Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.
Lea French, MECA’s chief financial officer, said the trouble began when an employee with access to the organization’s online accounts opened a booby-trapped email attachment containing password-stealing malware.
The attackers used MECA’s online banking credentials to add at least six people to the payroll who had no prior business with the organization. Those individuals, known as “money mules,” received fraudulent transfers from MECA’s bank account and willingly or unwittingly helped the fraudsters launder the money.
French said the attackers appeared to be familiar with the payroll system, and wasted no time setting up a batch of fraudulent transfers.
“They knew exactly what they were doing, knew how to create a batch, enter it in, release it,” she said. “They appear to be very good at what they do.”
Prior to the heist, MECA refused many of the security options offered by its financial institution, First National Bank of Omaha, including a requirement that two employees sign off on every transfer.
“We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us,” French said. “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”
MECA was able to reverse an unauthorized wire transfer for $147,000 that was destined for a company called Utopia Funding U.S.A. The organization was not as lucky with the remaining transfers.
The funds stolen from MECA were sent to money mules recruited through fraudulent work-at-home job offers from a mule recruitment gang that I call the “Back Office Group.” This gang is one of several money mule recruitment outfits, and they appear to be among the most active. Like many other mule gangs, they tend to re-use the same format and content for their Web sites, but change their company names whenever the major search engines start to index them with enough negative comments to make mule recruitment difficult.
The mules used in the MECA heist were recruited through a Back Office Group front company named AV Company. Mules were told they were helping the company’s overseas software engineers get paid for the work they were doing for American companies. In reality, the mules were being sent payments to transfer that were drawn on hacked accounts from victims like MECA.
More than $9,000 of MECA’s money was sent to Erik Rhoden, a resident of Fleming Island, Fla. Rhoden was recruited in June by the Back Office Group. Rhoden successfully transferred the funds to three individuals in Eastern Europe, but says he didn’t profit from the work. His story matches that of other mules recently recruited by Back Office, and indicates a devious shift in tactics which ensures that mules never receive a payment for their work.
Typically, the Back Office group had instructed mules to withdraw transfers in cash, pocket eight percent as a commission, and wire the remainder of the funds to specific individuals overseas. Recently, the Back Office group changed its policy, and began telling mules to transmit the entire amount. In place of commissions, mules are now promised a payday at the end of the month. That payday almost never comes.
“They said I was going to get benefits, a salary, and a bonus for each transaction, but that was all a lie,” said Rhoden, who recently landed a job as a drink server in a local bar.
MECA lost more than $70,000 from the heist, although French said she believes their Travelers cyber security policy will help recoup some or all of the loss.
“We have a $25,000 deductible, plus the cost of an ongoing forensic investigation, which is going to be pretty expensive,” she said.
MECA has since added more security features to its online banking account, and access to that account is only possible through a locked-down, dedicated computer.
“All of this is a day late and a dollar short, I guess,” French said. “Why isn’t someone out shouting on the rooftops about this fraud? People need to understand how exposed they are.”