May 23, 2013

A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter.

jtaOrganized cyber thieves began siphoning cash from Mooresville, N.C. based J.T. Alexander & Son Inc. on the morning of May 1, sending money in sub-$5,000 and sub-$10,000 chunks to about a dozen “money mules,” people hired through work-at-home job scams to help the crooks launder the stolen money. The mules were paid via automated clearing house (ACH) payment batches that were deducted from J.T. Alexander’s payroll account.

The attackers would repeat this process five more times, sending stolen funds via ACH to more than 60 money mules. Some of those mules were recruited by an Eastern European crime gang in Ukraine and Russia that I like to call the “Backoffice Group.” This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a nonprofit hospital in Washington state.

David Alexander, J.T. Alexander & Son’s president, called the loss “pretty substantial” and “painful,” and said his firm was evaluating its options for recouping some of the loss. The company has just 15 employees that get paid by ACH payroll transactions every two weeks. At most, J.T. Alexander’s usual payroll batch is around $30,000. But in just five days, the thieves managed to steal more than a year’s worth of employee salaries.

The company may be able to recoup some of the loss through insurance: J.T. Alexander & Son Inc.’s policy with Employer’s Mutual Casualty Company (EMC) includes a component that covers cyber fraud losses, but the coverage amount is far less than what the victim firm lost.

“They’ve got some specific coverage, but unfortunately the amount of coverage they’ve got is not going to cover anywhere near the amount of money they lost,” said Jim Mitchell, an adjuster for EMC.

According to J.T. Alexander & Son, the company’s bank — Peoples Bancorp of North Carolina Inc., a state-chartered bank with $1.1 billion in assets and 22 branches across the state — had just upgraded its security system a month prior to the cyberheist. Before the upgrade, the company’s controller had to enter a login ID, password and then enter a six-digit code that was read by an automated system at the bank that would call them.

“Also, it used to be we could only access the bank’s site from my computer,” said Kristie Williams, who works in accounting and finance for J.T. Alexander. “The way [the bank] changed it, anybody anywhere could access it as long as they had my login, and apparently that’s what happened because the logins came from a different IP address than our normal one. I think they made it more convenient, but less secure. I wasn’t aware all of that had changed.”

Peoples Bank did not return calls seeking comment.

These types of cyberheists — in which neither the victim organization nor its financial institution notice the theft for days on end — can be especially costly. It’s difficult to assign blame for such incidents to either the victim or its bank — there were failures on both parts, to be sure — but typically the liability for these breaches lies with the victim. That’s why it’s vitally important for small businesses that wish to bank online to assume they are targets of organized crime and to take the necessary precautions, wherever possible.

If you run a small business and manage your company’s accounts online, please take a moment to read my list of recommendations here: Online Banking Best Practices for Businesses.


50 thoughts on “NC Fuel Distributor Hit by $800,000 Cyberheist

  1. Richard

    Wow, this one sounds like it will go to litigation… Brian, are you able to dig up any information from sources other than Peoples Bancorp of NC about this “change”?

    Based on your previous articles, I don’t see how the bank will be able to justify going from a more secure authentication system to one that is less secure – especially if there was no attempt to notify clients of the change.

    1. Matt Peters

      I’m actually wondering about the statement that the girl that works in accounting said. It sounds logical, only having one IP be able to access the account, but that’s a lot of overhead for the bank.

      It’s normal for bank to detect that you’re logging in from a new IP and require more verification, but I haven’t heard of a bank only allowing access from one IP.

      1. Richard

        It’s more likely that their system for payroll computers was a specialized solution – I doubt it was an IP whitelist solution. A MAC-based whitelist is more likely, and not difficult to implement; for a long time cable Internet providers bound your MAC address of your computer to your cable modem… wouldn’t be a stretch to see a similar setup here.

        1. ole bin login

          Umm, Mac addresses only work to first hop! so over the vast internet the mac is that of the last device [router, switch, firewall, etc] to handle the packet.

          Ole

      2. Ben

        The bank I work for has IP whitelisting for business customers. They have to provide the IP addresses to allow (or a range of them), but we maintain the list for them so that someone doesn’t compromise the admin and change the whitelist. It’s just another layer, though…

  2. CooloutAC

    Its tough man. I could be wrong, but i’m pretty sure you can just go into your network settings in microsoft windows, at least windows 7, and change your mac address to whatever combination you want. On wired ethernet connections.

    I think most banks require 2 or 3 passwords now no?

    but ya also some companies will not only verify ip and mac address…they will also take your whole system information of your computer including hardware ids. I just got banned from a game yesterday for talking about how the hackers that ddos’d them offline are probably playing the game. Yes they are probably disgruntled players who got banned, but there is no stopping people fro playing, even with all of that. (I was already banned for doing the same thing previously) What they need to do is to tie credit cards and addresses to cell phones to text activation numbers to like Google first did.

    1. SeymourB

      MAC addresses are only visible on your local network segment. Beyond that segment all people can see is your IP address. Obviously if a device or system on your network gets compromised, then someone could remotely determine your MAC address, but barring that… MAC addresses are local.

  3. CooloutAC

    Hey Krebs, in “Online Banking Best Praitices for Businesses” you should change it to fresh hardrive instead of fresh install. haha

    1. SeymourB

      Under Windows XP and up…

      Start -> Run
      CMD (enter)
      diskpart
      list disk
      find disk number in list (example, 1)
      select disk 1
      clean
      exit

      Voila, you now have a “new” hard disk.

  4. george

    I feel the article is a bit short on details this time. It is said they were notified by a reporter after 5 days, but how did the reporter knew ? Was he notified by one of the money mules ?
    Locking on IP address or MAC address would not have been an effective deterrent, if Mrs. Williams was not aware other computer than hers can be used to login she probably did not introduced her login credentials anywhere else. Since they got stolen, it would imply a trojan was active on the very computer she was used for banking. And if a trojan was there, the thieves could use any method to circumvent that IP address whitelist, probably proxying transactions through her computer…It turned out it was not necessary since a different IP seems to be in the logs, but if it was, they would have done it…

    1. me

      I presume the reporter in this case is one skilled enough to have found out about it through certain associations with a persona we likely don’t even know (ahem – Mr. Krebs), No?

      If there were a trojan responsible here to have stolen the credentials then that proves again how important and beneficial it is to have a dedicated system for banking (no web browsing access, no email client or email access, etc. – just straight vanilla access to the bank website through a proxy firewall, everything else dropped by that proxy). You could take it a step further and have a snapshot running on that system if it’s a VM and roll it back nightly if there is no data kept on it just to be sure any infestations are wiped if there is somehow a compromise via other means.

      1. Frank

        Good luck getting small/medium size business owners to even understand what you just said, let alone implement something like that. I am a banker, and basically our clients think it is our job to protect their PCs/Network and will do nothing to protect themselves, or do not have the resources/knowledge to even contemplate this type of protection.

        We offer IP whitelist and reccomend stand alone PCs amoung other things, but most of the time we get excuses as to why they can’t or wont.

    2. BrianKrebs Post author

      Ouch. I think, George, that I’ve just spoiled you in the past with more details about these heists than you would normally get anywhere else. :p

      Yes, I interviewed some of the mules involved, as I always do, but I didn’t want that to be a focus of this story.

      Every cyberheist I’ve written about involved custom versions of ZeuS (SpyEye or Citadel), basically a powerful banking and remote control trojan that goes undetected by antimalware tools on the victim’s PC. In most cases, the infected system is the CFO’s or the bookkeeper’s computer.

      1. DavidM

        Brian, I know you have interviewed the money mules and the victims and I believe you tried to get interviews with some of the other banks involved in past heists like these.

        I would love to know what Western Union / MoneyGram has to say about these. It almost seems like in every case these types of money transfers by the mules seem to use these two services and they seem to more than not headed to the Ukraine or Russia.

        I wonder if these transfers are heading to some of the same outlets in Russia and the Ukraine used in these and past tranactions.

        There has to be some complicity by some of these outlets in this scam. You have to know the senders identity on the other end and you have to have ID to pick them up.

        One would have to wonder why there aren’t flags being raised that 5k and 10k transfers being picked up at a variety of Western Union/MoneyGram locations in short spurts.

        In this story they said they drained this over 5 days, you would have to think that all these 5k and 10k pick ups are going to spread out but not too far, the crooks controlling this aren’t going to let these pick up get too far out of sight.

        Now either these guys are going everyone false ID (which I suspect is true to some instances) but I wonder if some of these locations in the Ukraine and Russia aren’t being paid a fee to let the pick up person whom the transfers are going to slide through with no issues.

        I find it hard to believe that they can continue to use these services again and again and again with no real tangable results or increased safeguards to prevent this, expecially since these seem to happen in a short period of days and the amounts seem to be significant in total.

        1. george

          @ DavidM

          Yes, it also passed through my head, to what extent WU and MG have an incentive to do something about it ? On one hand, they risk an image problem, on the other hand, if the cyber-heists stop using them completely they might lose income. A lot of income if I do a math regarding the amounts stolen and transferred through them. Maybe if a law would came to make their fee mandatory reimbursable to the victim if a transaction was proven fraudulent, they could be more energetic in preventing this link in the fraud ecosystem.

          1. DavidM

            I was thinking along those lines as well, because Western Union and MoneyGram seem to be the choice of these groups to wire the money back to Russia & the Ukraine

            Of course they both earn the fees off those money transfers, but even so they must see some of the same outlets receiving these transfers. You can only spread them out so far before there has to some of the same outlets and same characters.

            And they all require you to have some photo id to pick them up and know the identity of the sender. With that being said I wonder if some of these outlets are being a little complicit in helping these groups retrieve the money.

            Western Union and Money Gram surely know they are processing a lot of stolen money transfers after the fact. I have to question their methodology in what they are doing in prevention of this.

            Upon looking at both their sites it doesn’t seem much has changed in their sendor and receiver policies for the recipients in way of ID etc to confirm sending and receiving these transfers.

            You would have to think they must look at the franchisee or branches that are recieveing these transfers and how many actually get disciplined.

            The other things I wonder is have the bad guys set themselves up as a supposed legit business and become a agent or franchisee of either Western Union or MoneyGram.

            It would be a lot easier to pass transfers through ones they controlled as they could fabricate who the receiver is as they would have inside knowledge, and they would also be able to keep abreast of what Western Union and MoneyGram are doing to watch for these types of stolen money wire transactions.

      2. george

        @Brian,
        Yes, is true, we were spoiled :). But.. is it you who created the golden standard on reporting those crimes and we’ve grown to expect nothing less, every single time.

  5. Nonya Binness

    “I think they made it more convenient, but less secure.” In the words of an Army General Officer, now retired, “Convenience kills.”

  6. DD

    Two observations:

    1) Poor controls equal poor results. (That’s on the Victim Company since there are always going to be bad people in the world)
    2) The bank should have BSA controls in place to detect transactions like this. If you have a payroll account that normally performs “payroll” on a certain day, then shouldn’t you notice 5k transactions over and over again in a 5 day period? If I’m the victim company, that’s the first thing I’m going to ask my general counsel. Either they bank is out of compliance or the bank failed to manage their controls effectively. Either way, it seems like this falls short of being all the fault of the victim company. Does it not?

    1. SeymourB

      In legal cases usually you have two things to determine:

      1) Was the party negligent
      2) To what percentage were both parties negligent

      Basically 1 tells you whether to throw out the case or continue to trial or whatever. 2 is after they’ve won (or lost) their case and they’re determining damages. It’s very rarely 100%/0%.

  7. xlr82sas

    These Banks should require payroll access to be 2 factor token based authentication besides having adequate monitoring for out of pattern transactions.

  8. Yosef

    So how do you detect ZeuS (SpyEye or Citadel) or know that it is present? Live CDs should work, are Macs a reasonably safe solution? Do the bad guys get a machine infected with a common virus and then infect it with a customized virus that will not be detected since it is unique?

    1. Ben

      Customers are commonly specifically targeted using phishing and social engineering. When they click the link in the email, a specialized version of the malware is loaded on their computer to avoid detection from scanners.

      More and more often now, companies are being scouted by local agents and then specifically targeted.

      Live CD’s are still one of the most cost-effective ways to prevent compromise, except when customers then use the Live CD to check their email before they log in to the bank (yes, it happens.)

  9. Phil Agcaoili

    Cyber liability insurance is a good idea for many small-to-medium businesses.

    More importantly, bank and financial services security aren’t elite as many believe. Most of their regulations and audits (i.e. FFIEC, FDIC, NCUA, OCC, CFPB, FTC, IRS, Treasury, SEC, FINRA, Guarantors, etc.) are based only on:
    1. Access Controls and
    2. Segregation of Duties.

    Any reasonably mature organization is way beyond the simplistic controls embodied in the Financial Services Sector audit and regulatory regimes.

    Auditors don’t understand security. They test the basics mentioned above (ONLY Access Controls and Segregation of Duties).

    They aren’t worried about inside attackers and totally miss external attackers.

    The Financial Services Sector audit and regulatory regimes need reform and hope that the Presidential EO on cybersecurity changes their security posture and maturity level for the better so that the Financial Services Sector can actually protect their portion of cyberspace, stop wasting time trying to provide meaningless security attestations for a myopic problem set (Access Controls and Segregation of Duties), and evolve beyond meaningless regulatory audits that are all seeking to answer the same question–
    “Are the bank’s practices safe to do business with?”

    Security assurance for all sectors will continue to heat up with cybersecurity.

    Here’s what we did at the Cloud Security Alliance with the American Institute for CPAs (AICPA) to help define simpler, but more rigorous security and privacy attestations for cloud service providers.
    https://blog.cloudsecurityalliance.org/2013/02/25/csa-drafts-new-position-paper-on-aicpa/
    https://cloudsecurityalliance.org/research/collaborate/#_aicpa

    Previously the SAS 70 attestation was used for this, and we’ve bolstered and added a more trusted security and privacy attestation through the SOC 2 attestation (and SOC 3 for public use) using the Cloud Controls Matrix (CCM) as supporting material.

    1. Mr Auditor

      “Auditors don’t understand security.” You are wrong Phil. Most auditors do understand security that includes reviews for firewalls and malware prevention/detection such as Trusteer. I think your statement is to drum up business to your links. 🙂

      1. DD

        I don’t know if I’d say that most auditor’s understand security. But I wouldn’t say they don’t understand it either.

        Auditor’s understand what their clients (internal or external) pay them to understand. If the client wants an assessment that only cover basic authentication controls then that’s what they get.

        If you want companies to have better security, you could start by having required audits that took a deeper dive into security controls. You can’t blame auditors for the rules of the game though – because they don’t have anything to do with making the rules.

      2. KathyB

        I agree with Mr Auditor. The auditor doing vulnerability assessments, GLBA Compliance, and security management audits where I work is a white hat hacker with impeccable credentials. I have found the IT auditor the FDIC sends when undergoing a safety and soundness exam isn’t as savvy as I’d like to see.

      3. Richard Steven Hack

        I think the consensus of hardcore infosec experts is that auditing and auditors aren’t terribly effective.

        It is true that auditors are frequently constrained by management as to WHAT they are allowed to audit and how deeply. In the end, the buck stops with management – always.

        But auditing that isn’t the equivalent of a full-scale red team test basically isn’t going to provide real security. At best it’s going to, as your post said, check the firewalls and the antimalware setup – which is far from adequate when confronted by today’s hackers.

        1. Mr Auditor

          Show us support for your comment “I think the consensus of hardcore infosec experts is that auditing and auditors aren’t terribly effective.” Do you have a valid survey link? Or are you trying to drum up business too?

          1. Richard Steven Hack

            Just review the literature and the infosec conference videos. I’ve never heard much good spoken of auditing, especially PCI auditors.

            Security is HARD to do. An auditor’s job really should be just to come in and verify that what’s been claimed to be done has been done. Leave the really difficult work of DOING IT to the experts.

            1. Mr Auditor

              Your statement “I’ve never heard much good spoken of auditing, especially PCI auditors.”

              Thanks Richard. Auditors will remember what you said when the Auditors need assistance. 🙂

  10. Bill

    Upgrade? Did they start encoding the six digit number with one time use pads? Add a third factor of authentication?

    I know. . . require entry of data delivered by carrier pigeon as a third token. How hard is it to misdirect a pigeon to landing on the wrong building?

    @CooloutAC: Most stacks will only allow you to change the MAC address to start with 4200 (4000 on token ring). If the address you tried did not start with that, it would change the fist 4 digits for you. At least that used to be the case when I last played with manual MAC addresses.

    1. voksalna

      You can change your MAC address to whatever you want to change it to; whether your Operating System (ie its drivers) and your networking card/cards are compatible, however, depends on what you are using. Most modern kernels support this for all of the standard chipsets (and many of the non-standard ones). We don’t live in 1997. 🙂

      1. CooloutAC

        yes only possible for wired connections. I mean i guess basically if you get all the info off the victims computers these hackers can spoof it all. . To me any sort of hardware identification is not a good security solution.

        1. CooloutAC

          or i guess they can just take control of the pc too. I think we need more creative ways to enter passwords and receive activation codes….

          of course better encrypted connections would help to.

  11. voksalna

    “had just upgraded its security system a month prior to the cyberheist. Before the upgrade, the company’s controller had to enter a login ID, password and then enter a six-digit code that was read by an automated system at the bank that would call them.”
    “Also, it used to be we could only access the bank’s site from my computer,”… “The way [the bank] changed it, anybody anywhere could access it as long as they had my login”

    ‘Upgraded’ here is humour at its finest. With banks considering this an ‘upgrade’, I wonder what they would consider a downgrade.

    Brian, I have often wondered if somebody passes you server info from the mule sites and helped you get in touch with law enforcement and the mules in question. Generally these servers are not too well protected aside from DDOS and takedown (if what I have read elsewhere is true, of course). I have long assumed you and Xylibox and the other ‘people who hack ‘hackers” are in close contact. I do not suppose we will find out about your methods here?

  12. Ronm

    I have noticed that some banks are charging a lot for little companies to check up their account. I can imagine that little companies don’t want to check their accounts every day. So banks actually are supporting criminal behaviour by not supporting companies to keep an eye on their assets.

    I think it would be a win-win sitation if banks would allow their (little) customers to keep track on their saldo and only charge them for really making use of the service of banks to pay their creditors…

    Maybe they (the banking sector) would deliver their clients (untangeable) devices with which they could securely order financial transactions.

    But I guess this is a bit too ideal to become true, though I would challenge hardware manufacturers to develop such devices and to acquire sales teams which could sell them to the banking sector.

    (Imaging little terminals, with which you would order transactions like you would in a store, also for personal use?)… Just an idea 🙁

    Disclaimer: I am not native english, please don’t react on my language. But if you want to discuss the contents or intents, please do!

    1. voksalna

      Quite a lot of banks nowadays offer SMS notification (not two-factor authentication, though some offer that also) for transactions and balances. Generally this costs the customer little to nothing (provided the bank offers it).

  13. Ronm

    Addenum

    Why doesn’t the banking sector offer customers terminals (LCD screens) completly dedicated to order financial transactions.

    Just setup a protocol, a standardizing organisation and supply their customers with a dedicated (trusted) terminal…

    Forget the websites and the compliance to all kind of webbrowsers. Get payment transactions completly out off the realm of personal computers…

    I just have a little too much imagination…

    1. Rick Zeman

      “Just setup a protocol, a standardizing organisation and supply their customers with a dedicated (trusted) terminal…”

      A dedicated trusted terminal….like an ATM is?

      Oh wait…..

      1. Ronm

        Haha, yeah just like a kind of ATM…

        But only for personal use, crafted (physically) anticipating all kinds of intrusion or deception… Examples enough 😉

        And I am talking about little companies and private customers.
        Big companies could make use of the same idea but then not with a manual input…

        My idea behind this is to create hardware devices (according some standards) which could safely supply customers to communicate with their financial service providers.

        Let’s face it, a multifunctional webbrowser with all it’s convenience, never will be secure enough!

    2. Derek

      Not sure how developing a dedicated hardware system for SMB banking would fly. Banks would not give it away because the development and support costs would exceed their liabilities under the current system. SMB customers would not buy it because it would cost more than what they perceive their risk to be. If they understood the risk, then it would just be cheaper to build a dedicated Live CD-based PC per Brian’s recommendations (easily under US$1,000).

  14. john senchak

    The problem I have here is that Employer’s Mutual Casualty Company has to pay a claim for the banks lack of proper authentication before the money was transferred to the money mules . This means all companies who have policies with E.M.C.C. will now have to pay higher rates for company liability insurance because the actions of cyber-criminals.

    1. Rick Zeman

      I’ve been thinking that bankers/LE should be doing the old “trojan horse” approach. We all know that money mules are the key link in this business. We all know how they’re hired (work at home scams, secret shoppers, etc). What’s to stop some good guys (the more the merrier) from signing up and thus knowing instantly when a haul is going down when $9,000 hits their monitored account.
      I’d imagine there’d need to be some sort of industry-wide indemnification, but what would happen if the thieves didn’t know whom they could or could not trust? I’d like to think that their model would shatter after a while.

    2. Richard Steven Hack

      This is why “cyber-insurance” will not work.

      Because cybercrime is ubiquitous and becoming more so, eventually the insurance companies will have to do one or both of two things:

      1) Raise premiums to the point where the client might as well have paid for decent security in the first place, or…

      2) Require companies to pay for decent security before issuing the policy – in which case the client might as well have paid for decent security in the first place.

      Cybercrime is not like rare events like fires which can be covered by insurance – it’s too common.

  15. Random client

    Peoples Bank notified all their clients several times via email to the changes. I find it hard to beleive they missed this. I personally received at leat 6 email on it.

  16. JK

    Seems like if this bank (or any bank) took security seriously, the solution isn’t that hard. Give the customer a USB smartcard containing a private crypto key. The bank keeps the public key. No one can login and take money out of the account unless they possess the USB device with the private key. Require the customer to use this USB device whenever they move money out of the account, or else no liability on the part of the bank. What’s so hard about that??

    In general, ACH has no security. Anyone who knows your bank routing number and account number can put through an ACH transaction to drain your account. There are plenty of websites that will put through a payment if the customer can provide take information. There’s no additional authentication. How do banks get away with this?

    1. Richard Steven Hack

      A USB smartcard won’t help you if your machine is compromised. The private key could probably be accessed.

      Any bank transaction security absolutely requires a dedicated machine of some sort that is never connected to the Internet or used for any other purpose than bank transactions. And which cannot be physically accessed within the company either except by authorized personnel.

      The suggestion that banks develop and deploy dedicated devices is a good one, The problem is who will pay for them?

      There have been discussions on Bruce Schneier’s blog on how such devices could be constructed to be relatively cheap and reasonably secure.

  17. Yaya

    It’s a shame that more companies don’t use a dedicated machine for bank access. It isn’t like computers are all that expensive anymore…especially not when compared with $800K.

    I wonder why more banks don’t just offer a dedicated terminal to their commercial clients. Netbooks are sub-$300 and could be customized and locked-down to one use. They also could bundle this with some kind of cyber-heist insurance to cover the cost.

Comments are closed.