></category>
		<category><![CDATA[ZeuS Trojan]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10269</guid>
		<description><![CDATA[Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.

The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.]]></description>
			<content:encoded><![CDATA[
<p>Computer crooks stole at least $139,000 from the town coffers of <strong>Pittsford, New York </strong>this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/06/pittsford.jpg"><img class="alignright size-full wp-image-10271" title="pittsford" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/pittsford.jpg" alt="" width="257" height="239" /></a>The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several <a title="KrebsOnSecurity Stories involving money mules" href="http://krebsonsecurity.com/?s=money+mules&amp;x=0&amp;y=0" target="_blank">money mules</a>, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services <strong>Western Union</strong> and <strong>Moneygram</strong>.</p>
<p>Over the next four business days, the thieves initiated another three fraudulent batch payments to money mules. Some transfers went to money mules who owned businesses, such as a $14,750 payment to Mission Viejo, Calif. based Art Snyder Software. Most money mules were sent payments of less than $5,000.</p>
<p>Pittsford town supervisor <strong>William Carpenter</strong> said the <strong>FBI</strong> is investigating the incident, and that many of the details of how the attackers got in remain unclear. He said the FBI told him the thieves most likely stole the town&#8217;s online banking password using a banking Trojan. He added that the town has recovered just $4,800 of the stolen funds, the proceeds of a single transfer. I left a message with the FBI field office in New York but haven&#8217;t yet heard back.</p>
<p>&#8220;We have good firewalls and anti-virus software, and we weren&#8217;t at all lax in our security systems,&#8221; Carpenter said. &#8220;We thought we were pretty secure.&#8221;</p>
<p>Carpenter said the fraud went undetected for days. He said the town normally does its direct deposit payroll bi-weekly on Wednesdays, and that the first fraudulent transfers happened during a non-payroll week.</p>
<p><span id="more-10269"></span>The attack happened shortly after Pittsford opened an account with <strong>Canandaigua National Bank &amp; Trust</strong> (CNB), a regional institution based in Canandaigua, N.Y. Carpenter said that prior to banking at Canandaigua, the town held its online accounts at a different bank, where all transactions had to be approved by at least two town officials. But he said the town hadn&#8217;t yet established these dual controls over their account at Canandaigua at the time of the fraud.</p>
<p>Carpenter said he was not fully versed in the security mechanisms in place for the bank&#8217;s commercial customers, but a review of the security procedures displayed on Canandaigua&#8217;s Web site indicates that they include a user name, a password and a set of security questions. Customers also have the option of registering their computers, which involves downloading a CNB certificate or cookie. According to the bank&#8217;s site, &#8220;when you log in from a registered computer you are not required to answer a security question to complete the process.&#8221;</p>
<p>CNB spokesman <strong>Steve Martin</strong> declined to respond to any specific questions about the incident, but he confirmed the information about the bank&#8217;s authentication procedures.</p>
<p>The question of how far commercial banks should go to authenticate their customers was the subject of <a title="Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security" href="http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/" target="_blank">a court battle I wrote about earlier this week</a>. The lawsuit was brought by a Maine construction firm that lost $345,000 in May 2009 when thieves used the ZeuS Trojan to steal the company&#8217;s online banking credentials and defeat their bank&#8217;s online security measures, which were eerily similar to CNB&#8217;s: passwords, secret questions and registered computers. That case also involved a series of fraudulent transfers that took place over the course of a week.  A magistrate in that case issued a recommended decision earlier this month that said the bank&#8217;s security measures were sufficient to meet federal guidelines on ebanking authentication.</p>
<p>The proliferation of commercial banking thefts involving the ZeuS Trojan and other sophisticated attack tools underscores the asymmetry between the attackers and defenders. As I have detailed <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">in more than 75 stories on this topic</a>, ZeuS allows attackers to manipulate the victim&#8217;s browser and to log in to the victim&#8217;s bank account using the victim&#8217;s own PC, effectively negating any security that a device fingerprint or registered computer may provide.</p>
<p>Unfortunately, these attacks will continue; I&#8217;ve been in touch with three other organizations in the past week that have experienced losses from ebanking thefts but have asked not to be named. There are millions of towns, cities, nonprofits, churches and small businesses that remain dangerously exposed to this type of attack, and far too many banks that are not doing enough to educate their customers about the threat and to implement systems capable of detecting the attacks when they occur.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/06/fbi-investigating-cyber-theft-of-139000-from-pittsford-ny/feed/</wfw:commentRss>
		<slash:comments>65</slash:comments>
		</item>
		<item>
		<title>Sold a Lemon in Internet Banking</title>
		<link>http://krebsonsecurity.com/2011/02/sold-a-lemon-in-internet-banking/</link>
		<comments>http://krebsonsecurity.com/2011/02/sold-a-lemon-in-internet-banking/#comments</comments>
		<pubDate>Wed, 23 Feb 2011 05:46:35 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Amit Klein]]></category>
		<category><![CDATA[First Bank Kansas]]></category>
		<category><![CDATA[Green Ford Sales]]></category>
		<category><![CDATA[Lease Duckwall]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[Trusteer]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=7645</guid>
		<description><![CDATA[An online banking robbery in which computer crooks stole $63,000 from a Kansas car dealership illustrates the deftness with which cyber thieves are flouting the meager security measures protecting commercial accounts at many banks.]]></description>
			<content:encoded><![CDATA[
<p>An online bank robbery in which computer crooks stole $63,000 from a Kansas car dealership illustrates the deftness with which cyber thieves are flouting the meager security measures protecting commercial accounts at many banks.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/02/greenteam.jpg"><img class="alignright size-full wp-image-8154" title="greenteam" src="http://krebsonsecurity.com/wp-content/uploads/2011/02/greenteam.jpg" alt="" width="218" height="98" /></a>At 7:45 a.m. Monday, Nov. 1, 2010, the controller for Abilene, Kansas-based <a href="http://www.green-team.com/ou/abilene-auto/console.do?page=a_history" target="_blank">Green Ford Sales, Inc.</a> logged into his account at <a href="https://www.firstbankkansas.com/home/home" target="_blank">First Bank Kansas</a> to check the company&#8217;s accounts. Seven hours later, he logged back in and submitted a payroll batch for company employees totaling $51,970. The bank&#8217;s authentication system sent him an e-mail to confirm the batch details, and the controller approved it.</p>
<p>The controller didn&#8217;t know it at the time, but thieves had already compromised his Microsoft Windows PC with a copy of the <strong>ZeuS trojan</strong>, which allowed them to monitor his computer and log in to the company&#8217;s bank account using his machine. Less than an hour after the bookkeeper approved the payroll batch, bank records show, the thieves logged in to Green Ford&#8217;s account from the same Internet address normally used by the dealership, using the controller&#8217;s correct user name and password.</p>
<p>The attackers cased the joint a bit &#8212; checking the transaction history, account summary and balance &#8212; and then logged out. They waited until 1:04 p.m. the next day to begin creating their own $63,000 payroll batch, by adding nine new &#8220;employees&#8221; to the company&#8217;s books. The employees added were in fact <a href="http://krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/" target="_blank">money mules,</a> willing or unwitting individuals recruited through work-at-home job scams to help crooks launder stolen funds.</p>
<p>Green Ford&#8217;s controller never received the confirmation email sent by the bank to verify the second payroll batch initiated by the fraudsters, because the crooks also had control over the controller&#8217;s e-mail account.</p>
<p>&#8220;They went through and deleted it,&#8221; said Green Ford owner <strong>Lease Duckwall</strong>. &#8220;If they had control over his machine, they&#8217;d have certainly had control over his email and the password for that, too.&#8221;</p>
<p>To me, this attack gets to the heart of why these e-banking thefts continue unabated at banks all over the country every week: An attacker who has compromised an account holder&#8217;s PC can control every aspect of what the victim sees or does not see, because that bad guy can then intercept, delete, modify or re-route all communications to and from the infected PC. <span class="pullquote pqLeft">If a bank&#8217;s system of authenticating a transaction depends solely on the customer&#8217;s PC being infection-free, then that system is trivially vulnerable to compromise in the face of today&#8217;s more stealthy banking trojans.</span></p>
<p>It is difficult to believe that there are still banks that are using nothing more than passwords for online authentication on commercial accounts. Then again, some of the techniques being folded into today&#8217;s banking trojans can defeat many of the most advanced client-side authentication mechanisms in use today.</p>
<p>Banks often complain that commercial account takeover victims might have spotted thefts had the customer merely reconciled its accounts at day&#8217;s end. But several new malware strains allow attackers to manipulate the balance displayed when the victim logs in to his or her account.</p>
<p>Perhaps the most elegant fraud techniques being built into trojans involve an approach known as &#8220;session riding,&#8221; where the fraudster in control of a victim PC simply waits until the user logs in, and then silently hijacks that session to move money out of the account.</p>
<p><strong>Amit Klein</strong>, chief technology officer at <strong>Trusteer</strong>, blogged this week about a relatively new strain of malware <a href="http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D" target="_blank">dubbed OddJob</a>, which hijacks customers&#8217; online banking sessions in real time using their session ID tokens. According to Klein, OddJob keeps online banking sessions open after customers think they have &#8220;logged off,&#8221; enabling criminals to extract money and commit fraud unnoticed.</p>
<p>All of these developments illustrate the need for some kind of mechanism on the bank&#8217;s end for detecting fraudulent transactions, such as building profiles of what constitutes normal customer activity and looking for activity that appears to deviate from that profile. For example, in almost every case I&#8217;ve written about, the victim was robbed after thieves logged in and added multiple new names to the payroll. There are most certainly other such markers that are common to victims of commercial account fraud, and banks should be looking out for them. Unfortunately, far too many small to mid-sized banks outsource much of their visibility at the transaction level to third-party service providers, most of whom have been extremely slow to develop and implement solutions that would enable partner banks to flag many warning signs of account takeovers.</p>
<p><span id="more-7645"></span></p>
<p>FOLLOWING THE MONEY</p>
<p>Duckwall praises his bank for moving quickly to contact the mules&#8217; banks after being alerted by the company&#8217;s controller at 8 a.m. on Nov. 3. But he said the recovery effort was slowed considerably by the responses from many of the mules&#8217; banks.</p>
<p>&#8220;The really frustrating thing was we got on the phone with our bank and they immediately contacted all of the other banks, and most of them in turn fax or email you a form that you have to fill out, sign and send back,&#8221; Duckwall said. &#8220;It&#8217;s just really frustrating how long it takes to try to stop something like that. It was kind of a large disruption in our operation.&#8221;</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/02/recompany.jpg"><img class="alignright size-medium wp-image-8155" title="recompany" src="http://krebsonsecurity.com/wp-content/uploads/2011/02/recompany-300x188.jpg" alt="" width="300" height="188" /></a>Duckwall reached out to one of the mules, a man named Shawn Young from New York, who received nearly $5,000 of Green Ford&#8217;s money. Young hadn&#8217;t yet wired the money overseas as instructed by his recruiters, a bogus entity calling itself &#8220;R.E. Company&#8221; (its Web site is still up at <a href="http://re-apc.com">this link</a>). Young said he communicated with the mule recruiters at R.E. Company by logging in to his account at <a href="http://rebackofficepanel.com">this Web site</a>, uploading his personal and bank account information, and awaiting instructions. Those instructions would later arrive on Nov. 3 (see screen shot below left).</p>
<p>Duckwall said First Bank Kansas managed to recover all but $22,000 of the stolen funds, and that the company and bank have made several security adjustments since the incident.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/02/recompany1.jpg"><img class="alignleft size-medium wp-image-8156" title="recompany1" src="http://krebsonsecurity.com/wp-content/uploads/2011/02/recompany1-239x300.jpg" alt="" width="239" height="300" /></a> &#8220;Two confirming e-mails are sent&#8230;one to me, and one to [the controller]. Our ACH limit for our account is kept at $0 all the time except for pay days,&#8221; Duckwall explained in an email. &#8220;Then the bank president raises the limit. On paydays, the limit is raised, [the controller] logs in and creates the ACH batch file, and [he] contacts me. I log in, review the file, and authorize it. I use a machine from home for that. Then I notify the bank president, who lowers our limit back to $0. Every time the controller and I log in we request an email passcode (no cookies set on our machines). I receive all of the confirming emails that are generated by the system, on four different machines.&#8221;</p>
<p>From where I sit, that&#8217;s a ridiculous number of hoops to have to jump through to make a payroll every other week. Also, those changes don&#8217;t address the root of the problem: They still succeed or fail based on an insecure mode of communication (email) that can be hijacked on the customer&#8217;s end. What&#8217;s more, these changes continue to push all of the security and authentication of the transaction out to the customer, which is always the weakest link.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/02/sold-a-lemon-in-internet-banking/feed/</wfw:commentRss>
		<slash:comments>157</slash:comments>
		</item>
		<item>
		<title>Authorities Nab More ZeuS-Related Money Mules</title>
		<link>http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules/</link>
		<comments>http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 15:02:48 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Dorin Codreanu]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[Lilian Adam]]></category>
		<category><![CDATA[Moldova]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6372</guid>
		<description><![CDATA[Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months. In Wisconsin, police arrested two young men who were wanted as part of a crackdown in late [...]]]></description>
			<content:encoded><![CDATA[
<p>Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months.</p>
<p>In Wisconsin, police arrested two young men who were wanted as part of <a href="http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/" target="_blank">a crackdown in late September</a> on money mules who were in the United States on J1 student visas. The men, both 21 years old, are thought to have helped transfer money overseas that was stolen from U.S. organizations with the help of malicious software planted by <a href="http://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/" target="_blank">attackers in Eastern Europe</a>.</p>
<div id="attachment_6396" class="wp-caption alignright" style="width: 310px"><a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/codadam2.jpg"><img class="size-full wp-image-6396" title="codadam2" src="http://krebsonsecurity.com/wp-content/uploads/2010/11/codadam2.jpg" alt="" width="300" height="199" /></a><p class="wp-caption-text">Codreanu and Adam</p></div>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/codreanu.pdf" target="_blank">Dorin Codreanu</a> and <a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/adam.pdf" target="_blank">Lilian Adam</a>, both originally from Moldova, are being transferred to New York, where they <a href="http://www.fbi.gov/wanted/alert/federal-cyber-crime-charges" target="_blank">were charged</a> on Sept. 30 in connection with the international money laundering scheme (hat tip to <a href="http://nakedsecurity.sophos.com/2010/11/05/two-suspected-zbot-mules-arrested-in-wisconsin/#respond" target="_blank">Sophos</a>).</p>
<p>In related news, the government of Moldova&#8217;s Specialized Services Center for Combating Economic Crimes and Corruption (CCECC) <a href="http://en.cccec.md/news/?nid=395c5e1ad4ec4308c80878ef4d6ebf26" target="_blank">announced</a> late last month that it had detained six individuals suspected of helping the same international ZeuS gang launder money.</p>
<p>All six of those detained were bank employees, and one worked at the Bank of Moldova. According to Moldovan authorities, the suspects allegedly specialized in intercepting <strong>Western Union</strong> and <strong>MoneyGram</strong> payments that mules had sent to Eastern Europe after receiving bank transfers from organizations victimized by the ZeuS Trojan.</p>
<p>Altogether, Moldovan prosecutors are looking at 12 suspects, including a government official who is alleged to have provided the group with copies of ID cards needed to open bank accounts. That nation&#8217;s anti-corruption center said it has conducted over 30 searches at detainees&#8217; houses, and seized at least $300,000, a gun, and two luxury cars.</p>
<p>Eleven of the 37 money mules charged in September in connection with these attacks are still at large. Photos of the suspects are available at <a href="http://www.fbi.gov/wanted/alert/federal-cyber-crime-charges" target="_blank">this alert</a> posted by the FBI.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules/feed/</wfw:commentRss>
		<slash:comments>32</slash:comments>
		</item>
		<item>
		<title>Fake LinkedIn Invite Leads to ZeuS Trojan</title>
		<link>http://krebsonsecurity.com/2010/09/fake-linkedin-invite-leads-to-zeus-trojan/</link>
		<comments>http://krebsonsecurity.com/2010/09/fake-linkedin-invite-leads-to-zeus-trojan/#comments</comments>
		<pubDate>Tue, 28 Sep 2010 16:26:25 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[Cisco Systems]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[LinkedIn.com]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[SEO Exploit Pack]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=5347</guid>
		<description><![CDATA[A major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan. ]]></description>
			<content:encoded><![CDATA[
<p>A major new malware spam campaign mimicking invites sent via business networking site <strong>LinkedIn.com </strong>leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing <strong>ZeuS Trojan</strong>.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/09/linksink.jpg"><img class="alignright size-medium wp-image-5348" title="linksink" src="http://krebsonsecurity.com/wp-content/uploads/2010/09/linksink-300x178.jpg" alt="" width="300" height="178" /></a>The spam campaign began Monday morning, according to security experts at networking giant <strong>Cisco Systems</strong>, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, &#8220;Please Waiting, 4 seconds,&#8221; and then sent on to Google.com.</p>
<p>On the way to Google, however, the victim&#8217;s browser is silently passed through a site equipped with what <a href="http://webcache.googleusercontent.com/search?q=cache:kzZxBFCenh4J:viralerts.com/%3Ftag%3Dcountry+borlakas.info+exploit+pack&amp;cd=1&amp;hl=en&amp;ct=clnk&amp;gl=us&amp;client=firefox-a" target="_blank">appears to be</a> the <a href="http://www.ipolicynetworks.com/technology/files/Seo_Sploit_Kit.html" target="_blank">SEO Exploit Pack</a>, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install <a href="http://www.avertlabs.com/research/blog/index.php/2010/09/20/zeus-crimeware-toolkit/" target="_blank">ZeuS</a>.</p>
<p>This attack will no doubt fool a large number of people. <strong>Dan Tynan</strong>, a reporter for IT World, said he was <a href="http://www.pcworld.com/article/206372/Warning_Fake_LinkedIn_Spam_Can_Steal_Your_Bank_Passwords.html?tk=rss_news" target="_blank">tricked into clicking the link</a> and possibly infecting his system.</p>
<p>It&#8217;s a good idea to avoid clicking social networking site invites that arrive by e-mail, especially if you don&#8217;t recognize the name of the person who&#8217;s inviting you. Instead, consider just browsing to the social networking site and handling any invites there. Also, this attack is a good reminder that it pays to <a href="http://krebsonsecurity.com/2010/09/revisiting-secunias-personal-software-inspector/" target="_blank">stay up-to-date on the latest security patches</a>.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/04/seosploitpack.jpg"><img class="aligncenter size-full wp-image-2450" title="seosploitpack" src="http://krebsonsecurity.com/wp-content/uploads/2010/04/seosploitpack.jpg" alt="" width="540" height="89" /></a></p>
<p>What interests me most about this scam is that it shows that criminals wielding ZeuS are now using employment-oriented online services both to infect new PCs and to &#8220;cash out&#8221; these same victims, thanks to <a href="http://krebsonsecurity.com/?s=money+mules&amp;x=0&amp;y=0" target="_blank">money mules</a> recruited at job search sites like <strong>Monster.com </strong>and <strong>Careerbuilder.com</strong>.</p>
<p>I asked Cisco to supply more information about the domains used in this attack. Some of that information is included at the summary listed <a href="http://krebsonsecurity.com/wp-content/uploads/2010/09/linkedmal.htm" target="_blank">here</a> (please take care with the domains on this list &#8212; they all should be considered hostile).</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/09/fake-linkedin-invite-leads-to-zeus-trojan/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>A One-Stop Money Mule Fraud Shop</title>
		<link>http://krebsonsecurity.com/2010/09/a-one-stop-money-mule-fraud-shop/</link>
		<comments>http://krebsonsecurity.com/2010/09/a-one-stop-money-mule-fraud-shop/#comments</comments>
		<pubDate>Mon, 13 Sep 2010 05:09:10 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[Lydon Online]]></category>
		<category><![CDATA[McKeanstergroup-inc.cc]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[mycareerjob.net]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4586</guid>
		<description><![CDATA[A recent chat with an individual who was almost tricked into helping organized criminals launder thousands of dollars stolen through e-banking fraud introduced me to one of the most clever and convincing money mule recruitment Web sites I&#8217;ve ever encountered. Through the use of images stolen from legitimate Web sites and well-placed video and interactive [...]]]></description>
			<content:encoded><![CDATA[
<p>A recent chat with an individual who was almost tricked into helping organized criminals launder thousands of dollars stolen through e-banking fraud introduced me to one of the most clever and convincing money mule recruitment Web sites I&#8217;ve ever encountered. Through the use of images stolen from legitimate Web sites and well-placed video and interactive content, this bogus work-at-home job site may become a model for mule recruitment scams to come.</p>
<div id="attachment_4967" class="wp-caption alignright" style="width: 310px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/09/lydontraining1.jpg"><img class="size-medium wp-image-4967" title="lydontraining" src="http://krebsonsecurity.com/wp-content/uploads/2010/09/lydontraining1-300x226.jpg" alt="" width="300" height="226" /></a><p class="wp-caption-text">Training to be a &quot;financial agent,&quot; a.k.a. a &quot;money mule.&quot;</p></div>
<p>Money mules are people willingly or unwittingly lured into helping crooks launder stolen funds, usually through work-at-home job scams. Reshipping mules are sent goods and asked to reship them to addresses abroad, or are sent money and asked to purchase goods and then ship them overseas. In both jobs, the mule usually earns a commission for his or her work (either a fixed percentage of the transfer or permission to keep one of the purchased goods), but both are usually cut loose before they see their promised paychecks.</p>
<p>A mule who spoke with KrebsOnSecurity.com on condition of anonymity said he was recruited as a financial agent by <a href="http://www.mycareerjob.net/" target="_blank">Lydon Online</a>, which communicated with him via Web-based e-mails (see image directly below), as well as via cell phone text messages.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/09/lydoninbox.jpg"><img class="alignleft size-medium wp-image-4973" title="lydoninbox" src="http://krebsonsecurity.com/wp-content/uploads/2010/09/lydoninbox-300x185.jpg" alt="" width="300" height="185" /></a>The mule, whom we&#8217;ll call &#8220;Jeremy,&#8221; ignored instructions to supply his bank account information in preparation for receiving deposits from Lydon Online. That&#8217;s because shortly after signing up with Lydon, Jeremy learned that <a href="http://www.mcKeanstergroup-inc.cc" target="_blank">another company</a> which also had hired him for a work-at-home job as a financial agent had tried to send him nearly $10,000 stolen from a Pennsylvania dental practice that was robbed of many times that amount last month (the dental office also agreed to speak to me on the condition of anonymity).</p>
<p>You need a valid set of credentials to see some of the more interesting sections of mycareerjob.net, but the site&#8217;s designers did a superb job making it look legitimate. Included on nearly every page are pictures of fellow &#8220;employees,&#8221; and exemplary trainees, which are really just photos lifted from dozens of random Web sites. Among my favorite areas of the site is the <a href="http://www.mycareerjob.net/index.php?option=com_content&amp;view=article&amp;id=24&amp;Itemid=58" target="_blank">Agent Awards section</a>, which includes a couple of photos swiped from <a href="http://www.travelweekly.co.uk/Articles/2008/05/28/27727/travel-weekly-agent-excellence-awards-midlands-winners.html" target="_blank">Travel Weekly</a>.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/09/lydonsecondlife.jpg"><img class="alignright size-medium wp-image-4993" title="lydonsecondlife" src="http://krebsonsecurity.com/wp-content/uploads/2010/09/lydonsecondlife-300x219.jpg" alt="" width="300" height="219" /></a>In a section touting the beauty of working remotely via the Internet, mycareerjob.net sings the praises of an alternate reality game called <a href="http://secondlife.com/" target="_blank">Second Life</a>, promising recruits that they will soon have the opportunity to interact with clients via Second Life.</p>
<p>The part of the site that really takes the cake is the interactive &#8220;agent training&#8221; video, which uses a computerized voice and images from the cult hacker film <a href="http://www.imdb.com/title/tt0133093/" target="_blank">The Matrix</a> to walk new recruits through the daily routine of a reshipping mule. Click on the embedded <a href="http://www.youtube.com/watch?v=xQ1uK-MFUu8" target="_blank">YouTube.com video</a> below to watch the training message. A transcript of the instructions contained in the video is available at <a href="http://krebsonsecurity.com/wp-content/uploads/2010/09/agentprep.htm" target="_blank">this link</a>.</p>
<p style="text-align: center;"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="344" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/xQ1uK-MFUu8?hl=en&amp;fs=1" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="425" height="344" src="http://www.youtube.com/v/xQ1uK-MFUu8?hl=en&amp;fs=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/09/a-one-stop-money-mule-fraud-shop/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>Crooks Who Stole $600,000 From Catholic Diocese Said Money Was for Clergy Sex Abuse Victims</title>
		<link>http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese-said-money-was-for-clergy-sex-abuse-victims/</link>
		<comments>http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese-said-money-was-for-clergy-sex-abuse-victims/#comments</comments>
		<pubDate>Mon, 30 Aug 2010 15:30:18 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[Catholic Diocese of Des Moines]]></category>
		<category><![CDATA[Daniel Higgins]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[moneygram]]></category>
		<category><![CDATA[Wester Union]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4791</guid>
		<description><![CDATA[Organized thieves stole more than $600,000 from the <strong>Catholic Diocese of Des Moines, Iowa</strong> earlier this month, sending the money in small chunks overseas with the help of dozens of co-conspirators here in the United States.]]></description>
			<content:encoded><![CDATA[
<p>Organized cyber thieves stole more than $600,000 from the <strong>Catholic Diocese of Des Moines, Iowa</strong> earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals, KrebsOnSecurity.com has learned.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/08/ddm.jpg"><img class="alignright size-medium wp-image-4795" title="ddm" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/ddm-300x93.jpg" alt="" width="300" height="93" /></a>In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese&#8217;s online banking credentials. The Diocese said it was alerted to the fraud on Aug. 17 by its financial institution, <strong>Bankers Trust</strong> of Des Moines.</p>
<p>The diocese also said the <strong>FBI</strong> and <strong>U.S. Treasury Department </strong>were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered.</p>
<p>The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries.</p>
<p>&#8220;While the Diocese of Des Moines is protected by insurance and anticipates the restoration of the funds, we have been advised that such criminal activity is rampant,&#8221; <strong>Des Moines Bishop Richard Pates</strong> said. &#8220;Obviously, any entity that experiences such a crime should be significantly concerned.&#8221;</p>
<p>Once again, the theft involves so-called <a href="http://krebsonsecurity.com/2010/05/fbi-promises-action-against-money-mules/" target="_blank">money mules</a> willingly or unwittingly recruited by a specific money mule cash-out gang whose work I have written about several times already. Among the mules involved in this incident was a man in Newnan, Ga. who received almost $30,000 of the church&#8217;s cash. <strong>Daniel Huggins</strong>, the 29-year-old owner of <strong>Masonry Construction Group LLC</strong>, got mixed up with a company calling itself the <strong>Impeccable Group</strong>, claiming to be an international finance company operating out of New York.</p>
<p>Huggins said the Impeccable Group recruited him via e-mail, claiming it had found his resume on job search site <strong>Monster.com</strong>. The Impeccable Group told him he would be doing payment processing for the company, and on Aug. 16, Huggins&#8217; erstwhile employers sent him two payments, one for almost $20,000 and another for slightly less than $10,000.</p>
<p>Huggins said he contacted the Impeccable Group shortly after the transfers because the amounts seemed quite high and the transfers appeared to be coming from the Catholic Church. The scammers apparently were ready for this question and were quick on their feet with a reply that was as plausible as it was diabolical: Huggins was told the money was going to be distributed as legal settlements to people who had been affected by the <a href="http://www.americancatholic.org/news/clergysexabuse/" target="_blank">clergy sexual abuse scandals</a> that have rocked the church in recent years.</p>
<p>&#8220;They told me it was going to be payouts to some of the settlements in the sex crimes cases against the Church,&#8221; Huggins said.</p>
<p>Huggins&#8217; bank discovered the fraud and froze his account while there was still almost $10,000 left in it from the fraudulent transfers. Huggins said he was told to expect a call from lawyers for the Des Moines diocese, but he&#8217;s conflicted about whether he will return the money he made from his part in the scam: Minus the <strong>Western Union</strong> and <strong>Moneygram</strong> wire fees, Huggins earned commissions totaling nearly $800 for helping the thieves transfer the stolen money out of the country.</p>
<p>&#8220;I already sent the money to pay off my credit card balance,&#8221; Huggins said. &#8220;I guess I&#8217;m still up in the air on that one.&#8221;</p>
<p>The screen shots below were taken of Huggins&#8217; &#8220;task manager,&#8221; an online communications panel that Impeccable Group used to communicate with money mules they had recruited.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh.jpg"><img class="aligncenter size-full wp-image-4794" title="cdd-dh" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh.jpg" alt="" width="561" height="573" /></a></p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh2.jpg"><img class="aligncenter size-full wp-image-4799" title="cdd-dh2" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh2.jpg" alt="" width="526" height="807" /></a></p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh3.jpg"><img class="aligncenter size-full wp-image-4800" title="cdd-dh3" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh3.jpg" alt="" width="501" height="806" /></a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese-said-money-was-for-clergy-sex-abuse-victims/feed/</wfw:commentRss>
		<slash:comments>43</slash:comments>
		</item>
		<item>
		<title>Texas Firm Blames Bank for $50,000 Cyber Heist</title>
		<link>http://krebsonsecurity.com/2010/08/texas-firm-blames-bank-for-50000-cyber-heist/</link>
		<comments>http://krebsonsecurity.com/2010/08/texas-firm-blames-bank-for-50000-cyber-heist/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 13:21:38 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[Community Bank]]></category>
		<category><![CDATA[Deans Lyons]]></category>
		<category><![CDATA[Gary Evans]]></category>
		<category><![CDATA[Hi-Line Supply Inc.]]></category>
		<category><![CDATA[Inc.]]></category>
		<category><![CDATA[Josh Enlow]]></category>
		<category><![CDATA[Michael Lyons]]></category>
		<category><![CDATA[money mules]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4274</guid>
		<description><![CDATA[A business telephone equipment company in Texas is trying to force its bank into a settlement over an attack by organized cyber thieves last year that cost the company $50,000.

Attorneys for Dallas-based <strong>Hi-Line Supply Inc. </strong>recently convinced a state court to require depositions from officials at <strong>Community Bank, Inc.</strong> of Rockwall, Texas, to learn more about what the bank knew in the days and hours surrounding Aug. 20, 2009, when crooks broke into the company's online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.]]></description>
			<content:encoded><![CDATA[
<p>A business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000.</p>
<p>Attorneys for Dallas-based <strong>Hi-Line Supply Inc. </strong>recently convinced a state court to require depositions from officials at <strong>Community Bank, Inc.</strong> of Rockwall, Texas. Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company&#8217;s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.</p>
<p>While the contents of that deposition remain closed under a confidentiality order, Hi-Line&#8217;s lawyers say the information gleaned in the interviews shows serious security missteps by Community Bank, and that they are ready to sue if the bank does not offer a settlement.</p>
<p>&#8220;In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the <a href="http://www.statutes.legis.state.tx.us/SOTWDocs/BC/htm/BC.17.htm" target="_blank">Texas Deceptive Trade Practices Act</a>, fraud, and breach of warranties, among other things,&#8221; said <strong>Michael Lyons</strong>, a partner with the Dallas law firm <a href="http://deanslyons.com/" target="_blank">Deans Lyons</a>.</p>
<p>Hi-Line president <strong>Gary Evans</strong> said the fraud began on Thursday, Aug. 20, about the same time the company processes its normal $25,000 payroll. After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24.</p>
<p>Evans said he had trouble logging in to his account on Thursday and had the bank reset his password, but the fraudulent transactions hadn&#8217;t shown up on his account at that time. He said he took that Friday off as he always does, and when he tried again to log in after returning to work on Monday, he again found the bank&#8217;s site would not accept his password.</p>
<p>&#8220;When I finally got the bank to reset my password and got into my account, I noticed the duplicate payroll batches and said &#8216;Why are you all pulling my payroll out three times?&#8217;&#8221; Evans said of his recollection of how he came to realize his firm had been robbed. &#8220;At the time, as I was resetting my password, I had to scroll through the bank&#8217;s online customer agreement, which basically said the bank is not responsible for any fraud. I should have known at that point that they were not going to take any responsibility for this at all.&#8221;</p>
<p>Evans said the bank should have detected that something was amiss, and not just because of the unusual and repeated payroll batches. He said the crooks accessed his account from five different Internet addresses with locations that were nowhere near Texas, including from computers located more than 1,300 miles away, in Washington, D.C. and Maryland.</p>
<p>Community Bank did not respond to requests for comment. But in protesting the deposition, Community Bank <a href="http://krebsonsecurity.com/wp-content/uploads/2010/07/04.20.10-Bank-Response2.pdf" target="_blank">claims</a> (PDF) that hackers had infiltrated Evans&#8217; computer with a virus and used it to steal his online banking credentials, which included a user name, password, PIN and several challenge/response questions.</p>
<p>The organized criminal gang that hacked and robbed Hi-Line could not have succeeded without the assistance of &#8220;money mules,&#8221; accomplices who were willingly or unwittingly hired through work-at-home job schemes to help cyber thieves launder stolen funds. Among those lured into the scam was <strong>Josh Enlow</strong>, a 28-year-old gas station attendant in Phoenix. Enlow said he was hired by an entity calling itself <strong>The Total Group Co.</strong>, which initially contacted him in an e-mail stating it had found his resume on a job search Web site, and would he be interested in an &#8220;accounts payable&#8221; position?</p>
<p>A few weeks later, Enlow received &#8220;several&#8221; (he says he doesn&#8217;t recall how many) deposits &#8212; including one transfer for more than $8,400. He then wired the money to individuals in Eastern Europe as instructed, he said. (See screen shots below taken from the Total Group Web site.)</p>
<div id="attachment_4302" class="wp-caption aligncenter" style="width: 593px"><a href="http://krebsonsecurity.com/wp-content/uploads/2010/07/joshenlow.jpg"><img class="size-full wp-image-4302" title="joshenlow" src="http://krebsonsecurity.com/wp-content/uploads/2010/07/joshenlow.jpg" alt="" width="583" height="942" /></a><p class="wp-caption-text">The receipt Enlow received for one of the transfers from Hi-Line&#39;s hacked account.</p></div>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/08/texas-firm-blames-bank-for-50000-cyber-heist/feed/</wfw:commentRss>
		<slash:comments>54</slash:comments>
		</item>
		<item>
		<title>The Case for Cybersecurity Insurance, Part I</title>
		<link>http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/</link>
		<comments>http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 16:41:02 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[Ann Talbot]]></category>
		<category><![CDATA[California Bank of Commerce]]></category>
		<category><![CDATA[cybersecurity insurance]]></category>
		<category><![CDATA[Golden State Bridge]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[Virginia Robbins]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3706</guid>
		<description><![CDATA[In very few of the many stories I've written about online banking fraud against businesses has insurance paid for much -- if any -- of the losses victim companies suffered. However, several victims I've interviewed from recent incidents did have cybersecurity insurance coverage bundled as part of a larger business risk insurance policies; in each case, the businesses suffered fairly substantial thefts, and appear likely to recoup all of their direct financial losses.]]></description>
			<content:encoded><![CDATA[
<p>In very few of the <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">many stories</a> I&#8217;ve written about online banking fraud against businesses has insurance paid for much &#8212; if any &#8212; of the losses victim companies suffered. However, several victims I&#8217;ve interviewed in recent incidents <em>did</em> have cybersecurity insurance coverage bundled as part of larger business risk insurance policies. In each case, the businesses suffered fairly substantial thefts, and appear likely to recoup all of their direct financial losses.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/06/gsb.jpg"><img class="alignright size-medium wp-image-3710" title="gsb" src="http://krebsonsecurity.com/wp-content/uploads/2010/06/gsb-300x131.jpg" alt="" width="300" height="131" /></a>The most recent incident involved <a href="http://www.gsbridge.com/" target="_blank">Golden State Bridge Inc.</a>, a Martinez, Calif. engineering and construction company that builds bridges. The thieves used an extremely stealthy but as-yet-unclassified strain of malicious software to steal the company&#8217;s online banking credentials, and on May 19th, the crooks used that access to set up a series of fraudulent payroll payments totaling more than $125,000.</p>
<p>Initially, the attackers set up two batches of <a href="http://en.wikipedia.org/wiki/Automated_Clearing_House" target="_blank">automated clearing house</a> (ACH) payments &#8211; one for $50,000 and another for $75,000 &#8211; effectively sending a series of transfers to a dozen different <a href="http://krebsonsecurity.com/?s=money+mule&amp;x=0&amp;y=0" target="_blank">money mules</a>, willing or unwitting individuals lured into helping the criminals launder stolen funds by wiring the funds overseas and taking a small commission (usually 8 percent) for themselves.</p>
<p>When the first two batches were processed by Golden State&#8217;s bank on May 20, the thieves apparently figured they were home free, and set in motion another seven bundles of fraudulent payments for several hundred thousand dollars more, according to <strong>Ann Talbot</strong>, the company&#8217;s chief financial officer.</p>
<p>&#8220;Once they executed those first two successfully, they must have been like, &#8216;Oh, we&#8217;ve hit the mother lode! Let&#8217;s go for it!&#8217;,&#8221; Talbot recalled. &#8220;Had they succeeded in putting those through, we and the bank would have been looking at losses of more than $750,000.&#8221;</p>
<p>But Talbot noticed the fraudulent transfers the day the money started moving out of Golden State&#8217;s accounts, and sprang into action to get the seven new batches canceled. Unfortunately, by that point most of the mules who were sent loot in the first two batches had already withdrawn their transfers.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/04/ebankvictims.jpg"><img class="alignleft size-medium wp-image-2656" title="ebankvictims" src="http://krebsonsecurity.com/wp-content/uploads/2010/04/ebankvictims-300x140.jpg" alt="" width="300" height="140" /></a>Talbot said nearly all of the money mules were located on the East Coast, which she believes is a tactic designed to give the attackers the longest head start possible before West Coast victims notice the fraudulent transfers.</p>
<p>&#8220;These mules were with East Coast banks, and most of them had [withdrawn] the money from their banks before we were even open for business,&#8221; Talbot said.</p>
<p>For what it&#8217;s worth, I observed this same pattern of the thieves relying mainly on East Coast mules in an earlier post, <a href="http://krebsonsecurity.com/2010/04/charting-the-carnage-from-ebanking-fraud/" target="_blank">Charting the Carnage from eBanking Fraud</a>.</p>
<p>SECRET QUESTION CHECKUPS</p>
<p>Like many financial institutions serving primarily business customers, the <strong>California Bank of Commerce</strong> &#8212; Golden State&#8217;s bank &#8212; pushes most of the security and authentication for its online banking systems out to customers, requiring a simple username and password, and occasionally prompting customers to provide the correct answer to one or more of their &#8220;secret questions&#8221;.</p>
<p>According to Golden State Bridge, the bank has a curious practice of automatically verifying all of its customers&#8217; secret questions and answers every 180 days.</p>
<p>&#8220;So how does it do this? It flashes them on your screen and asks, &#8216;Are these your secret questions and answers? Click &#8216;Yes&#8217; or &#8216;No&#8217;,&#8221; Talbot said.</p>
<p>And when was the last time Golden State was prompted to confirm their secret questions and answers? Why, the very day before the fraudulent transfers began, Talbot said.</p>
<p>&#8220;I don&#8217;t know how long that malware or Trojan was on our machine, it could have been weeks or months,&#8221; Talbot recalled. &#8220;All I know is, we saw this fraud the day after the bank prompted us to confirm all five of those questions and answers.&#8221;</p>
<p><strong>Virginia Robbins</strong>, chief administrative officer at California Bank of Commerce, declined to discuss Golden State&#8217;s claims or even confirm whether the company was a customer. But she emphasized that security is never about just software and hardware.</p>
<p>&#8220;Any financial institution can put all of the controls they want in place, but if their client isn&#8217;t following the instructions or doing things properly, there are certain challenges,&#8221; Robbins said. &#8220;We do look for all of our clients to use dual controls, and we want to make sure there are multiple points of control. Because what we&#8217;re seeing today is that a malware compromise can happen at a single point in the system, and so there have to be multiple controls in place on the customer&#8217;s side.&#8221;</p>
<p>Indeed, Talbot acknowledges that she and her co-workers aren&#8217;t blameless in this incident. For example, the company had previously instituted a series of checks and balances to ensure that no single employee could both initiate and approve a payroll batch. Yet, at one point recently, Golden State Bridge undid that protection to accommodate a special case, but never bothered to put those restrictions back into place.</p>
<p>THIRD TIME&#8217;S A CHARM?</p>
<p>Golden State Bridge purchased $1 million worth of cybersecurity insurance as part of a broader business risk policy offered by <a href="http://www.archinsurance.com/" target="_blank">Arch Insurance Group</a>, one of several firms now offering cybersecurity coverage. The company decided to get the insurance after suffering another major cyber crime incident almost three years ago.</p>
<p>In 2007, Golden State was banking with a financial institution aptly named <strong>Bridge Bank</strong> located in downtown San Jose. One day, the company opened for business to find that someone had wired $79,000 out of its accounts, destined for an account in Russia. Talbot said Bridge Bank shared the Internet address from which the fraudulent online login originated, and that she traced it back to servers operating out of a large building just four blocks away at 55 South Market St.</p>
<p>The owner of those servers was a <a href="http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html" target="_blank">problematic</a> [and now defunct] hosting provider named <strong>McColo</strong>. In 2008, in response to questions from <em>The Washington Post</em> and security researchers about <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/11/19/AR2008111903075.html" target="_blank">massive amounts of fraud, spam and other cyber crime</a> activity flowing in and out of McColo&#8217;s servers, the hosting provider&#8217;s two upstream Internet providers <a href="http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html" target="_blank">pulled the plug</a> on the company. As a result, the volume of spam sent worldwide <a href="http://voices.washingtonpost.com/securityfix/2008/11/spam_volumes_drop_by_23_after.html" target="_blank">tanked overnight</a> &#8212; by some estimates as much as 75 percent. A nest of other fraudulent activity also evaporated (at least for a while) after McColo&#8217;s unplugging: One expert I spoke with who helps retailers control online fraud told me $250,000 worth of retail fraud committed against his customers on a typical day <a href="http://voices.washingtonpost.com/securityfix/2008/12/mccolo_shutdown_killed_retaile.html" target="_blank">completely stopped</a> the day McColo was unplugged.</p>
<p>Talbot said she&#8217;s glad Golden State purchased the insurance: The company managed to recover three of the fraudulent transactions, and its total loss now stands at just shy of $100,000. Golden State Bridge is confident that after paying its $10,000 deductible, the insurance company will cover the rest &#8212; probably by going after the bank. But Talbot said she&#8217;s worried she won&#8217;t be able to afford cyber risk insurance after this latest incident.</p>
<p>&#8220;I don&#8217;t think it will be offered to us again, or if it is, the cost will probably be so incredibly prohibitive that it may not be worth it,&#8221; Talbot said.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/feed/</wfw:commentRss>
		<slash:comments>60</slash:comments>
		</item>
		<item>
		<title>Using Windows for a Day Cost Mac User $100,000</title>
		<link>http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/</link>
		<comments>http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/#comments</comments>
		<pubDate>Wed, 02 Jun 2010 04:11:27 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[DKG Enterprises]]></category>
		<category><![CDATA[Joe Dunn]]></category>
		<category><![CDATA[Mac]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3247</guid>
		<description><![CDATA[David Green normally only accessed his company's online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm's account. Trouble was, he'd left his Mac at work. So he decided to log in to the company's bank account using his wife's Windows PC.

Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

A few days later, the crooks used those same credentials to steal nearly $100,000 from the company's online accounts, sending the money in sub-$10,000 and sub-$5,000 chunks to 14 individuals across the United States.]]></description>
			<content:encoded><![CDATA[
<p><strong>David Green</strong> normally only accessed his company&#8217;s online bank account from his trusty <strong>Mac</strong> laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm&#8217;s account. Trouble was, he&#8217;d left his Mac at work. So he decided to log in to the company&#8217;s bank account using his wife&#8217;s <strong>Windows PC</strong>.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/pig-e-bank.jpg"><img class="alignright size-medium wp-image-3317" title="pig-e-bank" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/pig-e-bank-262x300.jpg" alt="" width="262" height="300" /></a>Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.</p>
<p>A few days later, the crooks used those same credentials to steal nearly $100,000 from the company&#8217;s online accounts, sending the money in sub-$10,000 and sub-$5,000 chunks to 14 individuals across the United States.</p>
<p>Now, Green&#8217;s firm &#8212; <strong>DKG Enterprises</strong>, a party supplies firm based in Oklahoma City &#8212; is wrangling with its bank over who should pay for the loss, said <strong>Joe Dunn</strong>, the company&#8217;s controller. So far, DKG has managed to recover just $22,000 of the $98,000 stolen in the April 27 incident.</p>
<p>Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I&#8217;ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What&#8217;s more, the tools these crooks are using &#8212; mainly the Zeus Trojan &#8212; almost always outpace anti-virus detection at least by a few days, and by then it&#8217;s usually too late.</p>
<p>But the advice about banking on a dedicated, non-Windows machine only works if you follow it <em>all the time</em>. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only <em>some of the time.</em></p>
<p>&#8220;He knew better than that,&#8221; Dunn said of his boss&#8217;s logging into the family Windows machine. &#8220;The thing about it is this wouldn&#8217;t have been able to happen if the security had been in place that is currently in place, which means he can only access the bank&#8217;s site from his Mac. We no longer allow access from any other computer other than his.&#8221;</p>
<p>Dunn said that not long after the fraudulent transfers were sent out, he heard from one of the <a href="http://krebsonsecurity.com/2010/05/fbi-promises-action-against-money-mules/" target="_blank">money mules</a> that were sent the firm&#8217;s money and asked to wire it overseas to the fraudsters.</p>
<p>&#8220;This guy, he went to go use his debit card to fill up his car at a gas station and his card was declined,&#8221; Dunn said. &#8220;He was trying to figure out what had happened, so he researched where the money came from, went online and called the first number he could find and of course he got me. All I could do is refer him to the FBI. I think he&#8217;d figured out by that point what had happened.&#8221;</p>
<p>Dunn added the company&#8217;s bank is disavowing any responsibility for the incident, but that there is a small silver lining.</p>
<p>&#8220;Our take is we weren’t provided the utmost security to prevent this from happening,&#8221; he said. &#8220;It’s sad in this day and age, and we&#8217;ll probably have to take it as a hard lesson learned. On the bright side, though, the owner&#8217;s wife now has a new Mac.&#8221;</p>
<p>Further Reading: <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">Target: Small Businesses</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/feed/</wfw:commentRss>
		<slash:comments>204</slash:comments>
		</item>
	</channel>
</rss>

