Target: Small Businesses


22
May 19

Legal Threats Make Powerful Phishing Lures

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variation of the following message:

{Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.} <legal@wpslaw.com>

Hi,

The following {e-mail | mail} is to advise you that you are being charged by the city.

Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.

Please download and read the attached encrypted document carefully.

You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

Note: The password for the document is 123456

The template above was part of a phishing kit being traded on the underground, and the user of this kit decides which of the options in brackets actually get used in the phishing message.

Yes, the spelling/grammar is poor and awkward (e.g., the salutation), but so is the overall antivirus detection rate of the attached malicious Word document. This phishing kit included five booby-trapped Microsoft Word documents to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this trojan have been associated with ransomware, but the attackers in this case can use the trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses — most of them ending in Canadian (.ca) domains — although there were also some targets at companies in the northeastern United States. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers. Continue reading →


14
Aug 15

Cyberheist Victim Trades Smokes for Cash

Earlier this month, KrebsOnSecurity featured the exclusive story of a Russian organized cybercrime gang that stole more than $100 million from small to mid-sized businesses with the help of phantom corporations on the border with China. Today, we’ll look at the stranger-than-fiction true tale of an American firm that lost $197,000 in a remarkably similar 2013 cyberheist, only to later recover most of the money after allegedly plying Chinese authorities with a carton of cigarettes and a hefty bounty for their trouble.

wirefraudThe victim company — an export/import firm based in the northeastern United States — first reached out to this author in 2014 via a U.S. based lawyer who has successfully extracted settlements from banks on the premise that they haven’t done enough to protect their customers from cyberheists. The victim company’s owner — we’ll call him John — agreed to speak about the incident on condition of anonymity, citing pending litigation with the bank.

On Christmas Eve 2013, the accountant at John’s company logged on to the bank’s portal to make a deposit. After submitting her username and password, she was redirected to a Web page that said the bank’s site was experiencing technical difficulties and that she need to provide a one-time token to validate her request.

Unbeknownst to the accountant at the time, cybercrooks had infected her machine with a powerful password-stealing Trojan horse program and had complete control over her Web browser. Shortly after she supplied the token, the crooks used her hijacked browser session to initiate a fraudulent $197,000 wire transfer to a company in Harbin, a city on the Chinese border with Russia.

The next business day when John’s company went to reverse the wire, the bank said the money was already gone.

“My account rep at the bank said we shouldn’t expect to get that money back, and that they weren’t responsible for this transaction,” John said. “I told them that I didn’t understand because the bank had branches in China, why couldn’t they do anything? The bank rep said that, technically, the crime wasn’t committed against us, it was committed against you.” Continue reading →


25
Sep 14

$1.66M in Limbo After FBI Seizes Funds from Cyberheist

A Texas bank that’s suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that’s been frozen by the federal government as part of an FBI cybercrime investigation.

robotrobkbIn late June 2012, unknown hackers broke into the computer systems of Luna & Luna, LLP, a real estate escrow firm based in Garland, Texas. Unbeknownst to Luna, hackers had stolen the username and password that the company used to managed its account at Texas Brand Bank (TBB), a financial institution also based in Garland.

Between June 21, 2012 and July 2, 2012, fraudsters stole approximately $1.75 million in three separate wire transfers. Two of those transfers went to an account at the Industrial and Commercial Bank of China. That account was tied to the Jixi City Tianfeng Trade Limited Company in China. The third wire, in the amount of $89,651, was sent to a company in the United States, and was recovered by the bank.

Jixi is in the Heilongjiang province of China on the border with Russia, a region apparently replete with companies willing to accept huge international wire transfers without asking too many questions. A year before this cyberheist took place, the FBI issued a warning that cyberthieves operating out of the region had been the recipients of approximately $20 million in the year prior — all funds stolen from small to mid-sized businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies (PDF) on the border with Russia.

Luna became aware of the fraudulent transfers on July 2, 2012, when the bank notified the company that it was about to overdraw its accounts. The theft put Luna & Luna in a tough spot: The money the thieves stole was being held in escrow for the U.S. Department of Housing and Urban Development (HUD). In essence, the crooks had robbed Uncle Sam, and this was exactly the argument that Luna used to talk its bank into replacing the missing funds as quickly as possible.

“Luna argued that unless TBB restored the funds, Luna and HUD would be severely damaged with consequences to TBB far greater than the sum of the swindled funds,” TBB wrote in its original complaint (PDF). TBB notes that it agreed to reimburse the stolen funds, but that it also reserved its right to legal claims against Luna to recover the money.

When TBB later demanded repayment, Luna refused. The bank filed suit on July 1, 2013, in state court, suing to recover the approximately $1.66 million that it could not claw back, plus interest and attorney’s fees. Continue reading →


13
Aug 14

Tenn. Firm Sues Bank Over $327K Cyberheist

An industrial maintenance and construction firm in Tennessee that was hit by a $327,000 cyberheist is suing its financial institution to recover the stolen funds, charging the bank with negligence and breach of contract. Court-watchers say the lawsuit — if it proceeds to trial — could make it easier and cheaper for cyberheist victims to recover losses.

teciIn May, 2012, Kingsport, Tenn.-based Tennessee Electric Company Inc. (now TEC Industrial) was the target of a corporate account takeover that saw cyber thieves use a network of more than four dozen money mules to siphon $327,804 out of the company’s accounts at TriSummit Bank.

TriSummit was able to claw back roughly $135,000 of those unauthorized transfers, leaving Tennessee Electric with a loss of $192,656. Earlier this month, the company sued TriSummit in state court, alleging negligence, breach of contract, gross negligence and fraudulent concealment.

Both companies declined to comment for this story. But as Tennessee Electric’s complaint (PDF) notes (albeit by misspelling my name), I called Tennessee Electric on May 10, 2012 to alert the company about a possible cyberheist targeting its accounts. I’d contacted the company after speaking with a money mule who’d acknowledged receiving thousands of dollars pulled from the firm’s accounts at TriSummit.

According to the complaint, the attackers first struck on May 8, after Tennessee Electric’s controller tried, unsuccessfully, to log into the bank’s site and upload that week’s payroll batch (typically from $200,000 to $240,000 per week). When the controller called TriSummit to inquire about the site problems, the bank said the site was probably undergoing maintenance and that the controller was welcome to visit the local bank branch and upload the file there. The controller did just that, uploading four payroll batches worth $202,664.47.

[SIDE NOTE: When I spoke with Tennessee Electric’s controller back in 2012, the controller for the company told me she was asked for and supplied the output of a one-time token upon login. This would make sense given the controller’s apparent problems accessing the bank’s Web site. Cyber thieves involved in these heists typically use password-stealing malware to control what the victim sees in his or her browser; when a victim logs in at a bank that requires a one-time token, the malware will intercept that token and then redirect the victim’s browser to an error page or a “down for maintenance” message — all the while allowing the thieves to use the one-time token and the victim’s credentials to log in as the legitimate user.]

On May 9, Tennessee Electric alleges, TriSummit Bank called to confirm the $202,664.47 payroll batch — as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone. But according to Tennessee Electric, the bank for some reason had already approved a payroll draft of $327,804 to be sent to 55 different accounts across the United States — even though the bank allegedly never called to get verification of that payment order.

Tennessee Electric alleges that the bank only called to seek approval for the fraudulent batch on May 10, more than a day after having approved it and after I contacted Tennessee Electric to let them know they’d been robbed by the Russian cyber mob.

ANALYSIS

This lawsuit, if it heads to trial, could help set a more certain and even standard for figuring out who’s at fault when businesses are hit by cyberheists (for better or worse, most such legal challenges are overwhelmingly weighted toward banks and quietly settled for a fraction of the loss).

Consumers who bank online are protected by Regulation E, which dramatically limits the liability for consumers who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement).

Businesses, however, do not enjoy such protections. States across the country have adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

Under state interpretations of the UCC, the most that a business hit with a cyberheist can hope to recover is the amount that was stolen. That means that it’s generally not in the business’s best interests to sue their bank unless the amount of theft was quite high, because the litigation fees required to win a court battle can quickly equal or surpass the amount stolen. Continue reading →


20
Jun 14

Oil Co. Wins $350,000 Cyberheist Settlement

A California oil company that sued its bank after being robbed of $350,000 in a 2011 cyberheist has won a settlement that effectively reimbursed the firm for the stolen funds.

oilmoneysmallTRC Operating Co. Inc., an oil production firm based in Taft, Calif., had its online accounts hijacked after an account takeover that started late in the day on Friday, November 10, 2011. In the ensuing five days, the thieves would send a dozen fraudulent wires out of the company’s operating accounts, siphoning nearly $3.5 million to accounts in Ukraine.

The oil firm’s financial institution, Fresno-based United Security Bank, successfully blocked or recalled all but one of the wires – for $299,000. Nevertheless, TRC  later sued its bank to recover the remaining wire amount, arguing that USB failed to offer a commercially reasonable security procedure because the bank offered little more than a user name and password to help secure the account.

“For all intents and purposes, they got a user name and password, but were never offered any other security,” said Julie Rogers, an attorney for the Dincel Law Group, the San Jose firm that represented TRC in the dispute (as well as another California cyberheist victim that successfully sued its bank for $400,000 in 2012).  “TRC had a cash management liaison assigned to them by the bank who assured them that this was all safe and reliable.”

Last week, just days before the case was set to go to trial, the insurance company for the bank settled the lawsuit, agreeing to cut a check for $350,000 to the oil company and with neither side admitting fault in the incident. Under California law, the most that any business can recover from a cyber fraud lawsuit is the amount stolen from its accounts — plus interest. Continue reading →


16
Jun 14

Ruling Raises Stakes for Cyberheist Victims

A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution’s legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases.

Choice Escrow and Land Title LLC sued Tupelo, Miss. based BancorpSouth Inc., after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use choose dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

A trial court was unconvinced, and last week The 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.

“It’s a good opinion for banks [and] it’s definitely more pro-bank than pro-consumer,” said Dan Mitchell, a lawyer who chairs the data security practice at Bernstein Shur in Portland, Maine. “The appellate court found the same thing as the basic court. The customer was offered dual controls — that two people should be required to sign off on all transactions — and they were informed that it was important for them to take advantage of this. So, when [Choice Escrow] made an informed decision in writing not to use dual controls, the bank was careful to document that.”

Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. Bancorp South had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could recover the costs from the escrow firm. Continue reading →


8
Jan 14

Firm Bankrupted by Cyberheist Sues Bank

A California escrow firm that was forced out of business last year after a $1.5 million cyberheist is now suing its former bank to recoup the lost funds.

casholeA state-appointed receiver for the now defunct Huntington Beach, Calif. based Efficient Services Escrow has filed suit against First Foundation Bank, alleging that the bank’s security procedures were not up to snuff, and that it failed to act in good faith when it processed three fraudulent international wire transfers totaling $1,558,439 between December 2012 and February 2013.

The lawsuit, filed in the Superior Court  for Orange County, is the latest in a series of legal battles over whether banks can and should be held more accountable for losses stemming from account takeovers. In the United States, consumers have little to no liability if a computer infection from a banking Trojan leads to the emptying of their bank accounts — provided that victims alert their bank in a timely manner. Businesses of all sizes, however, enjoy no such protection, with many small business owners shockingly unaware of the risks of banking online.

As I wrote in an August 2013 story, the heist began in December 2012 with a $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.

This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.

Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.

Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut the company down. As a result, Efficient was forced to lay off its entire staff of nine employees.

On Dec. 6, the lawyer appointed to be Efficient’s receiver sued First Foundation in a bid to recover the outstanding $1.1 million on behalf of the firm’s former customers. The suit alleges that the bank’s security procedures were not “commercially reasonable,” and that the bank failed to act in “good faith” when it processed international wire transfers on behalf of the escrow firm.

Like most U.S. states, California has adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

As evidenced by the dozens of stories in my series, Target: Small Businesses, companies do not enjoy the same protections as consumers when banking online. If a banking Trojan infection results in cyber thieves emptying the bank accounts of a small business, that organization is essentially at the mercy of their financial institution, which very often in these situations disavows any responsibility for the breach, and may in fact stonewall the victim company as a result. That can leave victim organizations in a quandary: They can swallow their pride and chalk it up to a learning experience, or opt to sue the bank to recover their losses. Of course, suing your bank can be cost-prohibitive unless the loss is significantly larger than the amount the victim might expect to spend hiring lawyers to pursue the case on the often long road to settlement or trial.

The plaintiffs in this case allege that part of the reason the bank’s security procedures were not commercially reasonable was that one component of the bank’s core security protection — the requirement that customers enter a code generated by a customer-supplied security token that changes every 32 seconds — had failed in the days leading up to the fraudulent transfers. I would argue that security tokens are a mere security speed bump whose effectiveness is easily bypassed by today’s cyber thieves. But in any case, this lawsuit claims that rather than address that failure, the bank simply chose to disable this feature for Efficient Services.

First Foundation did not return calls seeking comment. But the bank did produce an incident report that is now public record, thanks to this lawsuit (see the “Exhibit J” section of this PDF case document). The document states that the company had previously performed international wire transfers, and so it saw nothing unusual about half-million-dollar transfers to China. According to the plaintiffs, however, Efficient escrow had merely inquired about the possibility of international wires, yet had not actually performed wire transfers outside of the United States previously.

Continue reading →


14
Nov 13

Feds Charge Calif. Brothers in Cyberheists

Federal authorities have arrested two young brothers in Fresno, Calif. and charged the pair with masterminding a series of cyberheists that siphoned millions of dollars from personal and commercial bank accounts at U.S. banks and brokerages.

Photo: Fresnorotary.org

Adrian, left, and Gheorghe Baltaga (right). Photo: Fresnorotary.org

Taken into custody on Oct. 29 were Adrian and Gheorghe Baltaga, 25 and 26-year-old men from Moldova. Documents unsealed by the U.S. District Court for the Northern District of California laid out a conspiracy in which the brothers allegedly stole login credentials for brokerage accounts of Fidelity Investments customers, and then set up fraudulent automated clearing house (ACH) links between victim accounts and prepaid debit card accounts they controlled.

From there, according to the government, the men then used the debit cards to purchase money orders from MoneyGram and the U.S. Postal Service, which were deposited into different accounts that they could pull cash from using ATM cards. An attorney for the Baltaga brothers did not respond to multiple requests for comment.

According to interviews with investigators, the Baltaga indictments (PDF) reveal surprisingly little about the extent of the cybercrimes that investigators believe these men committed. For example, sources familiar with the investigation say the Baltaga brothers were involved in a 2012 cyberheist against a Maryland title company that was robbed of $1.7 million.

In April 2012, I was tracking a money mule recruitment gang that had hired dozens of people through bogus work-at-home jobs that were set up to help cybercrooks launder funds stolen from hacked small businesses and retail bank accounts. One of the mules I contacted said she’d just received notification that she was to expect a nearly $10,000 transfer to her bank account, and that she should pull the money out in cash and wire the funds (minus her 8 percent commission) to three different individuals in Ukraine and Russia.

The mule said she’d been hired by a software company in Australia, and that her job was to help the firm process payments from the company’s international clients. This mule told me the name of her employer’s “client” that had sent the transfer, and a Google search turned up a Washington, D.C.-area title firm which asked not to be named in this story out of concern that company’s competitors would use it against them.

Baltaga residence in Fresno.

Baltaga residence in a Fresno gated community.

That title firm was unaware of it at the time, but fraudsters had recently installed the ZeuS Trojan on an employee’s computer and were using it to send wire transfers and ACH payments to money mules and to bank accounts controlled by the bad guys. In many cases, victim companies will react with hostility when alerted to such crimes by a reporter, but in this case the company quickly contacted their bank and discovered that the thieves had already pushed through more than $700,000 in fraudulent wires and ACH payments. Just minutes before I contacted the title firm, the crooks had initiated a fraudulent wire transfer of $1 million.

The company and its bank were ultimately able to block the $1 million wire and claw back about half of the $700,000 in wires and fraudulent ACH transfers. The firm and its bank seemed doomed to battle it out in court over the remaining amount, but earlier this year the two sides reached a confidential settlement.

Continue reading →


7
Aug 13

$1.5 million Cyberheist Ruins Escrow Firm

A $1.5 million cyberheist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds.

casholeThe heist began in December 2012 with a roughly $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.

This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.

Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.

Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut it down.

Up until the past few weeks, the firm’s remaining funds have been tied up in a conservatorship established by the state, effectively barring the company’s owners from accessing any of its money. In early July, the state appointed a receiver to help wind up the company’s finances.

The court-appointed receiver — Peter A. Davidson of Ervin Cohen & Jessup LLP in Beverly Hills — said he and the company are contemplating their options for recovering more of the lost funds from the bank — Irvine, Calif. based First Foundation.

“We’re exploring what choices we have to recover funds for those who had escrows and are owed money,” Davidson said. “We filed a claim with the insurance company and we’re looking at our options for possibly dealing with the bank.”

Davidson said the bank’s business customer logins were protected by a username, password and a dynamic token code, but that the one-time token wasn’t working at the time of the fraud.

First Foundation did not respond to requests for comment.

Efficient’s co-owner Daniel J. Crenshaw said the bank produced a report shortly after the heist concluding that the missing funds were stolen not in a cyberheist but instead embezzled by an employee of Efficient Services. Crenshaw said the bank later backed away from that claim, after the state appointed a local forensics expert to examine the controller’s computer; sure enough, they discovered that the system had been compromised by a remote access Trojan prior to the heist.

Continue reading →


23
May 13

NC Fuel Distributor Hit by $800,000 Cyberheist

A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter.

jtaOrganized cyber thieves began siphoning cash from Mooresville, N.C. based J.T. Alexander & Son Inc. on the morning of May 1, sending money in sub-$5,000 and sub-$10,000 chunks to about a dozen “money mules,” people hired through work-at-home job scams to help the crooks launder the stolen money. The mules were paid via automated clearing house (ACH) payment batches that were deducted from J.T. Alexander’s payroll account.

The attackers would repeat this process five more times, sending stolen funds via ACH to more than 60 money mules. Some of those mules were recruited by an Eastern European crime gang in Ukraine and Russia that I like to call the “Backoffice Group.” This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a nonprofit hospital in Washington state.

David Alexander, J.T. Alexander & Son’s president, called the loss “pretty substantial” and “painful,” and said his firm was evaluating its options for recouping some of the loss. The company has just 15 employees that get paid by ACH payroll transactions every two weeks. At most, J.T. Alexander’s usual payroll batch is around $30,000. But in just five days, the thieves managed to steal more than a year’s worth of employee salaries.

The company may be able to recoup some of the loss through insurance: J.T. Alexander & Son Inc.’s policy with Employer’s Mutual Casualty Company (EMC) includes a component that covers cyber fraud losses, but the coverage amount is far less than what the victim firm lost.

Continue reading →