PC Invader Costs Ky. County $415,000
Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks.
Bullitt County Attorney Walt Sholar said the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country (some individuals received multiple payments). On June 29, the county's bank realized something was wrong, and began requesting that the banks receiving those transfers start reversing them, Sholar said.
"Our bank told us they would know by Thursday how many of those transactions would be able to be reversed," Sholar said. "They told us they thought we would get some of the money back, they just weren't sure how much."
Sholar said the unauthorized transfers appear to have been driven by "some kind computer virus." Security Fix has been communicating with a cyber crime investigator who is familiar with the case. What follows is a description of the malicious software used, a blow-by-blow account of how the attackers worked the heist, as well interviews with a couple of women hired to receive the stolen funds and forward the money on to fraudsters in Ukraine. This case also serves as an example of how e-mail scams can be used to dupe unknowing victims in serving as accomplices in their plan.
According to my source, who asked not to be identified because he's still investigating different sides of this case, the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.
Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives. By connecting through the victim's PC or Internet connection, the bad guys can avoid raising any suspicions.
Also, the process of creating and approving outgoing wire transfers from the county's account could not be completed without two different authorized users signing off on the transaction. In the case of Bullitt County, that checks-and-balances system was designed to be carried out by the county treasurer and a local judge.
Finally, if for whatever reason the bank's system noticed that either account was being used from a PC with an unknown fingerprint, that login attempt would fail, and that user would be prompted to check their e-mail account for a special, one-time passphrase that would need to be re-entered along with the username and password, in order to gain access to the account.
According to the investigator, the attack against Bullitt County's bank account went down like this:
- The attackers somehow got the Zeus Trojan on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account.
- The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection.
- Once logged in, the criminals changed the judge's password, as well as e-mail address tied to the judge's account, so that any future notifications about one-time passphrases would be sent to an e-mail address the attackers controlled.
- They then created several fictitious employees of the county (these were the 25 real-life, co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved.
- The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an e-mail with the challenge passphrase to an e-mail address the attackers controlled.
- The attackers then retrieved the passphrase from the e-mail, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.
When asked to comment on this version of events, County Attorney Sholar said he was limited in what he could say, because the FBI had asked him not to discuss details of the case. But he did say that "We know there were initiations and approvals for wire transfers that were both generated and sent to the bank by computers that were physically located outside of the state of Kentucky."
The Role of the Money Mules - Scammed Into Serving
With the help of the cyber crime investigator, I was able to reach two of the 25 so-called "money mules" who were hired to act as intermediaries in this scam. Both were females under the age of 35 who initially were contacted after placing their resumes on Careerbuilder.com. Each received e-mails from a company calling itself Fairlove Delivery Service. Both women agreed to speak with Security Fix on the condition of anonymity.
Both were hired by Fairlove to edit documents for grammar and flow, and promised a pay of $8 for each kilobyte of data they processed (see the initial Careerbuilder scam e-mail here). The documents they were hired to edit often were full of grammatical errors and faulty or missing punctuation. Both money mules said it appeared that whoever wrote the letters was not a native English speaker.
It's not clear whether the cyber scammers first enlisted the mules as text editors in order to test their trustworthiness, or because they really needed their help making their scam letters look more believable. What is clear from looking at copies of the letters they were asked to edit, is that they were editing missives that would be sent to recruit and scam other mules. Have a look at some of those yet-to-be-edited messages sent to our anonymous mules, viewable at this link here.
The first person I spoke with, a 34 year-old woman from Miami, had been editing texts e-mailed to her by Fairlove representatives for a couple of weeks. Shortly after she inquired about when she would be paid for her work, she received an e-mail asking if she'd be interested in a position as a "local agent," for the company. The Fairlove representative who contacted her via e-mail said something about how the company often had trouble getting money to its clients overseas as quickly as they needed it, and desperately needed help speeding up that process (at least they were honest on that claim). A description of the local agent job position, as sent to this woman, is available here.
Last Thursday, she received a deposit of more than $9,900, with instructions to wire all but about $500 (her 5 percent "commission") via Western Union to a bank account in Ukraine. The woman said she began to grow suspicious that "something wasn't right about the whole thing," and only wired $3,000 of the money. After being contacted by Security Fix about the scam, she learned from her bank that her account was frozen. Her bank assured her if she could come in and produce the e-mails showing she'd been caught up in a scam, they might be able to work something out.
The second woman I spoke with, a 27-year-old single mom, also from Florida, was not so lucky. She had more than $9,700 transferred into her checking account from Bullitt County's bank by the fraudsters on Monday. She pulled nearly all of that amount out of her bank almost immediately, wiring nearly $9,200 to the scammers in the Ukraine. Shortly after that, her bank reversed the initial $9,700 deposit at the request of Bullitt County's bank. Her bank now says she is on the hook for that amount: her checking account balance is now almost $9,000 in the red.
Here are a couple of observations and tips so you don't get scammed, however obvious they may be:
- Avoid responding to job offers sent via e-mail. If you use job search Web sites like Monster.com and CareerBuilder.com, at least be aware that criminal gangs use these sites also, to recruit the desperate, unwary, and the greedy.
- If you get in bed with a company that you haven't even researched on Google, expect to regret that decision: A search on Fairlove Delivery Service returns little but page after page of complaints from other job searchers scammed by these criminals.
- Avoid clicking on links in e-mails that you are not expecting, and be particularly wary of any e-mail that warns of dire consequences unless you act or respond immediately. The malware used to infect Bullitt County's computers was part of a huge Zeus/Zbot spam campaign that has been ongoing for the past several weeks now, variously disguised as alerts about greeting cards, package tracking numbers, and security updates from Microsoft.
- The last time I wrote about money mule scams, some readers wrote in to say, in effect: "The mules were stupid: They should have just taken ALL of the money." These readers miss the fundamental point about these scams that the bad guys understand all too well: it's all about the timing. The bank will always recall the deposit. It's just a matter of when.
- Be extremely wary -- nay, run away from -- any transaction in which the other party asks you to convert a revocable transaction into an irrevocable one. Hard cash sent via Western Union, Moneygram and other wire transfer services, is an example of an irrevocable transaction: Once it's done, there's no undoing it. On the other hand, checks can be canceled, and deposits can be reversed.
July 2, 2009; 5:14 PM ET
Categories: Fraud , Safety Tips , Small Business Victims , Web Fraud 2.0 | Tags: $415000, bullitt county kentucky, zeus
Save & Share: Previous: Spam Rates Recovering From 3FN Takedown
Next: Microsoft: Attacks on Unpatched Windows Flaw
Posted by: Ospatt | July 2, 2009 6:35 PM | Report abuse
Posted by: yrral | July 2, 2009 7:31 PM | Report abuse
Posted by: dfolk1 | July 2, 2009 9:49 PM | Report abuse
Posted by: hairguy01 | July 2, 2009 10:26 PM | Report abuse
Posted by: BTKrebs | July 2, 2009 10:49 PM | Report abuse
Posted by: Dawny_Chambers | July 3, 2009 4:56 AM | Report abuse
Posted by: Sadler | July 3, 2009 7:32 AM | Report abuse
Posted by: TwoCentsWrth | July 3, 2009 10:28 AM | Report abuse
Posted by: Sadler | July 3, 2009 11:03 AM | Report abuse
Posted by: williehorton | July 3, 2009 12:11 PM | Report abuse
Posted by: sw11231 | July 3, 2009 1:13 PM | Report abuse
Posted by: nikolasblack | July 3, 2009 4:54 PM | Report abuse
Posted by: xAdmin | July 3, 2009 7:58 PM | Report abuse
Posted by: DupontJay | July 3, 2009 11:45 PM | Report abuse
Posted by: taskforceken | July 4, 2009 2:20 AM | Report abuse
Posted by: myfakeid | July 4, 2009 4:17 AM | Report abuse
Posted by: buckdharma | July 4, 2009 5:48 AM | Report abuse
Posted by: Tojo1 | July 4, 2009 9:54 AM | Report abuse
Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | July 4, 2009 11:59 AM | Report abuse
Posted by: jonsolo11 | July 4, 2009 3:01 PM | Report abuse
Posted by: ietf2000 | July 4, 2009 3:36 PM | Report abuse
Posted by: alexofindy | July 4, 2009 5:25 PM | Report abuse
Posted by: featheredge99 | July 5, 2009 2:18 AM | Report abuse
Posted by: Hoku1 | July 5, 2009 4:10 PM | Report abuse
Posted by: firstname.lastname@example.org | July 5, 2009 10:21 PM | Report abuse
Posted by: dward__ | July 6, 2009 12:33 PM | Report abuse
Posted by: db16 | July 6, 2009 1:13 PM | Report abuse
Posted by: trash3 | July 6, 2009 5:37 PM | Report abuse
Posted by: Beacon2 | July 6, 2009 7:32 PM | Report abuse
Posted by: frantaylor | July 7, 2009 7:58 PM | Report abuse
Posted by: frantaylor | July 7, 2009 8:22 PM | Report abuse
Posted by: jood1 | July 8, 2009 2:28 AM | Report abuse
Posted by: jood1 | July 8, 2009 2:30 AM | Report abuse
Posted by: ryansa09 | July 8, 2009 2:06 PM | Report abuse
Posted by: ryansa09 | July 8, 2009 2:10 PM | Report abuse
Posted by: cfricke | July 9, 2009 1:31 PM | Report abuse
The comments to this entry are closed.