
Cyber Thieves Steal $447,000 From Wrecking Firm

Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag.

In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes.

Ferma President Roy Ferrari said he learned of the fraud not from his bank but from a financial institution at which several of the mules had recently opened accounts. Ferma employees worked extensively with that bank and several others to reverse the fraudulent transfers before the mules could withdraw the funds, and Ferrari said they were able to block at least $232,000 worth of bogus transfers.

But Ferrari says his bank is withholding at least $50,000 in additional funds it recovered on its own until he agrees to sign a document saying he won't sue the bank for the remaining losses.

"We're at a bit of an impasse -- kind of a shoving match -- with our bank," Ferrari said. "We've threatened to sue them, so that's probably one of the things that caused them to raise this indemnity agreement."

The fraudsters were able to slip past two-factor authentication used by Ferma's bank, which requires that -- in addition to their user names and passwords -- customers enter a unique code from a supplied USB key fob that generates a new six-digit code every 60 seconds.

The exact type of malicious software that was used in the attack is unknown (Ferrari said the affected computer's hard drive is currently in possession of the FBI). But Ferma manager Rich Parodi said the company's security software found a banking Trojan horse program on the internal system, which had been hacked by the fraudsters and used to initiate the bogus transfers.

Some types of malware, particularly a family of data-stealing Trojan horse programs known as "Zeus," allow the attackers to change the display of a bank's login page as a victim is entering his credentials. For example, when a victim submits his one-time password along with his credentials, the malware may force the browser to return a counterfeit page (still showing the bank's domain name in the URL bar) stating that the bank's site is down for maintenance and asking him to try again in 15 minutes. Meanwhile, those credentials are not submitted to the bank but are instead sent to the attackers.

This tactic is remarkably effective: When an unwitting customer waits as instructed, the thieves use those intercepted credentials to log in as the victim and initiate unauthorized transfers from that account.

Parodi recalled that an employee who handles the company's online account had trouble logging in just hours before the fraudulent transfers were discovered.

"The employee eventually had to reset his password, but by the time we figured out what was happening, the hacker had already withdrawn the money," Parodi said.

Over the past few days, I have interviewed nearly two dozen companies, universities and school districts that have been attacked in the same fashion. While their stories were remarkably similar, each seemed to highlight a different weakness in the modern online commercial banking environment. I will be writing about their experiences in the coming days and weeks, but in the meantime I'd like to offer a few basic security tips for companies that bank online.

- Reconcile your accounts daily. The victimized companies I have interviewed so far that have been most successful in retrieving stolen funds have by and large been those who quickly spotted the fraudulent transfers.

- Ask your bank if you can set up a notification procedure -- perhaps approval by phone -- for any transfers that fall outside of your normal online banking activity.

- For employees who need to access your accounts online, consider setting them up with a Mac or Linux system -- or perhaps even a Live CD distribution of Linux -- to minimize the chances of data-stealing malware swiping your company's crown jewels.
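The first two tips amount to a reconciliation check a company can run over its own transfer records. As an added example that is not part of the original post, the following Python flags an outgoing batch that looks like the Ferma transfers (many first-time recipients within minutes, and a total far above any previous day); the payees, amounts, timestamps and thresholds are all constructed sample data.

```python
# Added example: flag an outgoing ACH batch that departs from a company's normal
# payment pattern. Every record below is constructed; nothing is real bank data.
from datetime import datetime, timedelta

# Constructed history of ordinary transfers: (timestamp, payee, amount in USD).
HISTORY = [
    (datetime(2009, 6, 5, 10, 0), "ACME Equipment Rental", 12500.00),
    (datetime(2009, 6, 15, 9, 30), "Payroll Service Inc", 48200.00),
    (datetime(2009, 6, 30, 9, 30), "Payroll Service Inc", 47950.00),
    (datetime(2009, 7, 2, 14, 0), "County Permits Office", 850.00),
]

# Constructed batch modelled on the article: 39 transfers to new payees within minutes.
SUSPECT_BATCH = [
    (datetime(2009, 7, 15, 9, 2) + timedelta(minutes=i), f"Mule Account {i:02d}", 9000.00 + 40 * i)
    for i in range(39)
]

# Constructed ordinary day for comparison: one known payee, a normal amount.
NORMAL_BATCH = [(datetime(2009, 7, 15, 9, 30), "Payroll Service Inc", 48100.00)]


def largest_daily_total(history):
    """Largest sum of outgoing transfers on any single day in the history."""
    per_day = {}
    for ts, _, amount in history:
        per_day[ts.date()] = per_day.get(ts.date(), 0.0) + amount
    return max(per_day.values(), default=0.0)


def flag_batch(batch, history, max_new_payees=3, window=timedelta(hours=1), total_factor=2.0):
    """Return a list of (reason, detail) findings for a batch of (timestamp, payee, amount)."""
    findings = []
    known = {payee for _, payee, _ in history}
    new_transfers = sorted(t for t in batch if t[1] not in known)
    # Rule 1: more than max_new_payees first-time recipients inside one sliding window.
    for i, (start, _, _) in enumerate(new_transfers):
        in_window = [t for t in new_transfers[i:] if t[0] - start <= window]
        if len(in_window) > max_new_payees:
            findings.append(("new_payee_burst", len(in_window)))
            break
    # Rule 2: batch total far above the company's largest historical day.
    total = sum(amount for _, _, amount in batch)
    if total > total_factor * largest_daily_total(history):
        findings.append(("total_exceeds_history", round(total, 2)))
    return findings
```

Calling flag_batch(SUSPECT_BATCH, HISTORY) returns both findings (a burst of 39 new payees and a total of $380,640 against a previous best day of $48,200), while flag_batch(NORMAL_BATCH, HISTORY) returns an empty list; either finding is the kind of event the phone-approval procedure in the second tip should be triggered on.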

Further reading:

More Business Banking Victims Speak Out

Tighter Security Urged for Businesses Banking Online

Businesses Reluctant to Report Online Banking Fraud

Eastern European Cyber Gangs Target Small U.S. Firms, Group Says

The Growing Threat to Business Banking Online

PC Invader Costs Ky. County $415,000

Clampi Trojan: The Rise of Matryoshka Malware

By Brian Krebs  |  September 9, 2009; 11:30 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Small Business Victims  | Tags: ACH fraud, ferma corp, money mules, zeus  

Nice piece of journalism. Sincerely.

I look forward to your future articles regarding this issue. I wasn't aware of the Zeus trojan being able to change the bank login page like that.

It seems that anti-virus programs can do very little these days based on the number of infections and what the cyber thieves can do once a PC is infected.

I'm not sure I agree with the move to a Mac, we've been seeing more and more rumblings about Macs being more of a target.

Nice work.

Posted by: traef06 | September 10, 2009 5:28 AM | Report abuse

Very nice article, although I'm not sure about the Mac comments. The Live CD is solid and a nice recommendation, especially if the distribution prevents communication with the hard drive.

Posted by: pga6 | September 10, 2009 11:48 AM | Report abuse

I agree with Brian's Mac comment.

The current threats for Macs require someone intentionally installing trojan infested software -- usually downloaded from P2P networks in order to avoid paying for it legitimately.

Compare that with the countless drive-by vulnerabilities on Windows, and the difference is obvious.

Posted by: Annorax | September 10, 2009 2:08 PM | Report abuse

Nice article. Good suggestions. With Netbooks running like $300 bucks buying one with a proprietary OS for only that could be helpful or running a live CD.

Is there any 411 more about the two-factor authentication? If this was tightened down wouldn't that help... maybe not solve but help. For example, allow access from one IP within a 5 minute window to a given account or attempted login. If you start the process with your login/password, which initiates the 5 minute counter, then asks for the token's data, that would seem to help. I guess if somebody's jacked your system all bets are off... they could let you login then just steal control or make it look like you signed out when you really didn't. Maybe banks should be more cautious with transactions like this... hey and maybe even give you a read only USB drive to boot off... :) I'd say it might be cheaper than some of their tokens.

By the way Annorax about your Mac comment they targeted a guy using a digital two-factor token?? Just food for thought. It would really be something if they target a guy with a hashing token where the login presents a code that your token hashes/encrypts and that is your response.

Posted by: dward__ | September 10, 2009 2:41 PM | Report abuse

Solid recommendations. I would add one other (not the most robust, but it provides a more familiar environment):

provide the online banking employee(s) with an old Windows (re-imaged) with explicit guidelines to ONLY use it for the banking, AND, unplug its Ethernet cable (wireless, unless one runs a locked-down IPSec client, forget it!) when NOT in use.

At the risk of sounding, well, gleeful over this unfortunate incident, I am somewhat relieved that this story illustrates that two-factor authentication does NOT always deter these attacks. I was recently speaking with a potential customer that looked at me cynically when I told him of this. Now, he can see this article and know I wasn't inventing this threat to sell security software.

Posted by: eiverson1 | September 10, 2009 2:53 PM | Report abuse

FYI - PandaLabs produced a video demonstrating how the banking Trojan works to change a bank's login page:

Posted by: swalsh1 | September 10, 2009 3:02 PM | Report abuse

This type of attack would not be possible if the banks had issued more advanced RSA tokens - the kind that generates a code to sign each transaction. I've got one (from a bank in Europe) where you have to enter two numbers on the token: the second one is the euro amount of the transaction, so I'd certainly notice a large transaction.
And that is just for a private account - beats me why banks here don't issue them for corporate customers.

Posted by: nl01 | September 10, 2009 10:40 PM | Report abuse
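The difference between the two kinds of token, as an added example that is not code from the article, the commenter or any vendor: a time-based login code is identical for anyone who presents it within its 60-second step, so the intercepted code described in the article still works seconds later, while a transaction code that binds the amount (and, going a step beyond nl01's description, the destination account) cannot be reused for a different transfer. The seed, challenge, amounts and account identifiers are constructed, and both code formats are simplified stand-ins for real token algorithms.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-token-seed"  # constructed seed shared by token and bank


def truncate(mac):
    """Dynamic truncation to six digits (the HOTP/TOTP scheme of RFC 4226, section 5.3)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def login_code(secret, unix_time, step=60):
    """Time-based login code: valid for whoever presents it inside the 60 s step."""
    counter = struct.pack(">Q", unix_time // step)
    return truncate(hmac.new(secret, counter, hashlib.sha1).digest())


def transaction_code(secret, challenge, amount_cents, dest_account):
    """Transaction-signing code bound to the bank's challenge, the amount and the destination."""
    msg = f"{challenge}|{amount_cents}|{dest_account}".encode()
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_authorises(secret, challenge, amount_cents, dest_account, presented):
    """The bank recomputes the code for the transfer it actually received."""
    expected = transaction_code(secret, challenge, amount_cents, dest_account)
    return hmac.compare_digest(expected, presented)


def demo():
    t = 1_247_655_600  # constructed timestamp, on a 60 s step boundary
    # Stage 1: the fake maintenance page hands the attacker the victim's login code,
    # which still works 30 s later because it depends only on the time step.
    intercepted = login_code(SECRET, t)
    attacker_logs_in = login_code(SECRET, t + 30) == intercepted
    # Stage 2: each transfer gets a fresh bank challenge and must be signed by the token.
    challenge = "8f3a21"  # constructed bank nonce
    legit = transaction_code(SECRET, challenge, 85_000, "ACCT-PERMITS")  # $850 to a known payee
    ok_legit = bank_authorises(SECRET, challenge, 85_000, "ACCT-PERMITS", legit)
    # Malware rewrites the signed transfer to $447,000 for a mule account: the code no longer matches.
    ok_attack = bank_authorises(SECRET, challenge, 44_700_000, "ACCT-MULE-01", legit)
    # The intercepted login code is no substitute for a transaction code either.
    ok_reuse = bank_authorises(SECRET, challenge, 44_700_000, "ACCT-MULE-01", intercepted)
    return attacker_logs_in, ok_legit, ok_attack, ok_reuse
```

demo() returns (True, True, False, False): the login code is reusable inside its window, the genuine transfer is accepted, and neither the altered transfer nor the intercepted login code is.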

Attacks like this against online banking sessions are on the rise. Out-of-band authentication, which uses a separate channel to authenticate the user's login, is really the only way to protect against them. And to take it one step further, it's best to authenticate specific transactions, not just session logins, particularly for high-risk transactions.

The PhoneFactor solution does both using an automated out-of-band telephone call.

Sarah, PhoneFactor

Posted by: sfender | September 11, 2009 11:18 AM | Report abuse

Some motherboards support a separate Linux OS launch at startup. Asus comes to mind. One could do banking on this OS and then start Windows for whatever else one wants to do.

Posted by: chrisp339 | September 11, 2009 12:52 PM | Report abuse
