Earlier this month, KrebsOnSecurity featured the exclusive story of a Russian organized cybercrime gang that stole more than $100 million from small to mid-sized businesses with the help of phantom corporations on the border with China. Today, we’ll look at the stranger-than-fiction true tale of an American firm that lost $197,000 in a remarkably similar 2013 cyberheist, only to later recover most of the money after allegedly plying Chinese authorities with a carton of cigarettes and a hefty bounty for their trouble.
The victim company — an export/import firm based in the northeastern United States — first reached out to this author in 2014 via a U.S. based lawyer who has successfully extracted settlements from banks on the premise that they haven’t done enough to protect their customers from cyberheists. The victim company’s owner — we’ll call him John — agreed to speak about the incident on condition of anonymity, citing pending litigation with the bank.
On Christmas Eve 2013, the accountant at John’s company logged on to the bank’s portal to make a deposit. After submitting her username and password, she was redirected to a Web page that said the bank’s site was experiencing technical difficulties and that she needed to provide a one-time token to validate her request.
Unbeknownst to the accountant at the time, cybercrooks had infected her machine with a powerful password-stealing Trojan horse program and had complete control over her Web browser. Shortly after she supplied the token, the crooks used her hijacked browser session to initiate a fraudulent $197,000 wire transfer to a company in Harbin, a city on the Chinese border with Russia.
The next business day when John’s company went to reverse the wire, the bank said the money was already gone.
“My account rep at the bank said we shouldn’t expect to get that money back, and that they weren’t responsible for this transaction,” John said. “I told them that I didn’t understand because the bank had branches in China, why couldn’t they do anything? The bank rep said that, technically, the crime wasn’t committed against us, it was committed against you.”
SMOKING OUT THE THIEVES
In April 2011, the FBI issued an alert warning that cyber thieves had stolen approximately $20 million in the year prior from small to mid-sized U.S. companies through a series of fraudulent wire transfers sent to Chinese economic and trade companies located on or near the country’s border with Russia.
In that alert, the FBI warned that the intended recipients of the fraudulent, high-dollar wires were companies based in the Heilongjiang province of China, and that these firms were registered in port cities located near the Russia-China border. Harbin, where John’s $197,000 was sent, is the capital and largest city of Heilongjiang province.
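The heist described above is instructive from the bank’s side: because the Trojan rode the accountant’s own browser session, the login, the IP address and even the one-time token all looked legitimate, so the only place left to catch the fraud was the payment order itself. The following is an added example, not code from the bank or from this story, that scores an outgoing wire on the signals the story and the 2011 FBI alert supply (first-time beneficiary, international, larger than anything the customer has sent before, beneficiary in a watched province) and holds it for a callback before release. The watch list, beneficiary names and the account’s prior maximum are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class PaymentOrder:
    amount_usd: float
    beneficiary_id: str
    beneficiary_country: str
    beneficiary_region: str = ""   # province/state, checked against the watch list

@dataclass
class AccountProfile:
    known_beneficiaries: set = field(default_factory=set)
    typical_max_usd: float = 0.0   # largest wire this customer has sent before

# Constructed watch list, modelled on the 2011 FBI alert about Heilongjiang firms.
WATCHED_REGIONS = {("CN", "Heilongjiang")}

def review_wire(order, profile, hold_at=2):
    """Return ("hold", reasons) or ("release", reasons) for a payment order.

    A man-in-the-browser Trojan submits the wire from the customer's real
    session, so device, IP and one-time-token checks all pass; the review has
    to look at what is being paid, to whom, and whether that is normal for
    this account. Holding the order keeps it reversible while staff call the
    customer on a known phone number.
    """
    reasons = []
    if order.beneficiary_id not in profile.known_beneficiaries:
        reasons.append("first payment to this beneficiary")
    if order.beneficiary_country != "US":
        reasons.append("international wire")
    if order.amount_usd > profile.typical_max_usd:
        reasons.append("larger than any previous wire from this account")
    if (order.beneficiary_country, order.beneficiary_region) in WATCHED_REGIONS:
        reasons.append("beneficiary registered in a watched region")
    return ("hold", reasons) if len(reasons) >= hold_at else ("release", reasons)

# Constructed sample orders: the $197,000 Harbin wire beside a routine vendor payment.
HARBIN_WIRE = PaymentOrder(197_000, "harbin-trade-co", "CN", "Heilongjiang")
ROUTINE_WIRE = PaymentOrder(12_000, "acme-supply", "US", "NY")
PROFILE = AccountProfile({"acme-supply"}, typical_max_usd=40_000)

if __name__ == "__main__":
    for order in (HARBIN_WIRE, ROUTINE_WIRE):
        decision, why = review_wire(order, PROFILE)
        print(order.beneficiary_id, decision, why)
```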
Undeterred, John found help through an associate whose cousin, a lawyer in China, offered his assistance. John said that initially the Harbin police were reluctant to help, insisting they first needed an official report from the FBI about the incident to corroborate John’s story.
In the end, he said, the Chinese authorities ended up settling for a police report from the local cops in his hometown. But according to John, what really sealed the deal was that the Chinese lawyer friend met the Harbin police officers with a gift-wrapped carton of smokes and the promise of a percentage of the recovered funds if they caught the guy responsible and were able to recover the money.
Two days later, the Harbin police reportedly located the business that had received the money, and soon discovered that the very same day this business had just received another international wire transfer for 900,000 Euros.
“They said the money that was stolen from us came in on a Tuesday and was out a day later,” John said. “They wanted to know whether we’d pay expenses for the two police guys to fly to Beijing to complete the investigation, so we wired $1,500 to take care of that, and they froze the account of the guy who got our money.”
In the end, John’s associate flew with her husband from the United States to Beijing and then on to Harbin to meet the attorney, and from there the two of them arranged to meet the cops from Harbin.
“They took her to the bank, where she opened up a new account,” John said. “Then they brought her to a hotel room, and three people came into that hotel room and online they made the transfer [of the amount that the cops had agreed would be their cut].”
Getting the leftover $166,000 back into the United States would entail another ordeal: John said his handlers were unable to initiate a direct wire back to the United States of such a sum unless his company already had a business located in the region. Fortunately, John’s firm was able to leverage a longtime business partner in Singapore who did have a substantial business presence inside China and who agreed to receive the money and forward it on to John’s company, free of charge.
I like John’s story because I have written over 100 pieces involving companies that have lost six figures or more from cyberheists, and very few of them have ever gotten their money back. Extra-legal remedies to recoup the losses from cybercrime are generally few, unless your organization has the money, willpower and tenacity to pursue your funds to the ends of the earth. Unfortunately, this does not describe most victim businesses in the United States.
U.S. consumers who bank online are protected by Regulation E, which dramatically limits the liability for consumers who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement).
Businesses, however, do not enjoy such protections. States across the country have adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”
Do you run your own business and bank online but are unwilling to place all of your trust in your bank’s security? That’s a sound conclusion. If you’re wondering what you can do to protect your accounts, consider adopting some of the advice I laid out in Online Banking Best Practices for Businesses and Banking on a Live CD.