Cyber Crooks Target Public & Private Schools
A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities.
On the morning of Aug. 17, hackers who had broken into computers at the Sanford School District in tiny Sanford, Colorado initiated a batch of bogus transfers out of the school's payroll account. Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams.
A school employee spotted the bogus payments on the morning of Aug. 19, by which point $117,000 had been siphoned from the district's accounts.
Sanford Superintendent Kevin Edgar said the school successfully reversed two of the transfers totaling $18,000, but that the rest of the stolen money remains in limbo.
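The pattern in the Sanford case, a batch of transfers each kept just under $10,000 and sent to payees the payroll account had never paid before, is mechanical enough to screen for before a batch is released. What follows is an added example, not code from the original article or from any of the districts or banks involved: a Python screen over a constructed payroll batch. The $10,000 threshold, the "just under" band, the list of previously paid accounts and every record in the sample batch are assumptions made for illustration.

```python
"""
Added example (not from the original article): screen a payroll/ACH batch
for the money-mule pattern described above, i.e. many transfers, each kept
just below a reporting threshold, to payees the account has never paid.
All payee identifiers and records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

THRESHOLD = 10_000.00   # assumed reporting threshold the attackers stayed under
NEAR_BAND = 0.20        # "just under": within 20% below the threshold
MIN_SUSPECT = 5         # near-threshold payments to new payees needed to flag a day

# Constructed history: (routing, account) pairs this payroll account has paid before.
KNOWN_PAYEES = {
    ("021000021", "111111"),
    ("021000021", "222222"),
    ("026009593", "333333"),
}

# Constructed ACH batch: (timestamp, routing, account, amount, memo).
# The first three rows look like ordinary payroll; the rest mimic mule payouts.
SAMPLE_BATCH = [
    ("2009-08-17 06:02", "021000021", "111111", 2310.55, "payroll"),
    ("2009-08-17 06:02", "021000021", "222222", 1987.10, "payroll"),
    ("2009-08-17 06:03", "026009593", "333333", 2644.00, "payroll"),
    ("2009-08-17 06:04", "121000248", "900001", 9870.00, "payroll"),
    ("2009-08-17 06:04", "121000248", "900002", 9450.00, "payroll"),
    ("2009-08-17 06:05", "322271627", "900003", 9900.00, "payroll"),
    ("2009-08-17 06:05", "322271627", "900004", 9725.00, "payroll"),
    ("2009-08-17 06:06", "011000138", "900005", 9600.00, "payroll"),
    ("2009-08-17 06:06", "011000138", "900006", 9980.00, "payroll"),
]


def is_near_threshold(amount, threshold=THRESHOLD, band=NEAR_BAND):
    """True when `amount` sits just below `threshold` (within `band` of it)."""
    return threshold * (1 - band) <= amount < threshold


def screen_batch(batch, known_payees, threshold=THRESHOLD,
                 band=NEAR_BAND, min_suspect=MIN_SUSPECT):
    """Return a per-day report for `batch`.

    A day is flagged when at least `min_suspect` payments are both
    near-threshold and addressed to payees absent from `known_payees`.
    Each report entry carries the suspect rows so an operator can hold
    just those items rather than the whole payroll run.
    """
    by_day = defaultdict(list)
    for ts, routing, account, amount, memo in batch:
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M").date().isoformat()
        by_day[day].append((routing, account, amount, memo))

    report = {}
    for day, rows in sorted(by_day.items()):
        suspects = [
            (routing, account, amount)
            for routing, account, amount, _memo in rows
            if (routing, account) not in known_payees
            and is_near_threshold(amount, threshold, band)
        ]
        batch_total = sum(row[2] for row in rows)
        suspect_total = sum(amount for _r, _a, amount in suspects)
        report[day] = {
            "flagged": len(suspects) >= min_suspect,
            "suspect_count": len(suspects),
            "suspect_total": suspect_total,
            "batch_total": batch_total,
            # Share of the day's dollars headed to never-before-seen accounts.
            "new_payee_share": (suspect_total / batch_total) if batch_total else 0.0,
            "suspects": suspects,
        }
    return report


if __name__ == "__main__":
    for day, entry in screen_batch(SAMPLE_BATCH, KNOWN_PAYEES).items():
        status = "HOLD" if entry["flagged"] else "ok"
        print(f"{day}: {status} {entry['suspect_count']} near-threshold payments "
              f"to new payees, ${entry['suspect_total']:,.2f} of "
              f"${entry['batch_total']:,.2f} ({entry['new_payee_share']:.0%})")
```

The two signals are deliberately combined: a new payee alone is routine (new hires), and a single near-threshold payment alone is routine (a bonus), but a run of both in one batch is the mule payout shape. Tune `NEAR_BAND` and `MIN_SUSPECT` to the account's real payroll history before relying on it.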
"We've been told that if we do get any more of these reversed, it may take 30 to 45 days to get that money back," Edgar said. Meanwhile, the school district's bank is playing hardball, insisting that the school is at fault for the unauthorized transfers.
The attack could mean fewer resources for the rural school district, which serves just 340 children. "That amount of money comes down to financing projects, such as maybe buying a new school bus, or updating our playground," Edgar said. "Those are the types of things that this missing money will have an impact on."
Technically, the bank is correct. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges. In contrast, organizations and companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.
Some schools that have been hit by similar attacks have been luckier: They happen to bank with institutions that have decided that the potential public relations hit from being stingy with a school district may be more costly than simply eating the cost of the fraud.
Such was the case with the Sand Springs, Okla. school district, which was attacked by a cyber gang the week prior, on Aug. 11. Sand Springs Superintendent Lloyd Snow said thieves stole roughly $150,000 after breaking into the district's online bank account and setting up two batches of fraudulent transfers.
Snow said the school was able to prevent about $80,000 worth of those transfers from going through, and that its bank agreed to cover the rest of the losses.
For now, Snow said, the school district is accessing its bank accounts via a dedicated, stand-alone system running a Live CD distribution of Linux, in a bid to minimize the chances that future malware may steal banking credentials. Because a Live CD boots from read-only media, any malicious software that lands on the system during a session cannot persist, and all changes are discarded when the system is shut down; it does not, however, protect credentials entered into a phishing page or a compromised bank site, so it narrows the problem rather than eliminating it.
"In our business, we're about teaching and learning, and in some cases we get lessons where we're the ones who need to learn a thing or two," Snow said. "This is one of those cases."
Also hit was Marian University, a Catholic university in Fond du Lac, Wisc. On Aug. 5, the thieves stole more than $189,000 by initiating bogus payroll transfers to 20 money mules. Marian Provost Dan Maloney said the school was able to recover just $54,000.
The thefts all appear related in at least one respect. With the help of the victims interviewed in this story, Security Fix was able to track down mules who said they were involved in each of the scams. All said they had been recruited via e-mail to sign up as "financial agents" at a company called Focus Group Inc. According to a write-up by money mule site tracker Bob Harrison, the Focus Group Web site may look legit, but is "just the latest of the numerous highly generic Russian scam websites that has been set up to form a front for a money laundering fraud job advertisement."
No one from Focus Group replied to Security Fix's attempts for comment.
At least two other mules contacted by Security Fix acknowledged receiving sub-$10,000 payments from accounts at the Sycamore Community Unit School District #427 in Sycamore, Ill., in mid-July. Sycamore Superintendent Wayne Riesen confirmed that the school district had experienced a breach at that time, but declined to comment further, except to say that the FBI was investigating the incident.
Update, 11:15 a.m. ET: The Senate Homeland Security and Governmental Affairs Committee is holding a hearing right now on this very topic, how "the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars." The hearing is being streamed live at this link.
Update, Sept. 28, 11:04 p.m. ET: A story today in the Northwest Herald, a local news outlet for the McHenry County, Illinois area, follows up on the Sycamore Schools hack mentioned above, quoting school officials as saying thieves stole about $425,000 with the help of the Clampi Trojan. The school district has recovered some of the stolen funds, but is still out around $300,000.
September 14, 2009; 8:00 AM ET
Categories: Fraud , Latest Warnings , Safety Tips , Small Business Victims | Tags: focus group, money mules