Cyber Thieves Steal $447,000 From Wrecking Firm
Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag.
In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes.
Ferma President Roy Ferrari said he learned of the fraud not from his bank but from a financial institution at which several of the mules had recently opened accounts. Ferma employees worked extensively with that bank and several others to reverse the fraudulent transfers before the mules could withdraw the funds, and Ferrari said they were able to block at least $232,000 worth of bogus transfers.
But Ferrari says his bank is withholding at least $50,000 in additional funds it recovered on its own, until he agrees to sign a document saying he won't sue the bank for for the remaining losses
"We're at a bit of an impasse -- kind of a shoving match -- with our bank," Ferrari said. "We've threatened to sue them, so that's probably one of the things that caused them to raise this indemnity agreement."
The fraudsters were able to slip past two-factor authentication used by Ferma's bank, which requires that -- in addition to their user names and passwords -- customers enter a unique code from a supplied USB key fob that generates a new six-digit code every 60 seconds.
The exact type of malicious software that was used in the attack is unknown (Ferrari said the affected computer's hard drive is currently in possession of the FBI). But Ferma manager Rich Parodi said the company's security software found a banking Trojan horse program on the internal system, which had been hacked by the fraudsters and used to initiate the bogus transfers.
Some types of malware, particularly a type of data-stealing Trojan horse programs known as "Zeus," allow the attackers to change the display of a bank's login page as a victim is entering their credentials. For example, when a victim submits his one-time password along with his credentials, the malware may force the browser to return a counterfeit page (still showing the bank's domain name in the URL bar) stating that the bank's site is down for maintenance, please try back again in 15 minutes. Meanwhile, those credentials are not submitted to the bank but instead sent to the attackers.
This tactic is remarkably effective: When an unwitting customer waits as instructed, the thieves use those intercepted credentials to log in as the victim and initiate unauthorized transfers from that account.
Parodi recalled that an employee who handles the company's online account had trouble logging in just hours before the fraudulent transfers were discovered.
"The employee eventually had to reset his password, but by the time we figured out what was happening, the hacker had already withdrawn the money," Perodi said.
Over the past few days, I have interviewed nearly two dozen companies, universities and school districts that have been attacked in the same fashion. While their stories were remarkably similar, each seemed to highlight a different weakness in the modern online commercial banking environment. I will be writing about their experiences in the coming days and weeks, but in the meantime I'd like to offer a few basic security tips for companies that bank online.
-Reconcile your accounts daily. The victimized companies I have interviewed so far that have been most successful in retrieving stolen funds have by and large been those who quickly spotted the fraudulent transfers.
-Ask your bank if you can set up a notification procedure - perhaps approval by phone -- for any transfers that fall outside of your normal online banking activity.
-For employees who need to access your accounts online, consider setting them up with a Mac or Linux system -- or perhaps even a Live CD Distribution of Linux - to minimize the chances of data-stealing malware swiping your company's crown jewels.
September 9, 2009; 11:30 PM ET
Categories: Fraud , Latest Warnings , Safety Tips , Small Business Victims | Tags: ACH fraud, ferma corp, money mules, zeus
Save & Share: Previous: Future Firefox to Nag Users on Insecure Plug-ins
Next: Updates Plug iPhone, QuickTime Security Holes
Posted by: traef06 | September 10, 2009 5:28 AM | Report abuse
Posted by: pga6 | September 10, 2009 11:48 AM | Report abuse
Posted by: Annorax | September 10, 2009 2:08 PM | Report abuse
Posted by: dward__ | September 10, 2009 2:41 PM | Report abuse
Posted by: eiverson1 | September 10, 2009 2:53 PM | Report abuse
Posted by: swalsh1 | September 10, 2009 3:02 PM | Report abuse
Posted by: nl01 | September 10, 2009 10:40 PM | Report abuse
Posted by: sfender | September 11, 2009 11:18 AM | Report abuse
Posted by: chrisp339 | September 11, 2009 12:52 PM | Report abuse
The comments to this entry are closed.