January 22, 2010

Jan. 7, 2010 was a typical sunny Thursday morning at the Delray Beach Public Library in coastal Florida, aside from one, ominous dark cloud on the horizon: It was the first time in as long as anyone could remember that the books simply weren’t checking out.

Sure, patrons were still able to borrow tomes in the usual way — by presenting their library cards. The trouble was, none of the staff could figure out how or why nearly $160,000 had disappeared from their bank ledgers virtually overnight. The money was sent in sub-$10,000 chunks to some 16 new employees that had been added to the usual outgoing direct deposit payroll.

One of those phantom employees was 19-year-old Brittany Carmine, 900 miles to the north in Richmond, Va. Carmine had just  lost her job at a local marketing firm when she received a work-at-home job offer from a company calling itself the Prestige Group. She said after researching the company online, she decided it was legitimate, and filled out the paperwork to begin her employment. Just days later, she received a bank deposit of $9,649, with instructions to wire all but roughly $770 of that to individuals in Ukraine.

Carmine said she successfully wired all of the money to three different individuals overseas, via Western Union and Moneygram. I’ve always wondered why the thieves have their recruits break the money up into sub-$3,000 payments, and Carmine’s description of her experience seems to offer one possible, obvious answer: Breaking that threshold sometimes raises red flags at the money transfer offices.

“At one of the places, the transfer with the fees and everything was more than $3,000, and they said they had to call it in,” Carmine said, of her experience at one Western Union shop. “But I guess it checked out okay, because the money went through.”

Western Union did not return calls seeking comment. I will update this post in the event I hear back from them.

The next day, Carmine found she had a negative $9,649 balance at her bank, which froze her account and sent an investigator to hound her for the money. Brittany says she doesn’t have the money to pay back, but that the whole incident could have been worse. That’s because her mom also had signed up to be a financial agent with the aforementioned Prestige Group, only she hadn’t yet received any money transfers into her account.

The library would later learn that the attackers had swiped its online banking credentials with the help of a password-stealing computer virus, and then initiated a batch of sub-$10,000 transfers to Carmine and 15 other so-called money mules. Because staffers at the library noticed the fraud immediately, their bank was able to reverse most of the other bogus transfers and was willing to refund the library the remaining amount, said Karen Evanson, assistant director at the Delray Beach Public Library (by the way, I am having serious library envy: take a look at this ginormous library: It is two stories, stretches its 250,000 volume collection over 46,826 square feet, and has a coffee bar and a cafe, among other amenities.)

This story highlights a few very stubborn facts about these types of attacks and scams:

-Particularly in this economy, there is a boundless supply of potential money mules like Brittany Carmine and her mom.

-Currently, there is no prosecution or any other disincentive that might discourage people from becoming money mules.

-Very few money mules ever suffer directly for their participation in these crimes. Most get to keep their commissions (although it is highly likely that most of these mules will become victims of identity theft somewhere down the road).

-Any anti-fraud mechanisms that organizations like Western Union and Moneygram may have put in place to deal with this type of money laundering activity do not appear to be working.

-Most small to mid-sized businesses and organizations like this library remain at the mercy of their bank if they suffer one of these attacks. Most banks are not as gracious as the one serving Delray Public Library, and will blame the customer.

-These attacks will continue until the perpetrators in Eastern Europe are brought to justice.

-The organized criminals behind this attack are making off with millions of dollars a week from victims. New information I’ve obtained recently strongly suggests that the group that hit Delray Beach Public Library also was responsible for the $3,000,000 fraud perpetrated against Duanesburg Central School District in upstate New York late last year.

26 thoughts on “Cyber Crooks Cooked the Books at Fla. Library

  1. rybolov

    Hi Brian.

    By using the red-flag rules, they force criminals to use more mules and more transactions. The more different people they use, the higher the chances of the illegal activity being detected. So the rules here work to a point.

    It still is bad for the library and the money mules: they’re the people that lose in the end, usually when they can’t afford to lose anything.

  2. SpamIsLame

    At some point, this has to affect Western Union (especially) and Moneygram, which remain the key vehicles for executing this fraud.

    When will someone go after them? Honestly this is going on numerous years now in terms of rampant online fraud. Banks have as many checks and balances in place as they can, but the key component of this remains Western Union.

    There has to be some way to set up some kind of sting operation involving Western Union especially.

    And yes, I imagine these criminals likely *do* also use hapless individuals on the other end of this equation, doing the pickup for them. Something has got to give.

    I have been steadfastly recommending *against* the use of Western Union for at least six years now. The second I hear those words, I instantly think “fraud”. That can’t be good for that company or its employees.

    SiL / IKS / concerned citizen

    1. JackRussell

      I agree that WU and Moneygram really need to put some much stronger controls in place.

      But I wonder what would happen then – would the money mules then be instructed to put cash in an envelope and Fedex it to the Ukraine?

    2. Rick

      The key vehicle is not Western Union. The key vehicle is not MoneyGram. It is Microsoft Windows. There’s a famous river in Egypt and you’re sinking in it.

    3. JPO

      The financial industry can no longer go back to paper transactions to process the moving of money; they make too much money by moving it around rapidly. Require any fraudulent transactions to be covered by the banking industry. When they are required to cover these losses, they will find a way to prevent the fraud. If the law requires Bank of America to cover millions of dollars in fraudulent withdrawals from the accounts of their clients, you will see a solution quickly.

      I don’t think you can drop the policing on WU; they are a third party. It would be quite difficult for them to determine the legitimacy of a transaction or the intentions of a customers. The idea of a sting in Eastern Europe might make a great movie but would, like the movie, be a fantasy.

  3. jkm

    “-These attacks will continue until the perpetrators in Eastern Europe are brought to justice.”

    ..or, as in this case, until the banks implement user authentication systems that actually are _secure_.

    I agree that a lot can be done in the way of persecuting perpetrators. But it is a big world out there, and there will always be bad fishes swiming in the backwaters of Eastern Europe/Caucasus/Africa/whatever.

    What can be done is for banks to impelement security systems where user credentials can not be stolen.

    1. JackRussell

      Just keep in mind that as soon as they add some authentication systems that the bad guys will try and figure out a way around it. You need to put yourself in their mindset – if you wanted to get cash to someplace like the Ukraine in a way that it couldn’t be recalled, how would you do it? So any time you think up a countermeasure, you have to ask yourself what the bad guys would do to work around whatever barriers have been put in place?

      This reminds me of a story from my grad school days. A couple of students got into a discussion about what would be considered a valid check and what wouldn’t. One student was of the opinion that it needed to be one of those pre-printed things you order from the bank. The other said it could be anything – you could write out a check on a bar napkin if you wanted to. To prove the point, he wrote out a check on a blackboard, and they wheeled the thing down the street to the bank to be deposited. Initially the bank didn’t want to take it, but eventually after talking to various higher-ups they concluded that it was valid, and they deposited the thing.

      The student that wrote out the “check” was later called by the bank to come down and pick the thing up (this is from the days when canceled checks were returned to you, and the bank didn’t want to pay to have the thing shipped back to the dorm).

      1. wiredog

        I had a Home Finance Professor in the Business department (Class was Fin100? Something like that.) at my college who did a similar thing. He wrote a check on a paper grocery bag, and the bank accepted it.

      2. infosec_pro

        @JackRussell: “You need to put yourself in their mindset – if you wanted to get cash to someplace like the Ukraine in a way that it couldn’t be recalled, how would you do it? So any time you think up a countermeasure, you have to ask yourself what the bad guys would do to work around whatever barriers have been put in place?”

        Question is why it is necessary to quickly get cash to someplace far away in such a way that it cannot be recalled?

        If there are legitimate social or commercial purposes for such transactions they need to be distinguished from illegitimate criminal transactions. The problem with present systems is that they do not distinguish.

        Another approach might be to assert that any legitimate transfer should have a rescission mechanism built in, or that legitimate transfers require some minimum dwell time for the funds at various stages along the way.

        Imagine for example that instead of walking into a WU office in Lower Slobovia and walking out with cash the recipient has to walk into a bank branch and sign papers attesting to their rightful ownership before walking out with the cash. Now they have committed fraud in their own country, much more easily enforced and punished – especially if their local bank is on the hook to make good on the funds! Think about how things would be different if WU had skin in the game by being liable for fraudulent transfers!

  4. bankerjsb

    Why under $3,000? Because there’s a Treasury Department recordkeeping regulation that mandates the recording of name, DOB, street address and SSN/other number of the individual initiating funds transfers of $3,000 or more. WU and MoneyGram are subject to that rule.

  5. TheGeezer

    For 5 days in a row now domain names have been registered with the Polish registrar referencing zeus botnet fast-flux servers to execute IRS, USAA, Fifth-Third, AOL-AIM, and Facebook scams and install bots.
    The fraud is reported, the domains taken down, (but only after the scam has run for 24 hours), and new domains are registered the same day and the scam continues.
    The domain resellers are Domainpeople Inc. and IP Mirror Pte Ltd.

    Some registrars reject the applications when the registrant information doesn’t verify, but the polish registrar seems incapable of doing this.

    As long as the registrars are willing to accept fraudulent domain applications the need for and supply of money mules will continue.

    1. JackRussell

      Why can’t that registrar be taken down for not screening these things properly?

      1. AlphaCentauri

        Geezer hasn’t mentioned the domains in question, but I suspect they are some of the .pl domains I’ve seen spammed recently.

        .pl is controlled by a separate registry than the common top level domain names we see in the U.S. (like .com and .net). Each registry sets its own rules for registrars, and each registrar may register domains for several registries, following different rules for each one.

        Some registries set strict rules that protect the privacy and domain name ownership of the registrants, something you might consider attractive as a legitimate domain registrant, but something that can tie the hands of a registrar who wants to shut down a domain fast.

        Domain registration is highly automated — registrars may process thousands of domain registrations per hour. No human being is proofreading those registrations individually. Registrars have to set up automated systems to find fraud if they’re going to have any success. And they need to stop the registrations before they occur, both because criminals only need the use of a domain for a day or two to make money, but also because investigating and documenting fraud costs a registrar more than the registration of the domain name brought in the first place.

        When the scammers descend on a new registry, as they have descended on .pl lately, it’s up to the individual registrars and the registry to decide whether they are going to tolerate it and how they will proceed. If they respond rapidly, the criminals will move on. If they don’t, they will end up with their TLD being synonymous with spam and fraud, as was happening with .cn until their registry recently began clamping down.

        The shutdown of hundreds of thousands of fraudulent .cn domains has sent criminals scurrying to find a new home. pl.nic probably doesn’t know what hit them with all these new scam domains. They probably didn’t have enough staff to deal with it. Judge them in a month or two when they’ve had time to send scammers a message and hopefully can discourage them from even trying to register new .pl domains.

        1. TheGeezer

          @AlphaCentauri – thanks for the info. The domains involved are pikie.com.pl, pikoe.com.pl, pikqe.com.pl, pikye.com.pl, pioqe.com.pl and pioqo.com.pl.

          I realize that there are many applications to process however I know of registrars who do manage to detect and reject fraudulent applications. They were hit hard and were working late to accomplish the verifications. Maybe it’s just a matter of how good their tools are. I would think in this day when it is clear you can wipe out a small business quickly using a fraudulent domain that these tools would be a requirement. And this should be a requirement of not just the ccTLD registrar but the reseller as well.

          And yes, they descended on Poland after wearing out their welcome in Belgium, Korea and the UK.

  6. TheGeezer

    Better hire some more money mules!
    Six days in a row and at least six more polish domains registered for IRS fraud.

    Since when does the IRS register its web site in Poland!!!???
    This again was done with the help of domain reseller Domainpeople Inc. of Vancouver, BC.

    See for yourself, reports on new domains for IRS fraud:

  7. RicoFinelli

    @TheGeezer Some of those sites are listed as offline. I checked them and they are all currently online.

  8. gaarbok

    Authenticate the transaction, not the transactor. If the library employee / treasurer had to verify each of the 16 new employee payments as legitimate, then I think you would have a different outcome.

  9. chris

    dumb question: what happens when a mule decides to keep the money for him or herself? do the cyber gangs just view that as the easy-come-easy-go expense of doing ‘business’. Do some of these gang perceive each-other as competitors and try to steal from one another by planting mole-mules to divert the spoils to thier own coffers?

  10. Thom VanHorn

    People are out of work and desperate to make a quick buck. Despite the fact that simple common sense may have stymied this theft, the monetary impact of fraud will continue to grow. Companies must prioritize securing the sensitive information in their database. But just as importantly, individuals have to think before they do foolish things. If it sounds too good to be true, it probably is.

    Thom VanHorn, Vice President, Global Marketing, Application Security, Inc.

  11. xanthos

    It is a people problem. Unless they want to be seen as willing participants in organized crime, Western Union and Moneygram need to better train their employees to spot potential fraud.

    I wonder if Brittany would have reconsidered if she had seen a poster warning her that by sending money that wasn’t hers to someone she didn’t know, she might be assisting organized crime?

  12. John Corrigan

    It seems to me that WU and others could be required to screen for these transactions with a few simple questions. For example if the transaction is more than $500 a person could be asked: Is this transaction part of a work from home job found on the internet? Have you ever met the person you are sending money to? Depending on the answers to these simple questions they could be provided with an official handout that describes these frauds and how they can be liable for the money. It could also some practical steps they could take, such as talk to their banker. And, BTW you may also be targeted for ID theft.

    John Corrigan

  13. Timothy

    What about Ms. Carmine, the mule?
    She is just as much of a victim as the library, but she is being stuck with a negative balance by the bank.

    Why should she be the one to cover the loss?

  14. infosec_pro

    @OP’s inappropriately hidden comment about economies of scale:

    “Crime doesn’t increase productivity or reduce cost, so profit is always flat. That’s why criminals are dumb. Instead of using shared infrastructure, they are looting it. It’s a good thing that this can’t scale up. How big can the future of library plundering be?”

    This misses the point. It’s not profitability from the perspective of the overall economic system that matters, it is profitability from the perspective of individual players that drives free enterprise.

    Criminals are the ultimate free marketers, unfettered by any legal constraints. Who cares about the future when they are making money in the present? That’s the prime dynamic on Wall Street too.

    The perps scored almost $9,000 from Brittany, maybe a lot more from other mules. That’s profit today, what’s the time value of that money in the future? That’s more important to the crooks than the potential for future profits from ripping off libraries and school districts!

    Incidentally the bank being able to reverse the transactions doesn’t mean the money was recovered, the money Brittany wired through Western Union is gone – what is at issue is whose pocket it came out of. That would be a good question for Brian to ask and get answered, let’s hope to see some reporting along those lines here.

  15. grourbLeque

    [url=http://alternative-reviews-sassy-brit.zanos.pp.ua/]alternative reviews sassy brit[/url]
    [url=http://ffi-video.zanos.pp.ua/]ffi video[/url]
    [url=http://free-female-domination-clips.zanos.pp.ua/]free female domination clips[/url]
    [url=http://best-blow-job-clips.zanos.pp.ua/]best blow job clips[/url]
    [url=http://dvd-introduced.zanos.pp.ua/]dvd introduced[/url]

  16. Skye Hussain

    My online job is freelance programming on rentacoder.com and i also maintain a couple of websites.’*-

Comments are closed.