Network News

X My Profile
View More Activity

More Business Banking Victims Speak Out

Since our story about Eastern European cyber crooks targeting small to mid-sized U.S. businesses ran last week, I've heard from a few more victims. Eerie similarities in their descriptions of how they were robbed suggest the bulk of this crime may be the work of one or two gangs.

David Johnston, owner of Sign Designs, Inc., a Modesto, Calif.-based company that makes and installs electric signs, said his company lost nearly $100,000 on July 23, when crooks used the company's credentials to log in to its online banking account and initiate a series of transfers to 17 accomplices at seven banks around the country.

"Our daily limit on these transactions was $100,000, and [the thieves] took just $47 short of that amount," Johnston said. "What we're looking at really is the bank robber of 2009. They don't use a gun, they have lots of helpers, their [profits] are huge, and the likelihood anyone will catch them seems to be extremely slim."

It's not certain what malicious software was responsible for the stolen credentials, but the attack bears similarities to methods used in the $415,000 fraud perpetrated against Bullitt County, Ky. in July, which involved a notorious strain of data-stealing malware called "Zeus," or "Zbot."

For one thing, Johnston's bank said all of the fraudulent transactions appeared to have been initiated from the same Internet address the company normally uses to access its accounts online, suggesting that the criminals tunneled through an infected machine on Sign Designs' network. The Zeus variant used in the Bullitt attack -- a custom version known as "Jabberzeus" -- made it easy for attackers to mask their true Internet address in this way.

Many of these scams involve the use of so-called "money mules," willing or unwitting accomplices typically hired through online job search sites to receive the fraudulent transfers, withdraw the money, and then wire it to the fraudsters. As it happens, the ruse with which the money mules were recruited in this attack also was similar to the scam used to enlist the accomplices who helped siphon money out of Bullitt County's coffers.

Johnson shared with Security Fix a breakdown of the fraudulent transactions as provided by his bank, which lists the names and account numbers of the mules who received the fraudulent payments (nearly half of the mules opted to open accounts at the same prepaid debit card institution).


I was able to reach one of the alleged mules, a 37-year-old woman from Miami who said she got involved after responding to a work-at-home ad sent to her via e-mail. Merian Terry said she received an e-mail from a company called Acquaintance Dating Services, which told her that it had found her resume on job search Web site (the information in the e-mail headers indicates, however, that those employment solicitations were not sent through Careerbuilder's Web site).

Initially, Terry said she was hired to edit text files
at a rate of $8 per kilobyte of edited work. After a few weeks of editing these texts and e-mailing them back to her contact at Acquaintance, she inquired about getting paid the $60 that she was owed for her work. In reply, her handler asked if she'd like to be promoted to work as a "local agent," responsible for managing money transfers for the company. All she needed to do was give them a bank account number (the mules used in the Bullitt County heist also were initially hired to edit texts before being asked to assume local agent positions).

Terry said a few days after providing her bank account information, she woke up and found that $9,810 had been deposited into her account, funds that she later learned from her bank were drawn from Sign Designs' account.

"That's when the red flag went off, and I immediately e-mailed [Acquaintance] and said you need to get this money out of my account," Terry said. But, of course, the perpetrators needed her help to do that. Terry declined, leaving the money in the account instead of wiring it to her erstwhile employers in Ukraine, as instructed. That's a good thing, too, because within a few days, the deposit was reversed by her bank: Had she pulled the money out, she might be on the hook for close to $10,000.

Security Fix could not locate a business called Acquaintance Dating Services. And there was no response to an e-mail sent to Terry's contact.

Johnston said he is still waiting for Terry's transaction to be reversed -- a process that can be time-consuming. So far, his company has been able to reverse just a single fraudulent transaction in the amount of $29,900, but only because one accomplice hired to receive the stolen funds gave the perpetrators an apparently incorrect bank routing number.

In all, Johnston said he is still out nearly $70,000 from the incident.

"All I can say is I'm glad it's apparently hard to get reliable money mules these days, or we wouldn't have gotten any money back," Johnston said.

By Brian Krebs  |  September 4, 2009; 9:00 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Small Business Victims , Web Fraud 2.0  | Tags: jabberzeus, money mules, zbot, zeus  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Apple Updates Java, Backdates Flash
Next: Microsoft Fixes Eight Security Flaws


Hi Brian,

It would be nice to know if the infected machines had current protection installed or not. How well are we protected if we stay current? Would my Vista/OneCare combo (both with ALL current updates installed) been SAFE...or NOT?

Is the real lesson..."GET CURRENT, STAY CURRENT"...

ALSO - it would be very nice if someone there at the WP would provide an update on the "Fannie Mea Software Time Bomb" story. Does the perp really work at Bank of America as his LinkedIn page states or not?

Posted by: Sadler | September 5, 2009 12:05 AM | Report abuse

sadler- i'm pretty sure i have addressed this question about the fannie mae guy already in these comments, but no, that information is not current. I checked with them 5 months ago and that was not the case then and I can only assume given their awareness of the very public situation that it is not the case now.

RE: protection? do you mean anti-virus? it's useful, and a necessary evil for Windows users, but will it save you all of the time? no.

it's important to keep in mind that the threats i'm discussing in these attacks on businesses very often are targeted attacks. i.e., the victim company publishes the name and email address of their treasurer/controller on their web site and the rest is just getting someone who opens 100 invoices a day to open a poisoned one. not rocket surgery.

that's not to downplay the sophistication of all the machinery of the bad guys that goes into ripping businesses off to the tune of six figures on average. it's interesting to read other experts saying they think this is an isolated problem, that it's under control and that there aren't that many victims.

you can expect to see a flood of these stories here over the next few weeks.

Posted by: BTKrebs | September 5, 2009 1:30 AM | Report abuse

Pardon me, but there seems to be so many ways to fix this from simple things like phone verification of wires to use of RSA tokens. Is it just an aversion to spending the necessary money on the part of the banks that allows this to continue?

Posted by: courry | September 5, 2009 2:07 AM | Report abuse

Thanks for responding Brian.

The link you provided includes: "...used a computer virus to hack into the school board's computer system. Often the malicious software lies right inside the browser..."
Sounds like the point I was making. Are the majority of these "break-ins" due to the business running out-of-date software (OS/Browser/AV & other protection) or something else?

As far as the Fannie Mae guy...where is he now, who is he working for, has he disappeared, has he changed his name, has he left the country, is the FBI keeping and eye on him? The Fannie Mae story is a peek inside the world of malicious code planters (software terrorists).

Posted by: Sadler | September 5, 2009 10:58 AM | Report abuse

And once again, the REAL lesson here is if Sign Designs were run on OSX as opposed to Windows, it wouldn't have this problem.

Posted by: jltnol | September 5, 2009 12:41 PM | Report abuse

The mules who actually allowed their accounts to be used as transit points must be desperate and as dumb as toast.

Is there an insurance market to protect businesses against this other variants of internet based fraud?

Posted by: featheredge99 | September 5, 2009 3:03 PM | Report abuse

The point about out of date antivirus software is incorrect--AV will not protect you from a targeted attack, regardless of how up to date it is. (Increasingly, it doesn't do much for more widespread attacks, either.) Sometimes the malware exploits a vulnerability which should have been patched. Just as often, (maybe more often) though, it exploits a new "zero-day" vulnerability, or simply convinces a person to run the malware manually. (Don't laugh, this happens all the time, even to people who should know better.) This column has already covered the best available defensive measure: dedicate a system to financial transactions (which means do not use it for anything else--no email, no web browsing, no copying files from other computers). That's a real pain, but the state of the art on this is pathetic.

Posted by: SecurityLuddite | September 8, 2009 8:50 AM | Report abuse

What makes you think that spending the money is necessary for the bank? They aren't on the hook for it.

Now, if you changed the banking regulations so that they were, then they would act. But that would have other side effects. Good in the long term, but small businesses would howl in the short term.

Posted by: wiredog | September 8, 2009 10:08 AM | Report abuse

My latest blog post is a live demonstration of a stealth banking trojan in action.

Check it out here:

Posted by: spcorrell | September 8, 2009 6:53 PM | Report abuse

@courry & @wiredog

What I'd like is just one bank to add those "services" and advertise them.

When all of the other banks ran out of customers, maybe we'd see those precautions become commonplace.

Posted by: nothanks42 | September 10, 2009 1:03 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company