Posts Tagged: TD Bank


27
Apr 17

Blind Trust in Email Could Cost You Your Home

The process of buying or selling a home can be extremely stressful and complex, but imagine the stress that would boil up if — at settlement — your money was wired to scammers in another country instead of to the settlement firm or escrow company. Here’s the story about a phishing email that cost a couple their home and left them scrambling for months to recover hundreds of thousands in cash that went missing.

It was late November 2016, and Jon and Dorothy Little were all set to close on a $200,000 home in Hendersonville, North Carolina. Just prior to the closing date on Dec. 2 their realtor sent an email to the Little’s and to the law firm handling the closing, asking the settlement firm for instructions on wiring the money to an escrow account.

The fraudulent wire instructions apparently sent by the hackers via the settlement law firm.

The fraudulent wire instructions apparently sent by the hackers via the settlement law firm.

An attorney with the closing firm responded with wiring instructions as requested, attaching a document that had the law firm’s logo and some bank account information that was represented as the seller’s account number. The Little’s realtor sent the wire on Thursday morning, the day before settlement.

“We went to closing at 1 p.m. on Friday, and after we signed all the papers, we asked the lawyers if we were going to get back the extra money we had sent them, because they hadn’t be able to give us an exact amount in the wiring instructions. At that point they told us they had never gotten the money.”

After some disagreement, both legitimate parties to the transaction agreed that someone’s email had been hacked by the fraudsters, and was used to divert the wired funds to an account the criminals controlled. The hackers had forged a copy of the law firm’s letterhead, and beneath it placed their own Bank of America account information (see screen shot above).

The owner of the Bank of America account appears to have been a willing or unwitting accomplice — also know as a “money mule” — recruited through work-at-home job schemes to receive and forward funds stolen from hacked business accounts. In this case, the money mule wired all but 10 percent of the money (a typical money mule commission) to an account at TD Bank.

Fortunately for the Littles, the FBI succeeded in having the resulting $180,000 wire transfer frozen once it hit the TD Bank account. However, efforts to recover the stolen funds were stymied immediately when the Littles’ credit union refused to give Bank of America a so-called “hold harmless” agreement that the bigger bank wanted as a legal guarantee before agreeing to help.

Charisse Castagnoli, an adjunct professor of law at the John Marshall Law School, said banks have a fiduciary duty to their customers to honor their requests in good faith, and as such they tend to be very nervous legally about colluding with another bank to reverse payment instructions by one of their own customers. The “hold harmless” agreement is usually sought by the bank which received a fraudulent wire transfer, Castagnoli said, and it requires the responding bank to assume any and all liability for costs that the requesting bank may later incur should the owner of account which received the fraudulent wire decide to dispute the payment reversal.

“When it comes to wire fraud cases the banks have to move very quickly because once the wires make it outside the U.S. to foreign banks, the money is usually as good as gone,” Castagnoli said. “The receiver or transferee usually insists on a hold harmless agreement because they’re moving the money on behalf of their own account holder, kind of going against their own client which is a big ‘no-no’ when you’re a fiduciary.”

But in this case, the credit union in which the Littles had invested virtually all of their money for more than 40 years decided it could not in good faith provide that hold harmless agreement, because doing so would stipulate that the credit union affirms the victim (the Littles) hadn’t willingly and knowing initiated the wire, when in fact they had.

“I talked to the wire dept multiple times,” Mr. Little said of the folks at his financial institution, Atlanta, Ga.-based Delta Community Credit Union (DCCU). “They finally put me through to the vice president of loss prevention at the credit union. I’m not sure they even believed all that was going on. They finally came back and told me they couldn’t do it. Their rules would not allow them to send a hold harmless letter because I had asked them to do something and they had done it. They had a big meeting last week with apparently the CEO of the credit union and several other people. Then they called me on Monday again and told me they would not could not do it.” Continue reading →


21
Jul 16

Canadian Man Behind Popular ‘Orcus RAT’

Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here’s the story of how I learned the real-life identity of Canadian man who’s laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else’s computer.

Earlier this week I heard from Daniel Gallagher, a security professional who occasionally enjoys analyzing new malicious software samples found in the wild. Gallagher said he and members of @malwrhunterteam and @MalwareTechBlog recently got into a Twitter fight with the author of Orcus RAT, a tool they say was explicitly designed to help users remotely compromise and control computers that don’t belong to them.

A still frame from a Youtube video showing Orcus RAT's keylogging ability to steal passwords from Facebook users and other credentials.

A still frame from a Youtube video demonstrating Orcus RAT’s keylogging ability to steal passwords from Facebook and other sites.

The author of Orcus — a person going by the nickname “Ciriis Mcgraw” a.k.a. “Armada” on Twitter and other social networks — claimed that his RAT was in fact a benign “remote administration tool” designed for use by network administrators and not a “remote access Trojan” as critics charged. Gallagher and others took issue with that claim, pointing out that they were increasingly encountering computers that had been infected with Orcus unbeknownst to the legitimate owners of those machines.

The malware researchers noted another reason that Mcgraw couldn’t so easily distance himself from how his clients used the software: He and his team are providing ongoing technical support and help to customers who have purchased Orcus and are having trouble figuring out how to infect new machines or hide their activities online.

What’s more, the range of features and plugins supported by Armada, they argued, go well beyond what a system administrator would look for in a legitimate remote administration client like Teamviewer, including the ability to launch a keylogger that records the victim’s every computer keystroke, as well as a feature that lets the user peek through a victim’s Web cam and disable the light on the camera that alerts users when the camera is switched on.

A new feature of Orcus announced July 7 lets users configure the RAT so that it evades digital forensics tools used by malware researchers, including an anti-debugger and an option that prevents the RAT from running inside of a virtual machine.

Other plugins offered directly from Orcus’s tech support page (PDF) and authored by the RAT’s support team include a “survey bot” designed to “make all of your clients do surveys for cash;” a “USB/.zip/.doc spreader,” intended to help users “spread a file of your choice to all clients via USB/.zip/.doc macros;” a “Virustotal.com checker” made to “check a file of your choice to see if it had been scanned on VirusTotal;” and an “Adsense Injector,” which will “hijack ads on pages and replace them with your Adsense ads and disable adblocker on Chrome.”

WHO IS ARMADA?

Gallagher said he was so struck by the guy’s “smugness” and sheer chutzpah that he decided to look closer at any clues that Ciriis Mcgraw might have left behind as to his real-world identity and location. Sure enough, he found that Ciriis Mcgraw also has a Youtube account under the same name, and that a video Mcgraw posted in July 2013 pointed to a 33-year-old security guard from Toronto, Canada.

ciriis-youtubeGallagher noticed that the video — a bystander recording on the scene of a police shooting of a Toronto man — included a link to the domain policereview[dot]info. A search of the registration records attached to that Web site name show that the domain was registered to a John Revesz in Toronto and to the email address john.revesz@gmail.com.

A reverse WHOIS lookup ordered from Domaintools.com shows the same john.revesz@gmail.com address was used to register at least 20 other domains, including “thereveszfamily.com,” “johnrevesz.com, revesztechnologies[dot]com,” and — perhaps most tellingly —  “lordarmada.info“.

Johnrevesz[dot]com is no longer online, but this cached copy of the site from the indispensable archive.org includes his personal résumé, which states that John Revesz is a network security administrator whose most recent job in that capacity was as an IT systems administrator for TD Bank. Revesz’s LinkedIn profile indicates that for the past year at least he has served as a security guard for GardaWorld International Protective Services, a private security firm based in Montreal.

Revesz’s CV also says he’s the owner of the aforementioned Revesz Technologies, but it’s unclear whether that business actually exists; the company’s Web site currently redirects visitors to a series of sites promoting spammy and scammy surveys, come-ons and giveaways. Continue reading →


19
Jul 11

eBanking Theft Costs Town of Eliot, Me. $28k

Organized cyber thieves stole more than $28,000 from a small New England town last week. The case once again highlights the mismatch between the sophistication of today’s attackers and the weak security measures protecting many commercial online banking accounts.

On July 11, 2011, I alerted the town controller of Eliot, Maine that its accounts were probably being raided by computer crooks in Eastern Europe. I had heard from a “money mule,” an individual who was recruited through a work-at-home job scam to help the thieves launder money. He had misgivings about a job he had just completed for his employer. The job involved helping to move almost $5,000 from one of his employer’s “clients” to individuals in Ukraine. The receipt his employer emailed to him along with the money transfer said the client was “Town of Eliot, Ma.”

Norma Jean Spinney, the town controller, said she immediately alerted the town’s financial institution, TD Bank, but the bank couldn’t find any unusual transactions. Spinney said that three days later she received a call from TD Bank, notifying the town of a suspicious batch of payroll direct deposits totaling more than $28,000. TD Bank may have had a chance to stop this robbery, but apparently they dropped the ball.

Nevertheless, the town is not likely to see the stolen money again. Unlike consumers, organizations are not protected against online banking losses from cyber fraud. What’s more, a forensic analysis by a local IT firm showed that Spinney’s PC was infected with at least two banking Trojans at the time of the heist.

TD Bank spokeswoman Jennifer Morneau declined to discuss the incident, citing customer confidentiality policies.

Continue reading →


4
Oct 10

Hackers Steal $600,000 from Brigantine, NJ

Organized cyber thieves took roughly $600,000 from the coastal city of Brigantine, New Jersey this week after stealing the city’s online banking credentials.

The break-in marks the second time this year that hackers have robbed the coffers of an Atlantic County town: In March, a similar attack struck Egg Harbor Township, N.J., which lost $100,000 in a similar intrusion.

Like the Egg Harbor incident and dozens of others documented here, the loot from the Brigantine heist was sent to multiple “money mules,” willing or unwitting people hired through work-at-home job offers to help computer crooks launder stolen cash.

Brigantine City officials said the incident began sometime before 6 p.m. on September 28th, when TD Bank notified city finance officers that multiple wire transfers had been made from its accounts. Brigantine Police’s Lt. James Bennett said in a written statement:

“Unknown person(s) had apparently obtained a user name and password for the city’s main TD Bank account when our finance personnel attempted to login (through either a fake Web page or an undetectable virus). Then several wire transfers were started with amounts ranging from a few thousand to over $300,000, for a total of about $600,000. The last update from TD Bank was that they were able to recall approximately $400,000 in transfers and were working on recalling the remainder. The investigation is being handled by the FBI, New Jersey State Police with the Brigantine Police Department and TD Bank security.”

The attack occurred in the middle of a week in which federal officials announced dozens of arrests and charges against money mules and the organized criminals responsible for orchestrating these types of break-ins. While it’s unclear whether those responsible for the attack on Brigantine were apprehended or charged this week, the method by which the thieves made off with at least some of the loot bears the same fingerprint as past breaches, including the Egg Harbor attack.

Continue reading →