More Business Banking Victims Speak Out
Since our story about Eastern European cyber crooks targeting small to mid-sized U.S. businesses ran last week, I've heard from a few more victims. Eerie similarities in their descriptions of how they were robbed suggest the bulk of this crime may be the work of one or two gangs.
David Johnston, owner of Sign Designs, Inc., a Modesto, Calif.-based company that makes and installs electric signs, said his company lost nearly $100,000 on July 23, when crooks used the company's credentials to log in to its online banking account and initiate a series of transfers to 17 accomplices at seven banks around the country.
"Our daily limit on these transactions was $100,000, and [the thieves] took just $47 short of that amount," Johnston said. "What we're looking at really is the bank robber of 2009. They don't use a gun, they have lots of helpers, their [profits] are huge, and the likelihood anyone will catch them seems to be extremely slim."
It's not certain what malicious software was responsible for the stolen credentials, but the attack bears similarities to methods used in the $415,000 fraud perpetrated against Bullitt County, Ky. in July, which involved a notorious strain of data-stealing malware called "Zeus," or "Zbot."
For one thing, Johnston's bank said all of the fraudulent transactions appeared to have been initiated from the same Internet address the company normally uses to access its accounts online, suggesting that the criminals tunneled through an infected machine on Sign Designs' network. The Zeus variant used in the Bullitt attack -- a custom version known as "Jabberzeus" -- made it easy for attackers to mask their true Internet address in this way.
Many of these scams involve the use of so-called "money mules," willing or unwitting accomplices typically hired through online job search sites to receive the fraudulent transfers, withdraw the money, and then wire it to the fraudsters. As it happens, the ruse with which the money mules were recruited in this attack also was similar to the scam used to enlist the accomplices who helped siphon money out of Bullitt County's coffers.
Johnston shared with Security Fix a breakdown of the fraudulent transactions as provided by his bank, which lists the names and account numbers of the mules who received the fraudulent payments (nearly half of the mules opted to open accounts at the same prepaid debit card institution).
I was able to reach one of the alleged mules, a 37-year-old woman from Miami who said she got involved after responding to a work-at-home ad sent to her via e-mail. Merian Terry said she received an e-mail from a company called Acquaintance Dating Services, which told her that it had found her resume on job search Web site Careerbuilder.com (the information in the e-mail headers indicates, however, that those employment solicitations were not sent through Careerbuilder's Web site).
Initially, Terry said she was hired to edit text files at a rate of $8 per kilobyte of edited work. After a few weeks of editing these texts and e-mailing them back to her contact at Acquaintance, she inquired about getting paid the $60 that she was owed for her work. In reply, her handler asked if she'd like to be promoted to work as a "local agent," responsible for managing money transfers for the company. All she needed to do was give them a bank account number (the mules used in the Bullitt County heist also were initially hired to edit texts before being asked to assume local agent positions).
Terry said a few days after providing her bank account information, she woke up and found that $9,810 had been deposited into her account, funds that she later learned from her bank were drawn from Sign Designs' account.
"That's when the red flag went off, and I immediately e-mailed [Acquaintance] and said you need to get this money out of my account," Terry said. But, of course, the perpetrators needed her help to do that. Terry declined, leaving the money in the account instead of wiring it to her erstwhile employers in Ukraine, as instructed. That's a good thing, too, because within a few days, the deposit was reversed by her bank: Had she pulled the money out, she might be on the hook for close to $10,000.
Security Fix could not locate a business called Acquaintance Dating Services. And there was no response to an e-mail sent to Terry's contact.
Johnston said he is still waiting for Terry's transaction to be reversed -- a process that can be time-consuming. So far, his company has been able to reverse just a single fraudulent transaction in the amount of $29,900, but only because one accomplice hired to receive the stolen funds gave the perpetrators an apparently incorrect bank routing number.
In all, Johnston said he is still out nearly $70,000 from the incident.
"All I can say is I'm glad it's apparently hard to get reliable money mules these days, or we wouldn't have gotten any money back," Johnston said.
September 4, 2009; 9:00 AM ET