Data Breach Highlights Role Of 'Money Mules'
This blog post refers to an entity calling itself the Entrust Group, using the Web site name entrust-group.cn, that allegedly helped recruit people to help commit online crime. We were contacted soon after this was published by a Reno, Nev.-based financial services firm named The Entrust Group (TEG) - with the Web site name theentrustgroup.com - which informed us that people were calling the company under the mistaken impression that the blog posting refers to TEG.
TEG is in no way affiliated with or connected to the fraudulent activities associated with the Entrust Group named in the body of this story. Because fraudsters tend to use generic-sounding names when they create fake corporations, there may be a number of businesses which have names similar to the Entrust Group named in this story that have nothing to do with the perpetrators of this crime.
On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account.
The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws.
"This is something new to us, fortunately, but we have responsibilities under Maine statute to report these things to our customers and employees," said the company's president, John Peters, in an interview with Security Fix. At least 44 other states and the District of Columbia have similar data breach notification laws.
Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer systems, and stole the credentials the company uses to manage its bank accounts online. Then, on or around Sept. 2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's account to at least 20 individuals around the United States who had no prior business with Downeast Energy.
This type of crime is impossible without the cooperation of so-called "money mules," willing or unwitting individuals typically hired via Internet job search Web sites to act as "local agents" or "financial agents" responsible for moving money on behalf of a generic-sounding international corporation, legal experts say. The mules are then instructed to withdraw the cash and wire it via Western Union or Moneygram to fraud gangs overseas, typically in Eastern Europe.
It is not uncommon for a single cyber robbery to depend on the help of dozens of money mules:
- In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 money mules.
- Also in July, attackers stole $415,000 from Bullitt County, Ky. by sending bogus payroll deposits to more than two dozen mules.
- In May, a Texas company was robbed of $1.2 million with the assistance of nearly 40 money mules.
While essential, money mules also are frequently the weakest link in any organized cyber crime ring. Indeed, Peters said the first indications of fraud came when his chief financial officer received a phone call from a bank in Texas, asking whether the company had approved a suspicious transfer to a local resident in the amount of $9,800.
Another individual who received funds from Downeast's account was Kenneth Durastanti, a 24-year-old Ball, La. resident who was recently recruited by a company called Entrust Group Inc. Mr. Durastanti declined to return phone calls seeking comment. Entrust Group also did not respond to requests for comment sent via e-mail. The company claims to be a 19-year-old brokerage firm located in Rochester, N.Y., but there is no listing for a company by that name in the New York State business register. Also, the company's Web site is hosted in China, and its domain name -- www.entrust-groupsvc.cn -- ends with a Chinese country code.
But Kenneth's mother, Dixie Durastanti, said the Entrust Group told her son they had found his resume on Careerbuilder.com, and that Kenneth could make thousands of dollars a month working from home.
"I warned him that the offer sounded too-good-to-be-true, but he didn't want to believe me," Ms. Durastanti told Security Fix. "As soon as my son told me they wanted his ID number and bank account number and wanted to put this large sum into his account, I told him 'You're in trouble, buddy.' "
Not long after that conversation, she said, Downeast Energy's bank called, inquiring into the whereabouts of a $9,589 transfer that was sent to Kenneth on Sept. 2.
Ms. Durastanti said when Kenneth went to wire the money via Western Union to individuals in Ukraine, he made a small but important error.
"He put the money wire in his name and to his own name, and so the transfer came back to him. He ended up giving the money back to the bank," she said. "Thank goodness, I think his stupidity saved him."
Would that the other mules recruited to help spirit away money from Downeast Energy were similarly challenged. Downeast's Peters said the company is still chasing after $150,000 worth of unauthorized transfers connected to the attack.
"I look at this and asked 'What could we have done differently?' " Peters said. "We have appropriate security, firewalls, and even hire outside firms to audit all this stuff on a regular basis, but this just shows that no matter how hard you try, you're still vulnerable."
Capt. Lee Leach, an investigator with the local police department in Alexandria, La., said he spoke with Kenneth a few days before the transfer, at the request of Ms. Durastanti, to try to persuade the woman's son to reconsider working with his new employers at Entrust Group.
Leach said he believes this type of fraud will only grow as more and more people are out of work. Experts say few -- if any -- mules are ever prosecuted.
"It's a situation where a person should have known and any reasonable jury or judge would know there's something not right about getting paid thousands of dollars for not doing any work whatsoever," Leach said. "While this is all an interesting case, and I've never seen one quite like this, I have still not had a reported crime in my jurisdiction. Nobody's come forward to say that this guy scammed me out of money."
September 16, 2009; 8:43 AM ET