Monday, December 14, 2009
Hackers attempt to take $1.3 million from D.C. firm
Hackers attempt to take $1.3 million from D.C. firm
It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies.
On Nov. 12, I was contacted by a woman in Washington, D.C. who runs a large property management firm. The woman said her company had just been the victim of online banking fraud, but that her board of directors would not let her discuss the incident on the record. Per her request, I am omitting her name and the name of her firm.
The woman said hackers had tried to transfer more than $1.3 million out of her firm's account, but that all three transactions had been stopped. Still, her story is worth telling because it was not a victimless crime, and it shows how attackers are adding yet another layer of complexity to their scams, all in a bid to buy them more time to make off with the loot. In addition, it illustrates how even a security compromise that has been cleaned up can come back to haunt you, and it demonstrates how one weak link in the chain of trust in commercial online banking can be used to attack other organizations.
Most of the fraud against small businesses that I have been chronicling succeeded because the fraudsters were able to steal the victim's online banking credentials and initiate a series of bogus payroll payments directly to so-called money mules, accomplices hired through work-at-home job schemes who are instructed to withdraw the money and wire it overseas (typically minus an eight percent commission).
But according to this woman's bank, the attackers set the unauthorized transfers in motion by using another company's compromised account to initiate a "pull" or withdrawal from her company's bank account. The crooks instructed nearly $1 million to be transferred from the D.C. firm to a company in West Virginia, and about $100,000 was sent to a company in Manteno, Ill. called Bill Anderson Painting.
I caught up with owner Bill Anderson, who acknowledged that his account was the intended recipient of the transfer from the woman's company even though he had never done work for it before. In addition, he said his company was the beneficiary of a large batch of transfers from two other companies that he did not request.
Anderson told Security Fix that his bank suspects that the attackers had used his company's online banking account credentials to initiate the pulls. Once the money was in his account, the criminals then sent some of it in sub-$10,000 chunks to numerous money mules. Anderson said the thieves succeeded in moving about $115,000 out of his account, which is now frozen by his bank pending the outcome of an investigation.
"Now I can't get into it at all, and the balance says negative $115,000," Anderson said. "My bank froze it and closed it. I don't even have access to my own funds anymore."
The system by which organizations move money from one bank account to another is known as the automated clearing house or "ACH" network, and this case is a stellar example of just how automated the ACH network can be, said Rayleen Pirnie, senior manager for fraud and risk mitigation at EPCOR, a not-for-profit association that offers payment risk management education and training to financial institutions.
Pirnie said the ACH system is most typically used for credits - such as when a company wants to directly deposit an employee's paycheck. But it can also be used for debits or pulls, which can be initiated by any entity with access to the ACH network, provided that entity knows the target's account and routing numbers.
"Unfortunately, there is no policing of that activity because it's an electronic environment," Pirnie said. "So instead of pushing money, which is what most of the criminals groups do through the payroll portion of ACH, they're utilizing another option in the service to credit their account and debit someone else's."
Pirnie said it is likely that the thieves knew the account and routing numbers of the Washington, D.C.-based property management firm, but did not have the user name and password that would allow them to push money out of the firm's online bank account directly to the money mules. Rather, she said, they probably used their access to the ACH system to pull the funds to an account they did control.
When asked about this possibility, the woman from the D.C. firm told Security Fix that indeed her company's bank account information had been compromised a few months before this incident: At the time, her firm's bank called to say they'd detected someone logging into the account from an unusual location online. In response, the company was given a new online banking user name and password, and it tossed out the compromised PC. The company's bank account and routing numbers, however, remained the same.
Pirnie said this type of ACH fraud involving unauthorized pulls is becoming more common, citing a recent case she helped investigate involving a $1.7 million loss at a large company in New Jersey. In that case, the thieves initiated a pull from a small veterinary clinic in Ohio whose online banking credentials they had compromised using a password-stealing Trojan horse program.
"In that case, it looks like the criminals only knew how to operate or only had access to one ACH cash management system but not the other," Pirnie said.
Pirnie said organizations can protect themselves from fraudulent pulls by asking their bank to disallow pulls altogether. Still, she said, companies can best protect themselves against ACH fraud by reconciling their accounts daily and by quickly alerting their bank to any fraudulent activity.
It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies.
On Nov. 12, I was contacted by a woman in Washington, D.C. who runs a large property management firm. The woman said her company had just been the victim of online banking fraud, but that her board of directors would not let her discuss the incident on the record. Per her request, I am omitting her name and the name of her firm.
The woman said hackers had tried to transfer more than $1.3 million out of her firm's account, but that all three transactions had been stopped. Still, her story is worth telling because it was not a victimless crime, and it shows how attackers are adding yet another layer of complexity to their scams, all in a bid to buy them more time to make off with the loot. In addition, it illustrates how even a security compromise that has been cleaned up can come back to haunt you, and it demonstrates how one weak link in the chain of trust in commercial online banking can be used to attack other organizations.
Most of the fraud against small businesses that I have been chronicling succeeded because the fraudsters were able to steal the victim's online banking credentials and initiate a series of bogus payroll payments directly to so-called money mules, accomplices hired through work-at-home job schemes who are instructed to withdraw the money and wire it overseas (typically minus an eight percent commission).
But according to this woman's bank, the attackers set the unauthorized transfers in motion by using another company's compromised account to initiate a "pull" or withdrawal from her company's bank account. The crooks instructed nearly $1 million to be transferred from the D.C. firm to a company in West Virginia, and about $100,000 was sent to a company in Manteno, Ill. called Bill Anderson Painting.
I caught up with owner Bill Anderson, who acknowledged that his account was the intended recipient of the transfer from the woman's company even though he had never done work for it before. In addition, he said his company was the beneficiary of a large batch of transfers from two other companies that he did not request.
Anderson told Security Fix that his bank suspects that the attackers had used his company's online banking account credentials to initiate the pulls. Once the money was in his account, the criminals then sent some of it in sub-$10,000 chunks to numerous money mules. Anderson said the thieves succeeded in moving about $115,000 out of his account, which is now frozen by his bank pending the outcome of an investigation.
"Now I can't get into it at all, and the balance says negative $115,000," Anderson said. "My bank froze it and closed it. I don't even have access to my own funds anymore."
The system by which organizations move money from one bank account to another is known as the automated clearing house or "ACH" network, and this case is a stellar example of just how automated the ACH network can be, said Rayleen Pirnie, senior manager for fraud and risk mitigation at EPCOR, a not-for-profit association that offers payment risk management education and training to financial institutions.
Pirnie said the ACH system is most typically used for credits - such as when a company wants to directly deposit an employee's paycheck. But it can also be used for debits or pulls, which can be initiated by any entity with access to the ACH network, provided that entity knows the target's account and routing numbers.
"Unfortunately, there is no policing of that activity because it's an electronic environment," Pirnie said. "So instead of pushing money, which is what most of the criminals groups do through the payroll portion of ACH, they're utilizing another option in the service to credit their account and debit someone else's."
Pirnie said it is likely that the thieves knew the account and routing numbers of the Washington, D.C.-based property management firm, but did not have the user name and password that would allow them to push money out of the firm's online bank account directly to the money mules. Rather, she said, they probably used their access to the ACH system to pull the funds to an account they did control.
When asked about this possibility, the woman from the D.C. firm told Security Fix that indeed her company's bank account information had been compromised a few months before this incident: At the time, her firm's bank called to say they'd detected someone logging into the account from an unusual location online. In response, the company was given a new online banking user name and password, and it tossed out the compromised PC. The company's bank account and routing numbers, however, remained the same.
Pirnie said this type of ACH fraud involving unauthorized pulls is becoming more common, citing a recent case she helped investigate involving a $1.7 million loss at a large company in New Jersey. In that case, the thieves initiated a pull from a small veterinary clinic in Ohio whose online banking credentials they had compromised using a password-stealing Trojan horse program.
"In that case, it looks like the criminals only knew how to operate or only had access to one ACH cash management system but not the other," Pirnie said.
Pirnie said organizations can protect themselves from fraudulent pulls by asking their bank to disallow pulls altogether. Still, she said, companies can best protect themselves against ACH fraud by reconciling their accounts daily and by quickly alerting their bank to any fraudulent activity.
# posted by raveneye @ 11:13 AM 
