Data Breach Highlights Role Of 'Money Mules'

Clarification:
This blog post refers to an entity calling itself the Entrust Group,
using the Web site name entrust-group.cn, that allegedly helped recruit people to help commit online crime. We were contacted soon after this published by a Reno, Nev.-based financial services firm named The Entrust Group (TEG) - with the Web site name theentrustgroup.com - which informed us that people were calling the company under the mistaken impression that the blog posting refers to TEG.
TEG is in no way affiliated with or connected to the fraudulent activities associated with the Entrust Group named in the body of this story. Because fraudsters tend to use generic-sounding names when they create fake corporations, there may be a number of businesses which have names similar to the Entrust Group named in this story that have nothing to do with the perpetrators of this crime.

On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account.

The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws.

"This is something new to us, fortunately, but we have responsibilities under Maine statute to report these things to our customers and employees," said the company's president, John Peters, in an interview with Security Fix. At least 44 other states and the District of Columbia have similar data breach notification laws.

Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer systems, and stole the credentials the company uses to manage its bank accounts online. Then, on or around Sept. 2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's account to at least 20 individuals around the United States who had no prior business with Downeast Energy.

This type of crime is impossible without the cooperation of so-called "money mules," willing or unwitting individuals typically hired via Internet job search Web sites to act as "local agents" or "financial agents" responsible for moving money on behalf of a generic-sounding international corporation, legal experts say. The mules are then instructed to withdraw the cash and wire it via Western Union or Moneygram to fraud gangs overseas, typically in Eastern Europe.

It is not uncommon for a single cyber robbery to depend on the help of dozens of money mules:

-In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company by initiating a large batch of transfers from Ferma's online bank account to 39 money mules.

-Also in July, attackers stole $415,000 from Bullitt County, Ky. by sending bogus payroll deposits to more than two dozen mules.

-In May, a Texas company was robbed of $1.2 million with the assistance of nearly 40 money mules.

While essential, money mules also are frequently the weakest link in any organized cyber crime ring. Indeed, Peters said the first indications of fraud came when his chief financial officer received a phone call from a bank in Texas, asking whether the company had approved a suspicious transfer to a local resident in the amount of $9,800.


Another individual who received funds from Downeast's account was Kenneth Durastanti, a 24-year-old Ball, La. resident who was recently recruited by a company called Entrust Group Inc. Mr. Durastanti declined to return phone calls seeking comment. Entrust Group also did not respond to requests for comment sent via e-mail. The company claims to be a 19-year-old brokerage firm located in Rochester, N.Y., but there is no listing for a company by that name in the New York State business register. Also, the company's Web site is hosted in China, and its domain name -- www.entrust-groupsvc.cn -- ends with a Chinese country code.

But Kenneth's mother, Dixie Durastanti, said the Entrust Group told her son they had found his resume on Careerbuilder.com, and that Kenneth could make thousands of dollars a month working from home.

"I warned him that the offer sounded too-good-to-be-true, but he didn't want to believe me," Ms. Durastanti told Security Fix. "As soon as my son told me they wanted his ID number and bank account number and wanted to put this large sum into his account, I told him 'You're in trouble, buddy.' "

Not long after that conversation, she said, Downeast Energy's bank called, inquiring into the whereabouts of a $9,589 transfer that was sent to Kenneth on Sept. 2.

Ms. Durastanti said when Kenneth went to wire the money via Western Union to individuals in Ukraine, he made a small but important error.

"He put the money wire in his name and to his own name, and so the transfer came back to him. He ended up giving the money back to the bank," she said. "Thank goodness, I think his stupidity saved him."

Would that the other mules recruited to help spirit away money from Downeast Energy were similarly challenged. Downeast's Peters said the company is still chasing after $150,000 worth of unauthorized transfers connected to the attack.

"I look at this and asked 'What could we have done differently?' " Peters said. "We have appropriate security, firewalls, and even hire outside firms to audit all this stuff on a regular basis, but this just shows that no matter how hard you try, you're still vulnerable."

Capt. Lee Leach, an investigator with the local police department in Alexandria, La., said he spoke with Kenneth a few days before the transfer, at the request of Ms. Durastanti, to try to persuade the woman's son to reconsider working with his new employers at Entrust Group.

Leach said he believes this type of fraud will only grow as more and more people are out of work. Experts say few -- if any -- mules are ever prosecuted.

"It's a situation where a person should have known and any reasonable jury or judge would know there's something not right about getting paid thousands of dollars for not doing any work whatsoever," Leach said. "While this is all an interesting case, and I've never seen one quite like this, I have still not had a reported crime in my jurisdiction. Nobody's come forward to say that this guy scammed me out of money."

By Brian Krebs  |  September 16, 2009; 8:43 AM ET
Categories:  Fraud , Small Business Victims  | Tags: downeast energy, entrust group, money mules  

Comments

Brian, though the mules may not be prosecuted per se, they CAN be held responsible for the money siphoned from the bank, correct?

Posted by: wilson7 | September 16, 2009 10:46 AM | Report abuse

The bigger question than whether they CAN be held responsible is whether the mules have sufficient assets to make pursuing them worthwhile, especially for a small business with limited resources which has already suffered a major loss.

Posted by: SecurityLuddite | September 16, 2009 11:22 AM | Report abuse

@wilson7,
Sure, in theory they can be held civilly liable. Just find a lawyer who will take the case for less than the value of the money taken.

Assuming, of course, the mule doesn't just look at a bill (from the victim) for several thousand dollars and file bankruptcy.

Posted by: wiredog | September 16, 2009 11:22 AM | Report abuse

Thanks for blogging on this matter, Brian! The story of the Durastanti family exemplifies the suspicions regarding «work from home managing email» offers found on various groups and lists on the web about which I posted to an earlier blog. We need to do much more to educate people concerning the dangers of responding to enticing advertisements offering large incomes for «working at home from your dator»....

Henri

Posted by: mhenriday | September 16, 2009 11:40 AM | Report abuse

I think we need to look at banks.
As someone who doesn't deal with transfers of large sums, I don't know how hard it would be to live with a lower threshold, say, $4000.

And along the same lines, wasn't Eliot Spitzer caught because he converted $4000 of assets??

Posted by: edlharris | September 16, 2009 12:06 PM | Report abuse

Why can't we monitor all wired money transfers going overseas?

Posted by: MRGB | September 16, 2009 12:36 PM | Report abuse

The web page is interesting. Never encountered 'depositary' before. It's a person to whom money or valuables are entrusted. Then there are the alternate languages: German, Danish, Bulgarian--an odd suite. German is indicated by the adjective for 'German,' and Bulgarian and Danish are presented in English. The effect is disjointed.

The alternate languages raise a question, though. Is this scam being run on comparable size institutions in other countries? One commenter in a previous discussion mentioned that European encryption was tighter.

Posted by: featheredge99 | September 16, 2009 12:50 PM | Report abuse

Maybe banks should allow businesses to set up white lists of individuals/accounts that can receive transfers, with the bank seeking confirmation before sending funds to non-white-listed accounts. This would be too impractical for large businesses but should improve security for smaller businesses.

Posted by: johndarden1 | September 16, 2009 1:06 PM | Report abuse
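One way to implement the payee whitelist johndarden1 proposes, combined with a hold on the pattern the article describes (a same-day burst of first-time payees, each paid just under $10,000). This is an added Python example, not code from the original post or from any bank; the thresholds, payee names and sample transfers are constructed assumptions.

```python
"""Payee allow-list plus batch-anomaly check for outbound business transfers.

Added example (not from the original post or any bank's system). It models the
shape of the Sept. 2 batch described in the article, a burst of sub-$10,000
transfers to people the business had never paid before, together with the
whitelist-and-confirm rule a commenter proposes. All values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

REPORTING_THRESHOLD = 10_000   # constructed: amounts just below this are suspicious
STRUCTURING_BAND = 1_000       # "just below" means within this much of the threshold
NEW_PAYEE_BURST = 3            # this many first-time payees in one day trips a hold


@dataclass(frozen=True)
class Transfer:
    txn_id: str
    day: date
    payee: str      # constructed payee identifier (name or account token)
    amount: float


def review_transfers(transfers, whitelist, prior_payees):
    """Return {txn_id: decision}, where decision is 'send', 'confirm' or 'hold'.

    - 'send':    payee is on the business's whitelist, release without a call.
    - 'confirm': payee is not whitelisted; the bank asks the customer first.
    - 'hold':    first-time payee AND either the amount sits just under the
                 reporting threshold or the same day shows a burst of new payees.
    The burst count is taken over the whole batch, so every transfer in a
    burst is held, not only the ones after the threshold was crossed.
    """
    first_time = [t for t in transfers
                  if t.payee not in whitelist and t.payee not in prior_payees]
    new_payees_by_day = defaultdict(set)
    for t in first_time:
        new_payees_by_day[t.day].add(t.payee)

    decisions = {}
    for t in transfers:
        if t.payee in whitelist:
            decisions[t.txn_id] = "send"
        elif t.payee in prior_payees:
            decisions[t.txn_id] = "confirm"
        else:
            just_under = (REPORTING_THRESHOLD - STRUCTURING_BAND
                          <= t.amount < REPORTING_THRESHOLD)
            burst = len(new_payees_by_day[t.day]) >= NEW_PAYEE_BURST
            decisions[t.txn_id] = "hold" if (just_under or burst) else "confirm"
    return decisions


# Constructed sample: one whitelisted supplier, one repeat contractor, a burst of
# just-under-threshold payments to never-before-paid individuals, and a small
# first-time payment the next day that should only need a confirmation call.
WHITELIST = {"acme-fuel-supply"}
PRIOR_PAYEES = {"acme-fuel-supply", "joe-plumbing"}
SAMPLE = [
    Transfer("t1", date(2009, 9, 2), "acme-fuel-supply", 12_450.00),
    Transfer("t2", date(2009, 9, 2), "joe-plumbing", 2_300.00),
    Transfer("t3", date(2009, 9, 2), "payee-a", 9_800.00),
    Transfer("t4", date(2009, 9, 2), "payee-b", 9_589.00),
    Transfer("t5", date(2009, 9, 2), "payee-c", 9_950.00),
    Transfer("t6", date(2009, 9, 3), "payee-d", 1_200.00),
]


def demo():
    """Run the review over the constructed batch."""
    return review_transfers(SAMPLE, WHITELIST, PRIOR_PAYEES)


if __name__ == "__main__":
    for txn_id, decision in demo().items():
        print(txn_id, decision)
```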

I think this latest incident illustrates just how UNSAFE and UNSECURE banking on-line is and that maybe businesses should just bank the old-fashioned way, in person.

Posted by: Kaynice | September 16, 2009 1:32 PM | Report abuse

If the FBI and CIA went after and extinguished these gangs in Eastern Europe (supposedly where they reside) or where they are it would be OK with me... the same people are going to have the capability to take down our infrastructure (like electrical and telecom). Better take them down first.

Posted by: kkrimmer | September 16, 2009 1:38 PM | Report abuse

To continue with what featheredge99 was saying, if you were a prospective employee of this company and went to their website, wouldn't the poor English grammar (seems to be obviously written by someone whose primary language is not English) be another warning sign, in addition to their asking for your bank account information, etc.?

Posted by: jmrzx | September 16, 2009 1:58 PM | Report abuse

Would booting with a Linux live CD before accessing bank accounts online prevent these kinds of issues with keyloggers?

Posted by: Hoku1 | September 16, 2009 4:18 PM | Report abuse

So what happens now that the criminals are out $10k and they know Kenneth is responsible?

There must be a threat of reprisal, which at minimum involves some sort of damage to Ken's personal info, etc. and could possibly involve an unpleasant visit from some Ukrainian thugs.

If there wasn't, what's to stop savvy but unscrupulous individuals from becoming mules and keeping the money...

Posted by: littlescraper | September 16, 2009 5:56 PM | Report abuse

"I look at this and asked 'What could we have done differently?' " Peters said. "We have appropriate security, firewalls, and even hire outside firms to audit all this stuff on a regular basis, but this just shows that no matter how hard you try, you're still vulnerable."

Well, you could request that your bank and/or financial institution have two factor authentication. You could require that the banks notify you of EVERY transaction made on the account via secure email. You could do MANY things. However, the banks don't want to put these tools in place.

The ONLY place I've seen significant movement towards two factor authentication is for PAYPAL, and they're not even a bank.

Shame on all you "financial institutions"... get with the times.

Posted by: dc0de | September 16, 2009 8:27 PM | Report abuse


I wonder if it would help if companies and banks were to require the use of something like a smartcard or an eToken to access their bank accounts..

Posted by: jackrussell252521 | September 16, 2009 8:55 PM | Report abuse

What this story tells us is that you should always listen to your mother.

Posted by: downie1 | September 16, 2009 9:18 PM | Report abuse

I'm wondering when someone will point out that these thieves, all of them, originate with former or present H1-B guest workers here (at the taxpayers' expense). China, India, Russia, and the Ukraine are where these criminal gangs live and those are the places where H1-B guest workers come from. With 4.5 million of our own well qualified engineers, computer programmers, technicians, mathematicians, and scientists unemployed, displaced by these corporate sponsored crooks, you'd think Congress and the Whitehouse might take a look at doing away with these visas. You would be wrong, of course, because the hi-tech corporations own Congress and Obama, body and soul.

Posted by: mibrooks27 | September 16, 2009 9:25 PM | Report abuse

I, too, was wondering when someone would come along to shoehorn a wacky, uninformed, xenophobic rant in the discussion.

Posted by: t_joe | September 16, 2009 10:59 PM | Report abuse

@t_joe He might be Xena-phobic too.

Posted by: Hoku1 | September 16, 2009 11:41 PM | Report abuse

The immediate solution is simple - too simple apparently for these sophisticated corporations...
1. Program the software so that the final transfer command requires a series of mouseclicks on the screen which are very difficult for malware to capture, not keystrokes which can easily be recorded by malware...
2. Require that the mouseclicks include a PIN input... Said PIN to come from a one time use, crypto card that a human has in their hand... The PIN changes every time it is used.. The crypto sequence is also changed regularly (this is how governments pass information openly, that cannot be decoded)

Some corporation should pay me a million bucks to secure their accounts!

dr. o

Posted by: ad4hk2004 | September 17, 2009 7:47 AM | Report abuse

Actually, two factor ID is catching on, if slowly. Schwab recently provided token devices (virtually identical to those of PayPal) for its online brokerage accounts. The entire federal government is well along the process of converting all of its individual PCs to require readers of its HSPD-12 smart ID cards to authenticate logins.

Posted by: TalkingHorse | September 17, 2009 8:59 AM | Report abuse

LOL @ downie1! :-))

I'm trying to understand how this phenomenon is different from the bank robber who gets a bystander to drive the getaway car?

Also, I find it incredibly hilarious (and sad) that the only thing our law enforcement community apparently can do is pester the poor small business victim to comply with breach disclosure and notification laws.

Why can't we come up with laws that allow us to go after the creators, no matter where - similar to "hot pursuit" laws now on the books?

Posted by: peterpallesen | September 17, 2009 9:22 AM | Report abuse

[quote]Would booting with a Linux live CD before accessing bank accounts online prevent these kinds of issues with keyloggers?[/quote]

Yes, it would for two reasons:

1) Linux is much harder to crack than Windows.

2) Since the disk would only be in there for a very limited time, it would be very hard to break into the Linux OS.

Posted by: jo-ker | September 17, 2009 9:52 AM | Report abuse

As a small business owner, these stories make me sick to my stomach. If somebody were to clean out my business account like that, I think I would have a complete breakdown. That would be far, far worse than if someone were to clean out my personal account.

Brian, thank you for your continuing coverage of these stories. It is so very important.

I have been trying to switch my business accts to a bank that uses two factor authentication, but I can't find one in Virginia. Recommendations anyone?

Posted by: sw11231 | September 17, 2009 10:09 AM | Report abuse

Just printed out this article. I'm walking it over to my bank branch right now.

Posted by: sw11231 | September 17, 2009 10:22 AM | Report abuse

sw11231 wrote: I have been trying to switch my business accts to a bank that uses two factor authentication, but I can't find one in Virginia. Recommendations anyone?

Maybe UBHC is in VA. Online sign-in requires two passwords, one via clicking, which may be too much for most "keylogger" programs.

Posted by: pulierml | September 17, 2009 11:19 AM | Report abuse

Two factor is the way to go.

Bank fraud and ID theft really get me steamed.

Is anyone lobbying to mandate 2-factor? Can't the FDIC rules mandate that banks offer it? Then they could offer the banks immunity for fraud that was committed using two factor and put that on the individual user.

Are banks lobbying against such mandates?

In the absence of financial institutions and businesses stepping up, we need federal laws mandating that these institutions be held responsible for all fraud when 2-factor is not used.

It is impossible for individuals to protect their information - there is too much data about us in 3d party databases beyond our control.

In addition to two factor for banks, we need the 3 credit bureaus to offer opt-in two factor authentication for credit score requests - this would make it harder for id thieves to open new accounts.

Basically, if I register my SSN with them, then all requests for my credit score must be validated by a PIN through the user's registered device (cell phone sms, any phone via IVR, email address, etc.)

Posted by: spioter | September 17, 2009 11:30 AM | Report abuse

While banks could and should look for new methods to secure their online banking sites it can only go so far: If the client endpoint is pwned the game is largely over.

Two factor auth using tokens sounds great...oops read Brian's "Cyber Thieves Steal $447,000 From Wrecking Firm" article. The victim's bank used true two factor auth like an RSA token and still got taken. My recommendations:

1. use Linux or a Mac. Not that either is so much more secure but it's a numbers game, more folks use Windows so most malware targets Windows.

2. If you use Windows then patch. Everything. Often. Use something like Secunia's PSI to make sure 3rd party apps like java, flash and quicktime are patched. Use Firefox with NoScript- iframe drivebys using obfuscated JavaScript are irrelevant if JavaScript is disabled.

3. For God's sake stop clicking on attachments in emails. The most hardened box in the world is instantly owned if you willingly install malware.

Posted by: angryelectron | September 17, 2009 12:03 PM | Report abuse

Those of us who've been networking consultants and engineers since before The Internet continually wonder when folks will finally wise up that The Internet was intentionally designed without security in mind -- free, unquestioned access.

Unlike telephone calls, there's no identity verification in The Internet -- no way to positively identify and tap a transmitter of packets. When folks deride "snail mail", and "land lines", they fool themselves, just the way scammers want. But when they want uncle Joe's inheritance, they get it by certified mail after phoning Joe's estate's executor -- email & web are no good for very important things.

After all the millions of hacking events, anyone who still uses The Internet for bank-account accesses and other important financial data deserves what he/she gets.

Yes, there are folks working around the world on adding identity validation to Internet accesses. Maybe, some day, something will happen. Until then, for significant $ transactions -- in-person, phone & mail!

Posted by: DrAlex1 | September 17, 2009 2:19 PM | Report abuse

So, what's wrong with giving unemployed high tech American workers jobs at the expense of H1-B guest workers? It is a fact that corporate America needs to keep human resource costs down by substituting expensive American labor with high quality inexpensive foreign labor, without outsourcing it offshore.

The result is a company with a more efficient labor force and an incentive for the remaining American workers to be more competitive by accepting less salary while increasing productivity. What better incentive to be competitive is there? It is good for the American workers because they get to keep their jobs and it is good for the company stockholders because profits increase. Everyone wins!

As far as displaced unemployed workers are concerned, well that's their problem.

Posted by: cobollives | September 17, 2009 4:10 PM | Report abuse

Those folks talking about reducing H1B visas as a way of slowing cyber crime are deluding themselves.

These are script kiddy attacks directed at small corporations that only MAY be more sophisticated in their security than the average home user.

The CFO or CEO probably just clicked the wrong attachment on his email.

Posted by: AJohn1 | September 17, 2009 5:23 PM | Report abuse

I forgot to add that the attack could be conducted by anyone with a healthy level of computer savvy.... no need for an engineering or computer science degree from a top school anywhere, let alone in the US.

Posted by: AJohn1 | September 17, 2009 5:25 PM | Report abuse

It is time to start holding our own local banks in DC accountable - by NAME.

I have already contacted my bank, Chevy Chase Bank, and asked them to outline what steps they have taken to protect their customers against these attacks. I will post their response here.

So far, they have assured me that they "use 128-bit encryption, the most secure commercial encryption available". Obviously, that does not defend against these attacks. I again asked their IT dept to respond specifically to the threats outlined in these articles.

If they respond with any additional information, I will post it here. If they fail to respond at all, I will post that information here as well.

Nothing is going to change unless you, dear reader, take ACTION.

Posted by: sw11231 | September 18, 2009 11:07 AM | Report abuse

The money mules are the weakest link in a number of ways. Why aren't we exploiting that?

The criminals make no secret of their recruitment attempts. My email inbox gets several spams daily for these "work at home" scams. Like most spam, I'm sure the scammers literally send out millions of them every day just to get a few gullible people to respond.

Since they send out so many invitations, why can't fraud investigators create a large number of imaginary money mules with accounts controlled by the banks? The number of fake money mules could easily outnumber the real ones if they wanted to do it. Then there would be an automatic early warning system of a scheme like this being put into action. If any of the fake money mules receives a transfer, an emergency response team would freeze the assets of anyone else who received a similar transfer before that real money mule could withdraw it.

It would require cooperation among financial institutions, who currently have the attitude that they are only responsible for protecting their own assets. It would require them paying into a common fund to finance the system, or else a government program to run it. (It's not like the taxpayers aren't already paying for this fraud through higher prices and service fees already.) But cooperation to help other corporate victims would end up protecting each company's own assets far better than the current every-man-for-himself system.

Posted by: AlphaCentauri | September 22, 2009 5:09 PM | Report abuse

New World Order - the computer spy

A Microsoft auto-update puts the hacker installer - webfldrs.msi on your computer so that an encrypted external connection can access and upload your files.

Get rid of it by using 'run' with the command

msiexec /x c:\windows\system32\webfldrs.msi

Always set your computer to download updates and manually install.

Posted by: coiaorguk | October 1, 2009 3:29 PM | Report abuse


© 2010 The Washington Post Company