February 19, 2013

A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.

At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West – came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.

KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters.

Ascent was unaware of the robbery at the time, but its bank would soon verify that a series of unauthorized transactions had been initiated on the 24th and then again on the 26th. The money mule I spoke with was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.

Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.

“It said the bank was offline for 24 hours, and we couldn’t get in to the site,” Shope said. “We called the bank and they said everything was fine.”

But soon enough, everything would not be fine from Bank of the West’s end. Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline. It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan — a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.

Shope said the FBI is actively investigating the breach. The FBI declined to comment for this story. Bank of the West also did not respond to requests for comment.

But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve.

Shope said Bank of the West has been able to claw back about half of the stolen funds, and expects to recover a great deal more. He said many of the bigger fraudulent transfers went to other businesses. For example, one of the mules was either running or working at a Hertz equipment rental franchise on the East Coast, and had called Ascent Builders to complain after the bank discovered the fraud and began clawing back large transfers. That mule, apparently unaware he was helping thieves launder stolen money, was calling to find out what happened to his $82,000.

“We got a call from a Hertz rental equipment company back east, and they said ‘Why did you take this deposit out of our account?’” Shope recalled. “I asked him what he thought it was for, and he said, ‘Oh, this was for some equipment that we were purchasing for you guys from Russia, and we already sent the money on [to Russia], so what’s going on?’”

A few thoughts about this attack. If you run a business and suddenly find yourself unable to log in to your commercial account, pick up the phone and call your bank to inquire about any recent money transfer activity. Very often, malware that thieves use to steal banking passwords in these cyberheists will also redirect the victim to an error page that says the bank’s site is down for maintenance. If this happens to you, call your bank and ask them to check your accounts (don’t trust a customer service phone number offered on a “down for maintenance” page; call the number on your bank card or search online for the institution’s customer service number).

Also, get educated about the risks of banking online with a business account, and then take steps to make sure your organization isn’t the next victim. Regulation E limits the liability for consumers who lose money due to unauthorized account activity online (provided they notify their financial institution of the fraudulent activity within 60 days of a statement). Businesses do not enjoy such protections, although a couple of recent court cases brought by cyberheist victims against their banks have gone in favor of the businesses, suggesting that banks may find it increasingly difficult to disavow financial liability in the wake of these attacks going forward.

Finally, consider banking online with a dedicated system. This is among several recommendations I include in a short list of other tips that small businesses should consider when banking online.


40 thoughts on “DDoS Attack on Bank Hid $900,000 Cyberheist”

  1. Mikle

    You very wisely point out the need for a dedicated system.

    What needs continual reemphasis is that any dedicated system remain solely for connecting with the bank(s). To use it for anything else at all can defeat its purpose entirely.

  2. Bill

    My name is not Bill, and w.stackpole@hotmail.com is not an e-mail account of mine.
    Both are filled in alongside Name (required) and email (required) on this comment page.
    Any ideas why this is?

    1. William Stackpole

      This is fraud, how dare you steal my information!!

      I have reported you to the E-police and will be filing a lolsuit, expect a subpoena from the honorable Judge Ed Lollington.

      Good day sir.

    2. Jon

      Regardless of why, posting the email address was unnecessary and will probably cause spam mail

    3. Rabid Howler Monkey

      I’ve noticed other krebsonsecurity.com posters’ name and email information presented as well, multiple times actually. I suspect (and hope) that there is a bug somewhere in the web site.

      Why hope? If not a bug, the miscreants may be at work.

      1. BrianKrebs Post author

        I have been trying to get in touch with the guy who maintains the voting plugin used on this blog, because I suspect it has something to do with that. I’m getting close to pulling the plug on that plugin and just seeing if that solves the issue. He hasn’t been responsive so far.

  3. wiredog

    I wonder if philippe.bastien.1 sees my info? We both have the same .com for our email.

    1. wiredog

      Also, I’m on Chrome.

      This time things were filled in properly. Weird.

      1. BrianKrebs Post author

        I turned off the comment rating/voting plugin, so I’d be interested to hear if anyone else is still seeing that ghosting issue with the comments. Thanks.

        1. Kent

          My name and email is correctly filled in.
          I thought it was a browser history fill-in anyway.

        2. voksalna

          Hey, that was one of my most favourite features of this ‘blog’ 🙁

        3. voksalna

          Hey, this was one of my most favourite features of this ‘blog’. 🙁

          1. BrianKrebs Post author

            Yes, I rather enjoyed it, too. Kept me from having to moderate comments, which I am loath to do. But, given the choice of dealing with a buggy plugin and hearing from 20 different worried readers each day and having less functionality on the site, I’m inclined to choose the latter.

  4. Kent

    Brian,

    Don’t these banks participate in some kind of banking association(s) where security information/guidance/best practises are given high priority ?
    If I were the bank president, I’d be reading a blog like yours every day.
    I get the feeling from reading your blog that a lot of them are fairly naive – no ?

    1. BrianKrebs Post author

      Judging from my interactions with bankers when I speak about this threat publicly, most are aware of it but maybe not particularly attuned to it. I think the focus tends to be on making sure they are meeting regulatory requirements, which are changing rapidly enough to keep most of these bank execs busy enough. Unfortunately, the cyber attack methods change even faster.

      1. Richard Steven Hack

        “maybe not particularly attuned to it”

        They couldn’t care less. It’s not their money going missing. And – so far – the situation is rare enough that ALL their customers aren’t being victimized.

        When the banks’ customers are regularly being nailed to the wall, then and only then will they change.

        And that situation will come about sooner or later.

        The problem is: Will the standard recommendations currently being suggested actually work to ameliorate the situation then? The jury is out on that, given how some hackers are bypassing two-factor authentication and even telephone call backs.

        1. Bill

          You are wrong sir! We do care about our clients, not just about their money. I have been in the online banking business for 16 years and my FI spends a good share of our time educating clients about fraud. But with all the regulatory crap coming out of Washington we spend much less time educating and more time responding to regulation.

          1. Richard Steven Hack

            “Educating about fraud” is not doing something via infrastructure to deal with fraud. More banks need to do more.

            Not that it will help, mind you! 🙂

            But blaming inaction on the requirements to respond to government regulation is a cop-out.

  5. JC

    In addition to a dedicated PC, urge your bank to offer out of band authentication like a phone call confirmation for online banking logins and external funds transfers including ACH and wire payments. If your bank refuses, vote with your feet and move to a bank that cares about and understands security.

  6. Jamie Salcedo

    Of all the places that need airtight security…It reminds me of this local bank that put more attention on computer monitoring software than it did for protection on their servers. Pretty silly decision.

  7. David

    No ghost here now, anyway. (Mine was the original Stackpole post).
    Hope this short circuits that lolsuit.

  8. Clyde tolson

    The FBI is on it. I’m sure there will be a press release soon enough.

  9. dimitry ivnsov

    what??? 900.000$ its small money its nothing why you even write about this small amount ? banks have billions who cares? 900k $ its pocket money life is expensive living is costly its not money
    why so much noise about this banking thefts and stuff? i think people make too much noise about this,? too much noise of nothing

    1. BrianKrebs Post author

      Dimitry, you misunderstand where the money was being stolen from. It wasn’t the bank that lost money. It was the victim business.

    2. Kent

      Dimitry,

      If $900K is a pittance for you, I could give you instructions on how to wire it to me, maybe help you simplify your life over there.
      😉

      -K

  10. Mike W

    I work in banking IT and although none of my banks have been hit like the bank in the story, I’m aware of quite a few incidences over the years.

    1: The banks aren’t the bad guys here. The cyber criminals are the bad guys.

    2: Don’t underestimate how good the cyber criminals are at doing their “job”.

    3: As in the story above, the customer’s system was compromised, not the bank’s.

    In similar situations the cyber criminals used the compromised machine to watch the customer’s activity for, in some cases, months so that they could make transactions that fit the normal patterns of the customer (raised no red flags). They also initiated their fraudulent transactions after the customer entered their login credentials (no matter how many factors there were). That “website down” message popped up after authentication, they were already logged in when the cyber criminals took remote control of their machine.

    Although Reg-E doesn’t cover business accounts the same as personal, banks often refund lost money (comes out of the bank’s pocket) because even though the customer’s system was compromised the bank always gets blamed for not doing enough to protect the customer’s money.

    As Krebs says, use a dedicated machine.

    You can’t surf Facebook all day on the machine you use to do banking!

    1. pmshah

      I use a live boot CD of Puppy linux to make all my critical transactions. I don’t do anything else with it !

  11. pmshah

    I am surprised that the US banking industry has not found a solution to this.

    We have 2 levels of security. For every individual transfer the bank sends out an OTP ( one time password) to the authorized individual requesting that transfer. Unless the same is fed into the appropriate box, within a certain time, the transaction does not go through.

    The second is a preprogrammed time bound code generated which must be used to log into your account.

    But then the safest is to walk down to your bank in person with the request!

  12. SteveCr48

    I heard you on Security Now, and now found your blog and website. Excellent!

    You might consider recommending a Chromebook as a dedicated access machine. They’re inexpensive, easy to use, and very secure. (Glad to answer questions/help if I can.)

  13. Doubting Thomas

    How come the Sacramento Bee never reported any of this? Makes me wonder a bit if the whole thing is really true. Not that the Bee is on top of everything, but if you search Ascent Builders there you only get 3 innocuous hits. And if you google the name you only get this guy’s blog. Seems that a bunch of cyber guys would be commenting on this.

      1. Kent

        Generally it’s probably not a great practice to judge the veracity of investigative reporting by how often it’s already been covered by other media.
        James Marshall who first found gold at Sutter’s Mill in California in 1848 probably did not spend a lot of time wondering if it was really gold or not.

        1. Kent

          . . . because no one had ever found it before.

    1. MadMonkey

      The very fact that you’re doubting Mr Krebs probably means you have little idea who he really is! Let’s just say that he can get his stories straight from the horse’s (mule’s) mouth.

      @Mr Krebs: Great idea about using a Live CD for doing your banking online!

      But what about KeyScrambler, I use it in my browser to scramble my keyboard input?

      http://www.qfxsoftware.com/

  14. sudon't

    I love how my bank – BB&T – only allows alpha/num characters for passwords. Nothing like forcing the few customers who’ll use strong passwords to dumb it down.

    1. MadMonkey

      What about those stupid security questions that are used for resetting your password?

      Questions like ‘When were you born’ or ‘What is your mother’s maiden name’ don’t increase security in my mind and could easily be compromised. Even if you did answer with something other than the truth we often forget what we wrote making them even less effective.

  15. Kent

    >>I love how my bank – BB&T – only allows alpha/num characters for passwords.

    Yeh, mine was doing that too – and a brokerage house I think.
    I haven’t checked lately, but it totally surprised me – of all the institutions you’d think the money vaults would be the ones to be totally on top of it.

    >>stupid security questions that are used for resetting your password

    I’ve been thinking of just making up gibberish answers to those and storing them in my password manager program when I have the time.
