05
Jan 10

FBI Investigating Theft of $500,000 from NY School District

The FBI is investigating the theft of nearly a half million dollars from tiny Duanesburg Central School District in upstate New York, after cyber thieves tried to loot roughly $3.8 million from district online bank accounts last month.

On Friday, Dec. 18, thieves tried to electronically transfer $1.86 million from the district’s account at NBT Bank to an overseas account. The following Monday, the attackers attempted to move another $1.19 million to multiple overseas location. It wasn’t until the next day, when transfers totaling $758,758.70 were flagged by a bank representative as suspicious, that the two previous unauthorized transactions were discovered, school officials said.

As of today, Duanesburg and its bank have succeeded in recovering $2.55 million of the stolen funds, but the school district is still out $497,000.

Audrey Hendricks, a communications specialist with Duanesburg Central, said the thieves tried to steal more than a quarter of the district’s annual budget, which stands at less than $15 million. The district services about 1,000 students kindergarten through 12th grade in a rural area about 30 miles west of Albany.

Dozens of similar attacks on school districts, cities, counties and small businesses across the country last year have all started with malicious software that helped the attackers steal user names and passwords needed to access the victim’s online bank accounts.

Hendricks said the FBI and the New York State police are investigating, but she said it’s not clear yet whether malicious software played a part in this attack as well.

“At this point, we don’t know exactly how it happened,” Hendricks told krebsonsecurity.com. “The FBI only knows so much, which is unfortunate because we have lots of questions.”

To prevent any district bank accounts from being further compromised, the district closed all of its bank accounts and established new ones with restricted online access, the district said in a letter (.pdf) sent today to families with students in the area.

Tags: , , , , , ,

15 comments

  1. Another good real-life example of the damage done by cyber criminals.
    Thanks for doing this Brian, as I think many people still have the impression that the victims are mostly people who were ‘asking’ for it by downloading ‘free’ software or ‘free’ porn.

    It will be interesting to see what the school’s vulnerability was.
    I wonder if this will be another example of a crime which could have been prevented if a domain registrar had assumed more responsibility in monitoring the use of domains they register.
    Incidentally, the zeus botnet is back again with their facebook exploit using one of their favorite TLDs of ‘.be’.
    Had their campaign tried using a domain registered with Domicilium it would have probably been taken down within hours of being registered.

  2. I think the role of lax registrars is a factor that’s ‘after the fact’. For to make any of this work, the perps need to get at the local machine. If they can’t do that, then it doesn’t matter how cooperative the registrars are. And the registrars wouldn’t be an issue if this weren’t already a ‘big money’ issue.

    Certainly lax security can always be a factor in targeted attacks, but when the victims already utter the magical words about ‘malware’ then one is reminded who the real culprit is.

    And for my money, one can’t in such case claim one doesn’t know how something like this happened. For it happened by not having a clue about operating systems and system security and just purchasing the same old same old.

    I’m a PC and looting school accounts was my idea.

    • @Rick – Not sure if you are being sarcy with your last comment but dont blame the same old same old for if the same old was something else then given the driving factors / the cause of the effect there would still be theft and you would be playing the same track.

      However if this is not the case then I agree with you that the USER is the problem and as someone stated before maybe a mandatory web usage IQ test is required to sift out those unfit for internet Banking. Although the Banks would have to agree on this and we all know what their stance is on profit margin related things.

      Signed
      Anonymous Coward

      • James R. ("Jim") Woodhill

        I have been trying to find the words that would persuade those who think that online banking funds transfer fraud is the *users’* fault and that Duanesburg School District et. al. should bear the losses that they are wrong. As Brian has reported in:

        http://krebsonsecurity.com/2010/10/bill-would-give-cities-towns-and-schools-same-e-banking-security-guarantees-as-consumers/

        It looks like Sen. Chuck Schumer (D, NY/Committee on Banking, Housing, and Urban Affairs/Subcommittee on Financial Services) beat me to it. Those words, of course, begin with, “Be It Enacted by the Senate and the House of Representatives of the United States of America, in Congress Assembled…”

        Just nine months from this incident to the introduction of this legislation. Not bad as things on the Hill go…

        Not that I support this bill as written. I believe Sen. Schumer has the right problem, but the wrong solution. A straight extension of Regulation E could drive America’s small- and medium-sized banks out of online banking. At a minimum, it will force them to divert their time and attention from making loans to becoming cyber-security experts. Now, there is nothing about cyber-security that is inherently harder than running a community bank, so if our bankers work hard enough they will succeed, but do we really want eastern European cyber-criminal gangs to force America to change the way we do things? This is about as sensible as allowing a handful of Jihadist crazies to force us to submit to having our private parts patted down every time we fly.

    • You are right Rick that the registration is after the fact of installing the malware.
      However, the malware is often accessed via a registered domain name.

      The registrar’s role is therefore VERY important!
      And yes, we can claim to not know how this happened. Was it again a fraudulently registered domain that should have been detected by the registrar? Or was it an employee downloading ‘free’ software? We don’t know how this happened. “not having a clue about operating systems and system security” is not the answer.

      Let’s look at the example of the small business in D.C., Parkinson Construction, which fell victim to the Social Security Administration exploit which Brian reported on early december.
      http://voices.washingtonpost.com/securityfix/2009/12/who_says_pay-per-click_revenue.html

      The Zeus botnet SSA exploit was running in late November using the ccTLD of ‘.be’.
      It should have been clear to any registrar that the US Social Security Administration does not register with DNS.be and does not use a fast-flux server. The registrar is in the computer business.
      They should be able to see this and respond. Parkinson Construction is not in the computer business.
      If this registrar had shown the same responsibility demonstrated by some others, Parkinson Construction would have received a ‘Host Not Found’ error message rather than a trojan.

      The personal computer has become a necessary but dangerous appliance for most people and certainly for business.
      No one is required to know electronics to be guaranteed safety from electrical shock from their dvd player.
      You should not have to be a computer guru to avoid ‘software shock’ from your computer either.

      The registrars need to have their focus redirected from bragging about how many domains they’ve registered to how few malevolent domains they’ve registered. They are the ones who should be the computer gurus, not victims like Mr. Parkinson and Duanesburg Central School District.
      It doesn’t take much of a computer guru to know that the IRS and SSA are not located in Chili or Argentina.
      Let the Registrar be responsible for the research. That would prevent the majority of these incidents.

  3. A reader sent this to me via e-mail and I thought it was interesting enough that I got permission to excerpt part of it here.

    I have read your column for many years and have always found you to be factual and on the cutting edge of cyber crime trends. I worked for an online financial services company for more than a decade. I was in their corporate security investigations group. I was the senior manager of investigations from late 2005 until I left and worked directly with law enforcement on the types of cases you have written about so well.

    My group investigated all fraud activity perpetrated against it and I can tell you we dealt with the Russian or as we told everyone “Eastern European” groups since 2003. They started small by opening accounts with stolen identities and funding via ACH and experimented with stock pump and dump as early as December 2003. Our firm lost less then a million dollars in 2004 to ACH, wire fraud and pump and dump and a couple of million in 2005, but we fully reimbursed customers because of what it could do to our business if it became public. We had compromised customers sign a general release/non-disclosure form to protect our reputation. We also had these customers send us their hard drives or we performed remote diagnostics and as a result were highly familiar with the viruses and how credentials were being stolen. We referred all of these cases to law enforcement and I worked directly with different FBI and Secret Service agents on many of these cases. We also participated in Secret Service Electronic Crime Task force groups around the country during this time frame of 04/05.

    2006 changed the course of history, as my firm lost more money between July and September then we had between 2001-June 2006, when we lost over $10 million. It was a result of pump and dump, as well as wire and ACH fraud. Of course this impacted everyone in the online brokerage business, but we were on the bleeding edge. As you well know, RBN and others learn quickly and they used all of the knowledge and skills they had accumulated over the past several years and they came at us hard and fast. We had founded a working group with NCFTA in Pittsburgh and had quarterly meetings to share all of this information and we also began sharing information directly via email within our working group real time to help combat this activity. It helped to slow it down, but we were never able to stop it.

    The “bad guys” continue to evolve and your articles have well documented how this evolution is continuing. They still hit individual accounts at banks and brokerages, but the bigger targets are now small business and local governments.

    Keep up the good work and hopefully you can bring more attention to this growing problem.

  4. @BrianKrebs – thanks for sharing that email, and thanks to the author for being willing to have it shared. I think it should give a good argument against those who continue to blame the victims, that organization probably knows more about securing systems than most of your readers and still took big losses despite strong motivation to protect themselves with best in class measures. If they couldn’t stop the bleeding how is a local school district going to do so?

    btw I served on a local (regional) school board for a few years, comparable in size to Duanesburg. Our entire IT budget would not have covered my present salary, and that’s probably true for most of the knowledgeable readers on here. It takes time and effort and diligent competence to properly manage and secure systems, that’s why it is so seldom done right. If local governments and schools spend money to get the resources they need to do the job right they get slammed by taxpayers and/or cut back in mission critical areas.

    @ TheGeezer, “Parkinson Construction is not in the computer business.” Exactly the problem. It takes so much competence and diligence to properly secure desktop PCs that almost anyone not in the IT business cannot justify the expense to do it right, especially with the need for expertise so outstripping the available supply.

  5. Brian – I’ve been following you for years as a security consultant and as a CISO and am glad to see the new site up and active.

    My partners and I have been debating who should be responsible for these attacks. On one hand, you can blame the banks for having poor business processes that do not account for the potential for misuse. On the other hand, you have the organizations themselves who have ignorant users who provide access to banking credentials.

    Since I think that the argument can go either way (or both ways, which would be the reality), I think that it would be really interesting if you were to put up a “Wall of Education” page that lists the affected banks and organizations, sorted by dollar value of the attack. It would be interesting to see how many times individual banks start popping up.

  6. Awareness is a good thing, but unfortunately the current security model is so full of holes that there are few pragmatic ways to stop the bleeding, short of abandoning on-line banking. Even with that scenerio, there would be no full-proof guarantee that customer finances would be fully safe in the banks hands, since they are also dependent on vulnerability-centric defenses.

  7. Great Article.

  8. Just posting to subscribe to this. I live within ten miles of this school district and have been in IT since before the internet, have not seen any follow-up on it. Looking forward to it.

    And sorry, I have no contacts there, nor any inside info to offer.

    C.