The Growing Threat to Business Banking Online
Federal investigators are fielding a large number of complaints from organizations that are being fleeced by a potent combination of organized cyber crooks abroad, sophisticated malicious software and not-so-sophisticated accomplices here in the United States, Security Fix has learned. The attacks also are exposing a poorly kept secret in the commercial banking business: that companies big and small enjoy few of the protections afforded to consumers when faced with cyber fraud.
Earlier this month, I wrote about Bullitt County, Kentucky, which lost $415,000 after criminals planted malicious software on the county treasurer's PC. That rogue program allowed the crooks to initiate wire transfers to more than two dozen so-called "money mules," people duped into laundering the money and wiring it to the perpetrators in Ukraine.
A few days after that story ran, I heard from a source in federal law enforcement who said the attack against Bullitt County was only the very tip of the iceberg, and that there were many other businesses also losing money in similar cyber attacks. The source, who is familiar with several of these investigations, asked to remain anonymous because he is not authorized to speak with the media.
That same day, news broke that a public school district outside of Pittsburgh, Pa., filed a lawsuit against ESB Bank, a subsidiary of Ellwood City, Pa.-based ESB Financial Corp. The Western Beaver School District charges that crooks used malicious software to siphon more than $700,000 from the school's account at ESB. According to the lawsuit, the funds were transferred in 74 separate transactions over a two-day period, to 42 different individuals who had no prior business with the school.
Since then, I heard from the owners of Slack Auto Parts in Gainesville, Ga., which recently was robbed of nearly $75,000. Slack Auto Parts co-owner Henry Slack said that between July 3 and July 7, cyber intruders used malware planted on the controller's Windows PC. From there, they were able to break into the company's bank accounts, create new user accounts at the bank, and then wire nine payments to at least six different money mules around the country.
The thieves also tried to transfer an additional $69,000 from Slack Auto's account to another eight mules across the United States, but the company's bank was able to block those transfers. Slack said the bank had reversed $14,000 worth of the fraudulent wire transfers, and that he is still working with the bank to try to recover the rest of the bogus transfers.
After the fraudulent transfers, a scan by the company's anti-virus software and a hired cyber security expert turned up no evidence of malware. A second opinion by another cyber fraud investigator found that the company controller's PC had been infected with an extremely stealthy Trojan horse program called "Clampi" (a.k.a. "Ligats" and "Rscan"). The expert determined that the keystroke logging Trojan had resided on the company's systems for more than a year before being used by the attackers.
Mules and Mule Recruiters
Slack said one of the money mules -- a woman from Winston-Salem, N.C. -- actually contacted him when the bank reversed the transfer and pulled slightly less than $10,000 out of her account before she could wire it to fraudsters in Eastern Europe, as she'd been instructed.
"She wanted to know why the money she was expecting had been held up by her bank, and I told her 'Ma'am, that's our money, and it was sent to you without our permission,'" Slack recounted. "She was very helpful after that, giving us all of her information, and an explanation of how she got involved."
The mule told Slack she was recruited via e-mail by a company called The Junior Group. The company's Web site, www.junior-group.cn, states the Junior Group consists of 3,000 employees with headquarters in more than 100 countries of the world.
Junior-Group did not respond to multiple requests for comment sent via e-mail.
Maintaining headquarters in more than 100 countries might seem like a misstatement, but fraud experts say it's typical of money mule recruitment sites, which try their best to look official but often include numerous telltale giveaways, such as false contact information, poor grammar, and statements that don't quite add up or appear poorly translated.
Bob Harrison, who maintains Bobbear.co.uk, one of the largest Internet resources dedicated to tracking money mule recruitment sites, says Junior-Group.cn is just the latest of the numerous, highly generic Russian scam Web sites set up as a front for money laundering.
"It's a bit slicker than most, but at the end of the day its function is to con you into believing that they are a legitimate company," Harrison wrote.
Interestingly, the banner at the top of the Junior Group's Web site (see above image) includes three catch phrases: "Professional Researches;" "Precise and Impartial Approach;" "Individual Customer Support." These three phrases stuck in my head until I remembered where I'd seen them grouped together before: In a Flash advertisement from 2005, advertising credit card fraud services available at now-defunct Carderplanet.com, which was at one time among the largest Russian online forums for the buying and selling of stolen identities and banking data.
Businesses Lack Protection
Fraud experts say these types of attacks illustrate the stark differences in the legal and financial liability that consumers and businesses assume in the face of cyber crime. Consumers who bank online in the United States are protected by Regulation E, which generally holds that consumers are not liable for unauthorized transactions against their bank accounts (provided they don't go more than 60 days without reporting suspicious or unauthorized charges or debits).
However, this provision does not apply to business account holders. If a company gets hacked and someone manages to clean out that firm's bank account, the company's bank is under no obligation to make that customer whole, said Avivah Litan, a banking fraud analyst with research firm Gartner Inc.
Litan said many commercial banks have very little -- if any -- fraud detection mechanisms in place on their automated clearinghouse (ACH) systems, those used to transfer money in and out of customer accounts. Rather, she said, most commercial banks have chosen to place anti-fraud technologies on the front end, such as one-time token requests and other Web-site based security measures.
"ACH is one of the most vulnerable spots in the system, and very few banks have ACH fraud detection, if any," Litan said. "It's a really big deal because the rights of businesses to get their money back [after an incidence of ACH fraud] are weak. If I was a small business banking online right now, I'd switch my company's account from a business account to a personal account. There are fewer features available, but it's a lot safer."
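The gap Litan describes is a back-end one: a check that runs over the outbound transfers themselves rather than at the login page. The following is an added illustration, not code from the article or from any bank, of a simple velocity rule that flags a burst of ACH credits to payees the account has never paid before, the pattern seen at Bullitt County, Western Beaver and Slack Auto. The payee list, transfers, window and thresholds are all constructed and hypothetical.

```python
from datetime import datetime, timedelta

# Constructed baseline: payees this business account has an established history with.
KNOWN_PAYEES = {"ACME Supply", "Payroll Svc", "State Tax"}

# Constructed sample of outbound ACH credits: (timestamp, payee, amount in USD).
# Only mimics the pattern in the article (many transfers to many new individuals
# over a few days); the names and amounts are invented.
SAMPLE_TRANSFERS = [
    ("2009-07-01T09:00", "ACME Supply", 2400.00),
    ("2009-07-02T09:00", "Payroll Svc", 18000.00),
    ("2009-07-03T10:12", "J. Doe", 9800.00),
    ("2009-07-03T10:15", "R. Roe", 9500.00),
    ("2009-07-04T08:40", "M. Moe", 9700.00),
    ("2009-07-05T11:05", "A. Poe", 4000.00),
    ("2009-07-06T14:30", "L. Loe", 9900.00),
    ("2009-07-07T09:55", "K. Koe", 9600.00),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def flag_ach_burst(transfers, known_payees, window_hours=48,
                   max_new_payees=2, max_new_amount=10000.0):
    """Slide a window over transfers to unknown payees; return one alert per
    window start where the count of distinct new payees or their total exceeds
    the (hypothetical) limits. Transfers to known payees are ignored entirely."""
    new = sorted(((parse_ts(t), p, a) for t, p, a in transfers
                  if p not in known_payees), key=lambda r: r[0])
    window = timedelta(hours=window_hours)
    alerts = []
    for i, (start, _, _) in enumerate(new):
        in_win = [r for r in new[i:] if r[0] - start <= window]
        payees = {p for _, p, _ in in_win}
        total = sum(a for _, _, a in in_win)
        if len(payees) > max_new_payees or total > max_new_amount:
            alerts.append({"start": start.isoformat(timespec="minutes"),
                           "new_payees": len(payees), "amount": round(total, 2)})
    return alerts


if __name__ == "__main__":
    for alert in flag_ach_burst(SAMPLE_TRANSFERS, KNOWN_PAYEES):
        print(alert)
```

In practice the alert would hold the batch for out-of-band confirmation with the customer rather than just print; overlapping windows produce one alert each, so a real system would merge them into a single incident.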
For its part, Slack Auto won't be banking online anymore, at least not in any way that could enable the transfer of money.
"We've established a new bank account with a bank that has branches in all of our markets, and it's view-only, it can't be used to do any transactions," Slack said. "We just can't afford to let this happen again."
July 20, 2009; 5:26 PM ET