May 10, 2010

Last week I traveled to Cooperstown, N.Y. to deliver a keynote address about the scourge of online banking fraud that I’ve written about so frequently this past year. I flew into Albany, and in the short, 60 minute drive west to Cooperstown, I passed through tiny Duanesburg, a town whose middle school district is still out a half million dollars from e-banking fraud. On my way to Cooperstown, I also passed within a few minutes of several other recent victims — including a wrecking firm based on Schenectady that lost $70,000 last month when organized thieves raided its online bank account.

Alexander “Sandy” Jackson‘s world started crashing down on Apr. 20, the day he learned that more than $70,000 of company’s cash had been transferred to 10 complete strangers scattered about the United States. Since then, the owner of Jackson Demolition Service has spent a good deal of time trying to retrieve that money. So far, he and his bank have recovered about one-third of the amount stolen.

Oddly enough, Jackson first learned of the fraud after being contacted by an individual who received close to $5,000 of the firm’s money.

That individual was Montgomery, Ala. resident April Overton. In March, Overton responded to an e-mail from a company that said it found her resume on, and would she be interested in a work-at-home job entering tax information on behalf of American tax filers? Overton said she accepted the job, and for more than a month worked several hours each day completing various tax forms with personal tax information sent to her via e-mail, forms that she then had to fax back to her employers, who claimed to be Tax World LLC, at

“I was basically processing tax returns, and they’d have me log in to a site every morning between the hours of 8:30 a.m. and 11:30 a.m., and would send me information, have me filing out [IRS Form] 1040 tax returns,” Overton said.

The information at indicates that the company is based in New Jersey, and that it has been in business since 2002. However, the state has no record of a business by that name, and the domain name was registered in March 2010 via a Russian domain name registrar. In addition, the same Web server hosts an identical site reachable through the domain A message left at the phone number listed on both sites was not returned.

Overton said she spent more than a month entering and faxing tax information for Tax World before she was paid. The payment took the form of an unexpected $4,700 deposit into her bank account from a company in North Carolina. She said she spent that money, assuming it was payment for her work, until the deposit was recalled by the issuing bank, at which point her account went thousands of dollars into the red.

A few days later, she received another $4,700 deposit, this time from Jackson Demolition Service. Suspecting that the rug was about to be pulled out from beneath her yet again, she picked up the phone and called the wrecking firm, effectively alerting workers there to the missing money. Overton’s bank, however, appears to have used the deposit from Jackson to replace the overdraft amount from the previous deposit from the North Carolina firm.

“She got a $4,700 deposit and spent it right away, but her bank overdrafted her account because that deposit got recalled,” Jackson said. “Then my money comes flying in there and her bank grabs that to replace the missing money.”

Overton has promised to repay the $4,700 to Jackson. Meanwhile, it remains unclear what Overton’s employers were doing, if anything, with the completed tax forms, although experts say it’s not uncommon for organized criminal groups to secretly file taxes on behalf of other people, request a refund and then later request that the refund check be sent to a new address.

The closing slide in my presentation up in New York included a list of tips that I urged small business owners in the audience to consider in order to avoid becoming the next victim of this type of crime. The thrust of my speech was that today’s attacks against online banking have become so sophisticated that banks need to adopt authentication mechanisms that work even when their customers’ PCs are already compromised by organized criminal gangs.

Unfortunately, very few commercial banks are prepared to meet this threat. As such, I encourage small business owners to take a few simple precautions, such as banking online only from a dedicated computer. This can take the form of a laptop or desktop that’s used only for online banking and nothing else; a Mac OS X system (all of the malware used to steal online banking credentials simply fails to run on non-Windows computers); or a bootable Linux installation that runs off of a CD-Rom or DVD.

By the way, if you ever get a chance to visit Cooperstown, N.Y., consider staying at the picturesque Otesaga Resort Hotel there, where I snapped this photo last week right before a thunderstorm moved into the area.

Further reading:  Target: Small Businesses

33 thoughts on “A Stroll Down Victim Lane

  1. rofojo

    How about booting Linux off a thumb drive? I assume that is also secure and not hard to do.

    1. Jane

      It is slightly more complicated to set up, but I use this method for the convenience. On the other hand, it’s a lot easier to grab a CDR than order one of the USB sticks with the write-protect switch.

    2. Toddzilla

      Booting from a USB thumb drive is not as secure as booting from a CD. A CD is read-only. The operating system on the CD cannot be altered by malicious code. An operating system stored on a thumb drive is no different than one stored on a typical hard drive. It can be modified by malicious code just as easily as any hard disk. Then you are in no better shape than you were before.

      1. dc0de

        There are thumb drives that can be RO (read-only) enabled. If you cannot find one, you’re not looking hard enough.

      2. Ned

        USB flash drives with write-protect switches are available, but not as easy to find as drives without the feature. I personally boot a customized Ubuntu from a write-protected thumb drive.

        It’s worthy to note that even if the USB drive was not write-protected and running live linux, it’s highly unlikely (but not impossible) for it to get infected.

  2. Steven Alm

    Neat article, man. Well written and informative. Nice to see that you’re doing well.

  3. zmlp

    The common thread that seems to be consistent with all such “job offers” is a very professional “looking” website, specifically designed to impress—and mislead. On May 5, I received the following email:


    My name is Steve Armstrong. I represent Fine Job Finder recruitment agency ( I’ve checked your resume on and we believe you might be a good candidate for our partner’s vacant position. In case of your interest in getting a new job or part time job, please let me know and I will be glad to explain you this offer in details.

    Steve Armstrong.
    Fine Job Finder Inc.

    When I investigated, I observed a very professional “looking” website but, Web Of Trust displayed no information regarding the veracity of the website.

    I was immediately suspicious but, to give “Steve Armstrong” the benefit of the doubt, I—perhaps ill-advisedly—replied regarding my suspicions, with at least 5 primary reasons for my suspicions.

    I also included a demand that, if the “offer” was legitimate, he reply with an accurate and detailed explanation of the professional position offered, the offering firm’s name, the offering firm’s physical address, the names of the representative firm contact(s), and a contact phone number, and contact email address.

    To date, I’ve received no reply…

    1. Ron Harding

      i also looked at the website – i noticed a word was misspelled in the top of the home page – not english native no doubt.

      the plain message keyed me off right away – at least they provide job title, even the indian recruiters do that.

      I can’t stand this crap! i am looking for work and the stinking scammers are going after recruiters now too! got to keep the guard up i guess.

      i bet it’s some loser teenager living with mom/dad with nothing better to do.

    2. N Pham

      I got the same type of email today. But with a modified domain in the body. Its the exact same copy the one suspicious thing was that they made up a Sweden contact address but claimed to be out of Memphis, TN.

  4. Carl "SAI" Mitchell

    Thumb drives are not write-once media. It’s MORE secure, but not as secure as a liveCD. The security gain is probably irrelevant in the real world…

  5. Mike Mulholand

    There are a couple of odd things about this story. If the return of the ACH item would overdraft Ms Overton’s account, why did the bank do it? RDFIs (Receiving Depository Financial Institutions) are not required to return an ACH credit if there are no funds in the account to support that action. It’s well known in the industry that recalling credits is as hard as finding hens teeth. Further, they apparently refused to return the Jackson credit, using it instead to pay off the previous $4.700 fraudulent credit. So why did they return it in the first case and refuse the next. Very curious. One thing this story does demonstrate is how sophisticated the fraudsters are in recruiting money mules and other duped “employees”.
    These stories are focused on the originating side of the equation, but there is one to tell on the receiving side as well. The RDFI can monitor incoming ACH items for unusual activity. Why would they do that? First, to protect their customer. April is going to take that loss, and my guess is she can afford it even less than the hapless Mr. Jackson. Second, to protect he bank’s reputation. You really don’t want to be known in cyber criminal circles as a “mule bank”.

  6. D

    Out of curiosity, to what group / at what conference did you give the keynote?

    Can we see the slides?

  7. Joshua

    I am in the risk/fraud department for an online bill pay company and deal with mainly individuals and would like to alert everyone that this happens often to individuals as well. Granted the amounts are not nearly as staggering, the damage in relative terms is just the same. I busted a fraud today that seemed to follow this same routine: innocent victim, $2500 set up as a check payment to an apparent money mule in NJ coming from an FI in MS with an IP access through a proxy in the Dominican Republic.

  8. Dave Mich

    Brian. Funny how and look soooo similar, isn’t it.

  9. dc0de

    How about an overhaul of the ACH system?

    This antiquated system is the root of many of these problems, as it allows any financial institution to request a transfer of funds from any other institution’s accounts with very little, if any, authentication.

    I recall a website about 3 years ago, that would allow me to setup YOUR checking account for ACH actions, without ever NOTIFYING YOU that I was doing it “on your behalf”. I only needed to know your routing # and account #. Two items of information that are very easily obtained.

    I think it’s high time that we, as the account holders, start holding the financial institutions liable for their failures to secure their systems from this type of malicious activity.

    While I understand that the financial institutions are reticent to make these changes, if they were actually financially liable for these ACH transactions, I think that they would quickly change their tune.

    That’s my 2cents, YMMV.


  10. Eric

    I can also recommend the Otesaga Resort Hotel, but it is pretty pricey. If my wife and I go back to Cooperstown, I would be tempted to just find a nice B&B instead.

  11. emv x man

    Most small business owners have enough to do without having to become security experts; it shouldn’t be allowed that banks can shirk their responsibilities.
    Solving problems at the source is always more effective.

    1. InfoSec Pro

      @emv x man, re shirking responsibilities:

      Nobody can evade responsibility for their share of solving the problem, that’s the real problem. The SMB (small-mid business) community looks to the banks because they want to use IT without knowing IT. The banks look to their customers because they don’t want the hassle and cost of doing it right (dual factor, OOB confirms, etc). Everybody wants to make it somebody else’s problem. The world doesn’t work like that.

      btw a week or two ago I discovered several fraudulent transactions on one of my accounts, apparently the result of a skimmer getting the card data and sending it overseas (I wouldn’t’ve minded as much picking up the meal tab in Nice if I’d been there to enjoy it!). Fortunately it was discovered the next day and reported immediately, so the issuer canceled and replaced the card and reversed the charges. Looks like I suffered no loss and minimum hassle. But that’s only because I did my part by discovering the fraud promptly!

    2. AnonymousMike

      The source of these problems is ultimately an infection on the customer PC, I agree solving that would solve the issue.

      Banks have a part in helping to stop these fraudulent transactions from occurring. Just like small business owners do as well, end user security practices have to evolve over time just like bank security has to evolve over time. Its no longer acceptable for small business owners to say “I took the same precautions I’ve taken for the last 5 years” and I got a virus, so its the banks fault.

      Both parties have a responsibility to implement better security practices, and both parties are clearly not doing so at the moment. Stories like these help drive those changes for both parties, assisted by regulation and guidance etc.

  12. Darrell

    With all of the talk about the boot CDs, is there an easy way to obtain one without all kinds of techno work – how about an ISO that is reliable that can be downloaded and work without a lot of configuration, that can be provided to merchants?

  13. Paul

    I still question why only one money mule feels bad and responsible for their actions. Why isn’t our government doing more to punish the people who receive these funds.

    Knowlingly or not, they must take responsibility for their actions.

  14. Mike

    This type of fraud will never be fixed since the banks have no incentive to fix the problem. They are not liable for the problem since the credentials of the victim are used. Furthermore, banks allow large sums of money to be transferred to just about anybody without any kind of verification on the part of the bank. The only way that this kind of fraud will cease is if the banks are held accountable. Granted, the malware is also a problem. However, it takes both the bank’s lack of controls and the malware on the victim’s machine. It wouldn’t take much for a bank to require in-person confirmation when an authorization of payments to people and/or destinations is requested. This would definitely cut down on the thefts. If the banks were made liable for this type of fraud, they would put controls in place immediately. Right now, there is no incentive so the problem will continue.

    1. Rob

      The Hillary Machinery case will start in a year (little less) and we might get a better description of commercially reasonable security. If that one doesn’t make it we’ll have to rely on BK and others to keep reporting on the issue and get it pushed into the mainstream.

      1. Bert Knabe

        We can only hope that if the court provides a definition they enlist the assistance of people like Brian Krebs. Otherwise the definition is likely to be obsolete before the ink is dry on the decision. We must also hope that a jury isn’t fooled by fancy footwork into believing the bank isn’t culpable. PlainsCapital is counting on getting a judge and/or jury that is naive when it comes to computer security.

    2. Aaron Jacobson

      I agree that this problem will continue until someone gives the banks an incentive to fix it. However, it’s also important to realize that most small- and medium-sized banks outsource their transaction services (and security) to a handful of large processing companies. These processing companies are perhaps as culpable as the banks themselves.

  15. Oneway or another

    If businesses and banks tighten control of the ACH system, fraudsters will utilize a different channel and scheme, possibly a more creative approach to using wires.

    Mules will still be mules, banks will still deny responsibility and businesses will still be vulnerable. Education plays a key role in prevention. I don’t know a single business owner who doesn’t want to keep tight control of their finances, i assume they won’t have a problem learning something new after they lose a few dollars. Its a shame most won’t listen until then.

    Bootable CD’s, non-writable thumb drives or dedicated PC’s are all simple, albeit more cumbersome, ways to reduce your risk footprint. I’m sure there was a day when businesses didn’t lock their doors, only to be ruined by someone with less of a moral foundation than the majority.

    Brian, keep telling the stories. Readers keep telling your friends, especially the business owners of the world.

  16. KFritz

    This mule did actual WORK, and most folks’ expectation after work is PAY. Granted, she behaved like a jackass by spending 4.7 K so quickly, but she sounds like far less of a dupe that any other mule previously described.

  17. Me

    They really do go through a lot of work jeez. Taxreturnworld…,+atlantic+city&oe=utf-8&client=firefox-a&ie=UTF8&hq=&hnear=1711+Atlantic+Ave,+Atlantic+City,+Atlantic,+New+Jersey+08401&gl=us&ei=DXvtS42ZOsP68Aagm9z9Cg&ved=0CBMQ8gEwAA&ll=39.360416,-74.43233&spn=0.022198,0.038581&t=h&z=15&layer=c&cbll=39.360464,-74.432206&panoid=QXT83DeFLRlCHTQUWxJxuA&cbp=13,343.07,,0,-2.08

    There really is a tax business there. The real fun would be visiting the store to try to tie things together

  18. Sensible

    Is the Ford Company required to provide automobile operators with training and a drivers license? No the government requires the operator to take the training and pass the test. It wouldn’t make a lot of sense for the government require Ford to train and test all auto operators before buying a car. Why should banks be required to verify a commercial users internet competence and check the effectiveness of the business internal controls? Not unlike the automobile operator shouldn’t the small business be held accountable for something? Legislation that would require banks to pay for losses that are a result of small biz systems being exploited would seem to drive all the wrong behavior. Sarbanes Oxley section 404 requires public companies to have solid internal controls, why not have small businesses verify they understand the risks of ebanking and also that they have adequate controls in place when they get their business license.

  19. James Pannozzi

    These things KEEP happening as do terrorist attacks for one fundamental reason -> essential reforms from the bottom up, in all aspects of our institutional infrastructure are badly needed. However, lobbyists and special interests of the institutions, eager to preserve their loopholes, profiteering tricks and other impedimentia, along with the inertia and fear of drastic system changes, slow, or block the reforms from happening. Just LOOK at the mess in the Gulf because improper or non-existent controls were operative, or else the pretence of controls without the substance were in place. How’s THAT for one big mess. See what happens when you let special interests, in this case the oil companies, have their way?!!

    We’ve already had a major financial meltdown and a major terrorist attack that killed thousands. Exactly how long are we going to acquiesce in this until we demand that our legislators, political leaders, and even the news media start taking action?

Comments are closed.