Target: Small Businesses


14
Nov 11

Title Firm Sues Bank Over $207k Cyberheist

A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.

Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.

The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes prior to the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.

When Aurora visited the bank local Chase branch to get assistance, she was told she needed to deal with the bank’s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1.

Capital One declined to comment for this story, citing the ongoing litigation.

Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.

Continue reading →


4
Oct 11

ZeuS Trojan Gang Faces Justice

Authorities in the United Kingdom have convicted the 13th and final defendant from a group arrested last year and accused of running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the help of the ZeuS banking Trojan. The news comes days after U.S. authorities announced the guilty plea of the 27th and final individual arrested last year in New York in a related international money-laundering scheme.

Yevhen Kulibaba

Yevhen Kulibaba

According to the Metropolitan Police, the U.K. courts have convicted 13 members of the gang, including four who were profiled last year by KrebsOnSecurity shortly after their initial arrest and charging. The gang is thought to have used the ZeuS Trojan to steal nearly £3 million (USD $4.6M) from banks in the U.K.. They are believed to be responsible for aiding in the theft of at least USD $3 million from U.S. banks and businesses in the past two years.

Karina Kostromina

Among those convicted were the husband-and-wife ringleaders of the gang, 33-year-old Ukrainian property developer Yevhen Kulibaba, and his wife, Karina Kostromina, 34. According to British prosecutors, the two lived a “jet set” lifestyle and spent money on holidays, cars and property. Kostromina was cleared of conspiracy charges but convicted of money laundering, and sentenced this week to two years in prison. Kulibaba is awaiting sentencing on charges of conspiracy to defraud.

Continue reading →


3
Oct 11

Monster Spam Campaigns Lead to Cyberheists

Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small to medium sized organizations took the bait.

These fake NACHA lures were mailed the week of Sept. 19, even though the sent date on the message says Aug. 3. Source: Commtouch.

Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” — malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

Using NACHA’s name as bait is doubly insulting because victims soon find new employees — money mules — added to their payroll. After adding the mules, the thieves use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds (minus a commission) overseas.

On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama. John Ziak, director of information technology at the center, said he suspects the organization’s accounting firm was the apparent source of the compromise. That means other clients may also have been victimized. He declined to name the accounting firm.

Continue reading →


29
Aug 11

Experienced Money Mule, Will Travel

I’ve written a great deal about “money mules,” people looking for part-time employment who unwittingly or willingly help organized cyber thieves launder stolen funds. The most common question I get about money mules is: “Do any of them ever get prosecuted?” The answer is generally “no” because it’s hard to prove that these mules weren’t scammed. But recently, I encountered a mule who made it abundantly clear that he understood exactly what he was doing.

A complicit mule negotiating a new deal.

In June 2011, I was investigating an online banking heist against a company called Jackson Properties. Thieves had broken into Jackson’s computers and stolen the firm’s online banking credentials. They added a half dozen money mules to the company’s payroll account, using mules they’d acquired from a gang I call the Back Office group. This mule gang uses multiple bogus corporate names, and the Back Office front company that supplied the mules in this attack was called AMR Company.

Reginald, a 45-year-0ld Texas resident, was among the mules hired by AMR Company. Reggie communicated with the mule recruiters by logging into a Web site set up by the fake company, and checking for new messages. A source who had figured out how to view the administrator’s account (and hence, all messages on the server) sent me some choice screenshots from several mule communications.

On June 7, the mule recruiters sent Reginald a transfer of $4,910, claiming that Jackson Properties was its client. Reginald was to withdraw the money in cash and wire it overseas, minus a small commission. The payment never landed in his account; it was blocked when Jackson detected the fraudulent transactions and worked with its bank to get them reversed.

But that apparently did not deter our Reginald, who told his recruiter and manager at AMR Company that he understood the whole thing was a scam, and that he had done this sort of thing before. He said he was ready and willing to open additional bank accounts to help with future fraud schemes.

On June 8, Reggie signed into his account at AMR Company and wrote the following to Sarah, his erstwhile boss:

“Let me say from the start. I knew what this was about. I’ve had success working with others like yourself in the past, especially comrades from Russia. I know this game well. If you want to have an ally in the US, I’m your guy. I have more accounts. I’d like us to try again, with another account…Listen Sarah, I am all for making some money. I couldn’t care less about our banking system, anything we can get out [sic] it. Lets [sic] do it. I cant do this without you. I can open up accounts in different names, that’s easy for me. But I have no way of funding them like you do. Think it over and see if there’s a way we can make some money. Even if we only succeed one time…we will still succeeded. I have another account ready to go. Respond to me and I will send you the name, routing, account num, etc.”

Continue reading →


16
Aug 11

eThieves Steal $217k from Arena Firm

Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

Lea French, MECA’s chief financial officer, said the trouble began when an employee with access to the organization’s online accounts opened a booby-trapped email attachment containing password-stealing malware.

The attackers used MECA’s online banking credentials to add at least six people to the payroll who had no prior business with the organization. Those individuals, known as “money mules,” received fraudulent transfers from MECA’s bank account and willingly or unwittingly helped the fraudsters launder the money.

French said the attackers appeared to be familiar with the payroll system, and wasted no time setting up a batch of fraudulent transfers.

“They knew exactly what they were doing, knew how to create a batch, enter it in, release it,” she said. “They appear to be very good at what they do.”

Prior to the heist, MECA refused many of the security options offered by its financial institution, First National Bank of Omaha, including a requirement that two employees sign off on every transfer.

“We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us,” French said. “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”

MECA was able to reverse an unauthorized wire transfer for $147,000 that was destined for a company called Utopia Funding U.S.A. The organization was not as lucky with the remaining transfers.

The funds stolen from MECA were sent to money mules recruited through fraudulent work-at-home job offers from a mule recruitment gang that I call the “Back Office Group.” This gang is one of several money mule recruitment outfits, and they appear to be among the most active. Like many other mule gangs, they tend to re-use the same format and content for their Web sites, but change their company names whenever the major search engines start to index them with enough negative comments to make mule recruitment difficult.

The mules used in the MECA heist were recruited through a Back Office Group front company named AV Company. Mules were told they were helping the company’s overseas software engineers get paid for the work they were doing for American companies. In reality, the mules were being sent payments to transfer that were drawn on hacked accounts from victims like MECA.

More than $9,000 of MECA’s money was sent to Erik Rhoden, a resident of Fleming Island, Fla. Rhoden was recruited in June by the Back Office Group. Rhoden successfully transferred the funds to three individuals in Eastern Europe, but says he didn’t profit from the work. His story matches that of other mules recently recruited by Back Office, and indicates a devious shift in tactics which ensures that mules never receive a payment for their work.

Continue reading →


8
Aug 11

Judge Nixes Patco’s eBanking Fraud Case

A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.

Sanford, Maine based Patco Construction sued Ocean Bank in 2009, alleging poor security after a $588,000 cyber heist. Patco sued to recover its losses, arguing in part that the bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.

On Thursday, the judge presiding over the lawsuit affirmed that recommended decision (PDF), ruling that no further proceedings were necessary. Patco’s attorney Dan Mitchell said the company has 30 days to file an appeal, but that it hasn’t yet decided whether to challenge the decision. Continue reading →


28
Jul 11

Trojan Tricks Victims Into Transferring Funds

It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account.

The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.

When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

Continue reading →


25
Jul 11

Calif. Co. Sues Bank Over $465k eBanking Heist

A California real estate escrow company that lost more than $465,000 in an online banking heist last year is suing its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.

The plight of Redondo Beach, Calif. based Village View Escrow, first publicized by KrebsOnSecurity last summer, began in March 2010. That’s when organized crooks broke into the firm’s computers and bank accounts, and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Village View’s bank, Professional Business Bank of Pasadena, Calif., relied on third-party service provider NetTeller, which allowed commercial customers to authenticate to the bank’s site with little more than a username and password. Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.

The attack on Village View demonstrates the sophistication of malicious software like the ZeuS Trojan. The thieves disguised a banking Trojan as a UPS shipping receipt, and the company’s owner acknowledged opening the attachment and forwarding it to another employee who also viewed the malware-laced file. Once inside Village View’s systems, the attackers apparently disabled email notifications from the bank.

Nevertheless, Village View’s lawsuit challenges Professional Bank’s claims that its systems used “multi-factor,” and “state-0f-the-art” ebanking systems, and accuses the bank of negligence for not having procedures to help the company recover the fraudulent transfers.

Continue reading →


19
Jul 11

eBanking Theft Costs Town of Eliot, Me. $28k

Organized cyber thieves stole more than $28,000 from a small New England town last week. The case once again highlights the mismatch between the sophistication of today’s attackers and the weak security measures protecting many commercial online banking accounts.

On July 11, 2011, I alerted the town controller of Eliot, Maine that its accounts were probably being raided by computer crooks in Eastern Europe. I had heard from a “money mule,” an individual who was recruited through a work-at-home job scam to help the thieves launder money. He had misgivings about a job he had just completed for his employer. The job involved helping to move almost $5,000 from one of his employer’s “clients” to individuals in Ukraine. The receipt his employer emailed to him along with the money transfer said the client was “Town of Eliot, Ma.”

Norma Jean Spinney, the town controller, said she immediately alerted the town’s financial institution, TD Bank, but the bank couldn’t find any unusual transactions. Spinney said that three days later she received a call from TD Bank, notifying the town of a suspicious batch of payroll direct deposits totaling more than $28,000. TD Bank may have had a chance to stop this robbery, but apparently they dropped the ball.

Nevertheless, the town is not likely to see the stolen money again. Unlike consumers, organizations are not protected against online banking losses from cyber fraud. What’s more, a forensic analysis by a local IT firm showed that Spinney’s PC was infected with at least two banking Trojans at the time of the heist.

TD Bank spokeswoman Jennifer Morneau declined to discuss the incident, citing customer confidentiality policies.

Continue reading →


29
Jun 11

Regulators Issue Updated eBanking Security Guidelines

Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today’s sophisticated online attackers.

The new guidance updates “Authentication in an Internet Banking Environment,” a document released in 2005 by the Federal Financial Institutions Examination Council (FFIEC) for use by bank security examiners. The 2005 guidance has been criticized for being increasingly irrelevant in the face of current threats like the password-stealing ZeuS Trojan, which can defeat many traditional customer-facing online banking authentication and security measures. The financial industry has been expecting the update since December 2010, when a draft version of the guidelines was accidentally leaked.

The document released today (PDF) recognizes the need to protect customers from newer threats, but stops short of endorsing any specific technology or approach. Instead, it calls on banks to conduct more rigorous risk assessments,  to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in banking online.

“Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts,” the FFIEC wrote. “Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls.”

The 2005 guidelines drew little distinction between precautions a bank should take to protect consumer and commercial accounts, but the supplement makes clear that online business transactions generally involve much higher level of risk to financial institutions and commercial customers. It calls for “layered security programs” to deal with these riskier transactions, such as:

-methods for detecting transaction anomalies;

-dual transaction authorization through different access devices;

-the use of out-of-band verification for transactions;

-the use of “positive pay” and debit blocks to appropriately limit the transactional use of an account;

-“enhanced controls over account activities,” such as transaction value thresholds, payment recipients, the number of transactions allowed per day and allowable payment days and times; and

-“enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.”

Continue reading →