February 3, 2010

Hackers broke into computer systems at a Massachusetts chapter of the United Way last month and attempted to make off with more than $150,000 from one of the nation’s largest charities.

Patricia Latimore, chief financial officer at the United Way of Massachusetts Bay and Merrimack Valley, said unknown attackers tried to initiate a number of bogus financial transfers out of the organization’s bank account, but that the United Way was able to work with its bank to block or reverse the unauthorized transfers.

“We were able to pretty much capture things as they were happening,” Latimore said. “Fortunately, we saw it on the day that it occurred.”

The intruders attempted to send more than $110,000 in unauthorized payroll transfers to at least a dozen individuals across the United States who had no prior business with the United Way chapter. At least one large wire transfer was attempted, for nearly $40,000, to a 32-year-old man in New York.

A screen shot of the Web site where Hong said he signed up for a financial agent position.

William Hong, of Flushing, N.Y., said he was approached in late December by an entity calling itself the Classic Group. Hong said the company, which gave its Web address as classic-groupco.ws, told him it had found his resume on Monster.com and asked whether he would like a work-at-home job as a financial manager.

Hong, who was unemployed at the time and still is, said he took the job, and that the application process required him to fax an employee agreement, a canceled check, a copy of a utility bill or his driver’s license, along with his bank account information. Hong gave his erstwhile employers the account and routing numbers for Merging Stone Capital Group Inc., a company he had started several years ago.

Hong said he didn’t hear much from the Classic Group until the last week of January, when he received notice that a wire transfer of $39,800 had landed in his business account. But the money didn’t stay there long enough for him to make it to the bank and wire it overseas, as instructed by his employers.

“I got the transcript from my bank and it shows that the United Way of Massachusetts Bay direct deposited the funds, and then reversed the funds right after that,” Hong said. “I guess, you know, that saying is right, about when something sounds too good to be true, it probably is.”

32 thoughts on “Hackers Try to Steal $150,000 from United Way”

  1. js

    This sounds like a good potential sting that could be used in the future to deter operators from trolling for mules.

    Now if the FBI and IRS could flood the various job boards with bogus applicants who appear to be perfect mules and then the money laundering legal proceedings begin!

    It would be a small price of cooperation (and a hedge against fraud) for banks to give up a honeypot bogus accounts to the Law enforcement to make it look real enough.

  2. Henry S. Winokur

    It seems to me that the only way to start to put a dent in this is to make a law against it–at the Federal level, since it’s basically bank fraud–that protects the victim, the victim’s bank and penalizes the perpetrator, one of whom is the mule. Clearly the guys on the other side of the pond are pretty much untouchable, but without the mule the scams go nowhere.

    1. Solo Owl

      I’m pretty sure it’s already illegal, under the wire fraud and bank fraud statutes. What would be more effective would be to extend to business accounts the same protections against fraud and errors that consumers get. This would cause the banks to be vigilant.

  3. TheGeezer

    There should be more money coming in for the mules as the zeusbot IRS campaign started today using fake IRS sites registered with ccTLDs of about 5 different countries.

    If the registrars were held financially responsible for not taking down fraudulent domains after they were reported this would slow this activity down considerably.

    Some registrars monitor sites which report fraud and take them down before anyone even has to report it to them. At least one registrar does such a good job of verifying the registrant information that the fraudulent domain applications get rejected.

    Most of the registrars used by the botnets however take so long to respond the damage has already been done. As far as I am concerned they are criminally complicit.

  4. ax0n

    And here all along I thought that United Way’s executives were doing pretty good at scraping plenty off the top without help from computer criminals. It’s a meta-charity.

  5. Ned

    Laws are useless without enforcement. What use is a federal law when they can’t enforce it. Mules themselves are victims, unless they are aware of their role. Notice they target job seekers for a reason, they are vulnerable when unemployed.

    I can name many levels of failure:

    – people unaware of how scams take place
    – people unaware of how computer viruses spread
    – insecure software that can be easily improved
    – banks not being vigilant on transactions
    – incompetent law enforcement
    – antivirus software that is costly and almost useless
    – registrars not enforcing their own terms.
    – ISPs not monitoring zombie traffic.

    Not in a particular order… and I’m sure I missed something.

    1. d


      If you believe people are that dumb that they don’t know or suspect, I got some land to sell you. By now, everyone should know NOT to give their banking info via email. That should be a dead giveaway. Plus, not only are these mules looking like fools, but Mr. Hong provided all his other, pertinent information. At the least, he should open up a new account — but he brought this on himself. Yes, it’s tough out there in this economy, but don’t add to the problem.

      The plan doesn’t work without the mule.

      1. Ned

        d, I don’t think people are dumb, but I believe most are unaware of how their accounts get compromised. I assume the account in the article was compromised through a virus or security hole rather than a brute force attack. And I get the impression it was by chance they foiled the attack. If I’m wrong and it was by brute force, then you’re right and the next line of defense is the mule. Otherwise, what worries me most is how the account was compromised in the first place.

        There has to be a complete rethink of how to handle software and online security. I suspect Brian has more to say than he’s letting, he has to be mindful of his career and be diplomatic in his criticism.

  6. TheGeezer

    Addendum – as of this post, all domains for the zeus IRS exploit have been taken down except 2, which are registered with the ccTLD of ‘.cz’ (Czech Republic).

    Bad day for the money mules! Good day for the rest of us!

  7. TheGeezer

    Another addendum – as of this post, all known domains used in the zeus IRS exploit are down, including those using the ccTLD of the Czech Republic!

    All registrars reacted responsibly! Progress is being made!

  8. wiredog

    > fax an employee agreement, a canceled check, a copy of a utility bill or his drivers license, along with his bank account information.

    Hope he’s ready to deal with being on the receiving end of an ID theft.

  9. timeless

    > money didn’t say there

    Brian: I presume you meant “stay there”

  10. Alex

    I have myself received a couple of those emails offering to work from home. As demonstrated in this case, the human factor is still very, very important; United Way was able to catch the scam on the fly and Mr. Wong was willing to provide way too much personal information to a company he didn’t know about.

    I firmly believe that a solution to this or any other type of scam will require little technical input. We just need to add more of the human factor to online transactions, even if this means eliminating some of the automation we had worked so hard for. A good example, although not very well implemented I think, is the dongle offered by Paypal that brings two way authentication to transactions.

    Good job. I am a long time reader after a recommendation from Steve Gibson and Leo Laporte.

  11. Michael

    In the last month, I’ve received several “employment offerings” that are very similar to this one, from entities with very professional sounding names, such as the “Prime Group;” names that also appear to have legitimate, very similar, very professional-appearing web sites!
    I was, of course, immediately suspicious of such offers that seemed “too good to be true,” especially since I’ve never placed my resume on employment websites such as Monster.com.
    Vigilance: The state or quality of being vigilant; watchfulness; keenly watchful to detect danger; wary; ever awake and alert…

  12. KFritz

    Kudos to that branch of United Way for being on its toes, but how much of their success in foiling the attack can be attributed to luck, apart from their skill? Great story.
    Also, great idea to shame Mr. Hong. Wish his story and picture was ALL OVER the MSM.

  13. AlphaCentauri

    It’s hard to hold the mules responsible. If they actually understood what was going on, they wouldn’t give their bank account information in the first place. The criminals could empty their accounts and not even bother trying to hack the United Way, after all. (Care to guess how strong mules’ passwords are?)

    Yes, they should be suspicious when the offer is too good to be true. But what if the criminals got smarter and offered less lucrative terms? If the mule is offered $25 per transaction, should he still be suspicious?

    You have to share your social security number with employers, even when you hate and distrust the people you work for. You reveal your bank account and routing number every time you pay with a check, no matter how little you know about the vendor you are paying and the people in its accounts payable department. And if you’re looking for a job, you’ve got a lot of personal information on a resume that gets mailed/faxed/emailed to HR employees at businesses you’ll probably never work for. So it’s not so bizarre for someone to go along with a request for this information from an online employer with a superficially professional-appearing website.

    Americans are too accustomed to consumer protection laws that prevent criminals from being blatant about scams. They know to be suspicious of someone selling goods out of the trunk of his car, but they expect if he were doing it parked next to a police station, he wouldn’t be selling hot laptops. On the internet, criminals can have incredible chutzpah. The general public needs to be educated to be much more skeptical of online merchants and to know how to evaluate which ones can be trusted.

    Wouldn’t it be nice if everyone getting internet access for the first time had to go through a tutorial before being connected?

  14. Timothy

    Does “Regulation E” apply to these types of fraudulent transfers?

    1. Solo Owl

      No. Regulation E only concerns consumer accounts. It does not apply to business accounts.

  15. Pete

    Fortunate == Lucky

    I hope they increase security to prevent unauthorized changes so they no longer need to rely on luck to spot things after they have happened.

  16. op

    Any system can be penetrated. The evidence of the penetration can be erased. With check fraud, the bank destroys the check. Computer penetration is like rape or seduction. Both involve penetrations and the computer isn’t telling anybody it was raped or how it was raped. Instead of investigations, you end up chasing wild geese have no paper trail and scant unverified evidence leading virtually nowhere. Data showed how the big boys got bailed out as mortgage fraud multiplied, so you go from working at home to homeless. You thought the real estate agent was seducing you and he was raping you. One bad idea after another. Now your mortgage papers are worthless and your money is digital and Google and NSA are going to police the world. Support your local sheriff.

  17. TheGeezer

    More money for the mules!

    As of this post the zeus botnet boys are back with active Czech Republic domains for IRS, Visa and Facebook fraud. Thank you registrars for making crime so easy on the net!

    Oh, and let’s not forget the Chinese registrar OnlineNIC, (They used to have a US address which was a vacant lot in Oakland, CA), who when told that the domain name they registered, chasetrustbank, using a name server in Russia was fraudulent and used to fake a Chase bank, and was given the address of a screenshot of the fraudulent site, replied with “prove it”.

    Imagine what the brick and mortar world would be like if anyone could set up a fake Chase bank or a fake IRS representative in a shopping mall. I think ICANN needs to redo its contracts with registrars. OnlineNIC is still an ICANN authorized registrar, even though they have been successfully sued for fraudulent activity in the past by Verizon.

    1. TheGeezer

      @Alpha We’re definitely on the same page here.
      Actually I got two responses. The first was unbelievably stupid.

      I gave them a reference to the phishtank report on the fraud so they could see the entire URL with their registered domain and the screen shot of the fake Chase bank page. The response I got was: “Sorry, we are not the registrar for phishtank”.

      I replied back typing very slowly “I know you are not the reg..is..strar for …” (you get the picture). The response about proving it was then from a different person. I replied back again hoping to copy Chase on it, but couldn’t find a good Chase email address.

      In my last reply I summed up our correspondence to that point and made a list of all the things they should have checked, the last being that if the registrant was claiming to be Chase bank then the registrant should prove he is indeed acting on behalf of JPMorgan, that the burden of proof was on the registrant and the registrar not on me.

      And I’m sure you’ve seen this type of registrant ‘whois’ information before. The information supplied could only be described as ‘cocky’, like they were trying to show that they could supply the most absurd information and still get registered, which of course they could and did.

      I didn’t get a response to my last email which I must admit was not intended to be polite. The site is down, the domain was still registered last time I looked.

      I still think we’re going too easy on the registrars. That’s why I think the contract with ICANN has to be strengthened.

      If I bought a Glock handgun in a mall and shot four people trying to load it and explained to the police that I really was just learning how to use it, that explanation would not go over too well.

      The registrars have the same power in their hands to inflict damage as has been shown by the many articles Brian has written. If they can’t handle it they shouldn’t be in the business. I know registrars who can handle it very well. They have tools which provide them feeds on fraud. OpenDNS provides a free feed and some use netcraft.

      If they can’t take down a domain in a reasonable length of time after it’s been shown to be fraudulent they just simply shouldn’t be allowed to register domains. And this means they should be available to take domains down 24/7, not just prime shift 5 days a week. It is too serious an issue to be handled when they can get around to it.

      Thanks for the Chase link.

      1. AlphaCentauri

        ICANN is answering to too many masters, one of which is probably all the money coming in when spammers register thousands of domain names. They also have to avoid looking like the Americans telling the rest of the world what to do, or everyone else may take their marbles and go home to their own registries.

        OTOH, in the brief time I’ve been reporting domains, I’ve seen dramatic changes in the way individual registrars deal with fraudulent registrations. Registrars like HKDNR, Gandi, Directi and TodayNIC have gone from being some of the worst to being some of the best. OnlineNIC is potentially on the brink of cleaning up. So I’d favor patient, persistent education so that when they make the decision to stop tolerating this crap (or the Chinese government makes the decision for them), they’ll have some idea how to go about changing their procedures.

        Also, remember that hiring someone truly fluent in English is an expensive proposition in China. The help desk people are probably really struggling to understand a lot of what we send them.

        1. TheGeezer

          good point.. again… especially about the delicate political position of ICANN… they don’t want to become ICANT!

  18. Ed

    If I were Rod B., our former CyberSecurity Czar, I’d be asking these three staffers at the ICANN team some tough questions. Maybe Howard S. and Keith A. can sit in?

    What if the registrars were subjected to the same international laws that banks must comply with that address KYC and Anti-Money Laundering Statutes? “Knowing Your Customer” compliance / enforcement should be put in the hands of the same entities who are responsible for transnational economic crime. The nexus of the Internet, Organized Crime (RBN) and people like King Arthur, Bra1n and others who are being protected by nations states remains the primary challenge. Just another layer of due diligence could result in the same treatment as EST Domains.

    See Page 232-234 in the book “Fatal System Error” by Joe M. for more.

    John J. – General Counsel

    John brings 18 years of legal and business experience in the technology and entertainment industries to this position and has provided services to individuals, non-profits/trusts, and companies (from startups to Fortune 500 companies) as a dealmaker, litigator, corporate and intellectual property lawyer, and business executive.


    Greg R. – Chief Internet Security Advisor

    Greg joined ICANN in July 2008 as Chief Internet Security Advisor where he provides expertise on security matters both external and internal while managing the Security group.


    Yurie I. – Director, Global Security Programs

    Yurie joined ICANN in April 2008 as Director, Global Security Programs where she leads ICANN’s involvement in collaborative response activities and works with ICANN partner organizations and stakeholders at global and regional levels in implementing ICANN security, stability and resiliency programs.

  19. Alba

    Dear Friends, Happy April Fool’s Day!!!

    There is an envelope on the windshield with a note of apology and two tickets to a music concert. The note reads, “I apologize for taking your car, but my wife was having a baby and I had to hot-wire your ignition to rush her to the hospital. Please forgive the inconvenience. Here are two tickets for tonight’s concert of Garth Brooks, the country-and-western music star.”
    Their faith in humanity restored, the couple attends the concert and returns home late. They find their house has been robbed. Valuable goods have been taken from throughout the house, from basement to attic. And, there is a note on the door reading, “Well, you still have your car. I have to put my newly born kid through college somehow, don’t I?”

    Happy April Fool’s Day!
