Computer crooks stole more than $200,000 from an auto body shop in Ohio last month in a brazen online robbery. The attack is yet another example of how thieves are using malicious software to bypass bank security technologies that are often touted as strong deterrents to this type of fraud.
The latest victim is Clarke Collision Center, an auto body shop in Hudson, Ohio. According to Craig Kintz, owner of Kintz Tech, a local security consulting company that responded to the incident, on Feb. 23 an employee of the victim firm noticed something strange when she went to log in to the company’s online bank accounts: The site said the bank’s system was down for maintenance.
Clarke Collision’s bank, Cincinnati-based Fifth Third Bank, requires business customers to enter their user name and password, and a one-time passcode generated by a battery-operated key fob that is synched up to the bank’s back-end servers. This approach — what banking regulators call “multi-factor authentication” — involves asking the user to provide something they know (a user name and password) in addition to something they have (a code generated by a security token).
But Kintz said that when the body shop employee visited the bank’s site and entered her user name, password and the output from the security token, she was directed to a page that said the bank’s site was temporarily unavailable. The page she was sent to even included a 1-800 number supposedly for the bank’s customer service line.
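To make concrete why a security token did not stop this theft, here is an added example (not code from the article, from Fifth Third, or from any bank) that models the bank's side of the login. It assumes a time-based token in the RFC 6238 style, with the RFC 4226/6238 reference test secret standing in for a fob seed, and a hypothetical `BankAuthServer` that checks the password, checks the code against a small clock-drift window, and refuses any code it has already accepted. It then replays the timeline from the story: the employee enters her password and fob code on the look-alike page, and a few seconds later the same values are submitted to the real site.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890").
# A real fob's seed is known only to the bank and the device; this is a stand-in.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given moving counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps."""
    return hotp(secret, at // step, digits)


class BankAuthServer:
    """Hypothetical server-side check: password + token code, one use per time step."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew            # accept +/- this many steps of clock drift
        self.consumed = set()       # counters whose code has already been accepted

    def verify(self, password_ok: bool, code: str, at: int) -> bool:
        if not password_ok:
            return False
        now = at // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.consumed:
                    return False    # same code presented twice: reject as a replay
                self.consumed.add(counter)
                return True
        return False


def relay_scenario(secret: bytes = RFC_TEST_SECRET) -> tuple:
    """Replay the article's timeline against this server.

    Returns (login using the relayed values accepted?,
             employee's own later attempt with the same code accepted?).
    """
    bank = BankAuthServer(secret)
    t = 1_000_000                   # constructed clock value, in seconds
    code = totp(secret, t)          # what the fob displayed to the employee
    relayed = bank.verify(True, code, t + 5)    # same values reach the real site 5 s later
    employee = bank.verify(True, code, t + 40)  # employee retries on the real site
    return relayed, employee


if __name__ == "__main__":
    print(relay_scenario())         # (True, False)
```

The first value is the whole story: inside the token's validity window the bank sees a correct password and a correct, not-yet-used code, and nothing in that check reveals which browser typed them. The second value is the most an OTP check can do on its own (refuse the code a second time), which is why controls that look at the transaction rather than the login, such as confirming large or new-payee wires over a separate channel, are what catches this class of fraud.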
Kintz said the woman called that number, but quickly found that it was not in service. When the employee looked up the real customer service number for the bank and called to complain about the suspicious activity, she learned that there had just been a large number of wires and money transfers out of the company’s accounts to individuals in the United States and overseas, Kintz said.
“She reported it to the bank at 9 o’clock that morning,” Kintz told Krebs on Security. “By 11:30 a.m. the bank had frozen all of the company’s accounts, but by that time those accounts had all been emptied.”
Kintz said Fifth Third was able to reverse or stop payment on all of the fraudulent bank-to-bank transfers that were sent to money mules involved in the scam — willing or unwitting people in the U.S. hired by the perpetrators — but that Fifth Third was unable to reverse the wire transfers that constituted the bulk of the fraudulent transactions. Still, he said, Fifth Third ultimately made Clarke Collision whole, crediting the company’s account the remaining missing money.
Whoever hit Clarke Collision Center’s bank account was busy that day: Kintz said a bank manager told his client that four other Fifth Third business customers had been similarly attacked that very same day.
I sought comment from Fifth Third, but the bank declined to discuss any specific customer cases. Whitney Ellis, the bank’s assistant public relations manager, sent me the following statement via e-mail:
In regard to the commercial malware issue, Fifth Third Bank, as well as many other banks, has been alerted of a new wave of cyber attacks aimed toward businesses and corporations to get financial information. The Bank is determined to help its commercial clients ease this threat via aggressive customer education and additional tools to aid in the prevention of possible attacks.
For those that have been affected, we are working with the customer and proper authorities to try and rectify the situation. We have been, and will continue to be, in contact with our clients in aggressive customer education and sharing best practices to help prevent these types of cyber crimes.