A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.
At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West — came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.
KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters.
Ascent was unaware of the robbery at the time, but its bank would soon verify that a series of unauthorized transactions had been initiated on the 24th and then again on the 26th. The money mule I spoke with was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.
Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.
“It said the bank was offline for 24 hours, and we couldn’t get in to the site,” Shope said. “We called the bank and they said everything was fine.”
But soon enough, everything would not be fine from Bank of the West’s end. Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline. It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan — a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.
Shope said the FBI is actively investigating the breach. The FBI declined to comment for this story. Bank of the West also did not respond requests for comment.
But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve.
Shope said Bank of the West has been able to claw back about half of the stolen funds, and expects to recover a great deal more. He said many of the bigger fraudulent transfers went to other businesses. For example, one of the mules was either running or working at a Hertz equipment rental franchise on the East Coast, and had called Ascent Builders to complain after the bank discovered the fraud and began clawing back large transfers. That mule, apparently unaware he was helping thieves launder stolen money, was calling to find out what happened to his $82,000.
“We got a call from a Hertz rental equipment company back east, and they said “Why did you take this deposit out of our account?’ Shope recalled. “I asked him what he thought it was for, and he said, “Oh, this was for some equipment that we were purchasing for you guys from Russia, and we already sent the money on [to Russia], so what’s going on?”‘
A few thoughts about this attack. If you run a business and suddenly find yourself unable to log in to your commercial account, pick up the phone and call your bank to inquire about any recent money transfer activity. Very often, malware that thieves use to steal banking passwords in these cyberheists will also redirect the victim to an error page that says the bank’s site is down for maintenance. If this happens to you, call your bank and ask them to check your accounts (don’t trust a customer service phone number offered on a “down for maintenance” page; call the number on your bank card or search online for the institution’s customer service number).
Also, get educated about the risks of banking online with a business account, and then take steps to make sure your organization isn’t the next victim. Regulation E limits the liability for consumers who lose money due to unauthorized account activity online (provided they notify their financial institution of the fraudulent activity within 60 days of a statement). Businesses do not enjoy such protections, although a couple of recent court cases brought by cyberheist victims against their banks have gone in favor of the businesses, suggesting that banks may find it increasingly difficult to disavow financial liability in the wake of these attacks going forward.
Finally, consider banking online with a dedicated system. This among several recommendations I include in a short list of other tips that small businesses should consider when banking online.