Network News

X My Profile
View More Activity

Cyber Gangs Hit Healthcare Providers

Organized cyber thieves that have stolen millions from corporations and schools over the past few months recently defrauded several health care providers, including a number of non-profit organizations that cater to the disabled and the uninsured.

The victims are the latest casualties of an online crime wave being perpetrated against U.S.-based organizations at the hands of cyber thieves thought to be based out of Eastern Europe.

On Sept. 9, crooks stole $30,000 from the Evergreen Children's Association (currently doing business as Kids Co.), a non-profit organization in Seattle that provides on-site childcare for public schools.

Kids Co. chief executive and founder Susan Brown said the attackers tried to send an additional $30,000 batch payment out of the company's account, but that her bank blocked the transfer at her request.

"Now we're in this battle with our bank, because my staff accountant checks the account every day, and we notified the bank before this money was stolen and the transfer still went out," Brown said.

Then last week, criminals targeted Medlink Georgia Inc., a federally qualified, not-for-profit health center that serves the uninsured and under-insured. The thieves stole the user name and password to Medlink's online banking account, and used that access to send more than $44,000 to at least five different "money mules," people wittingly or unknowingly recruited via online job scams to help criminals launder stolen funds. The mules typically are told to wire most of the funds they receive to the criminals abroad (minus a small commission).

Gary Franklin, MedLink Georgia's chief financial officer, said the company's bank reversed some of the fraudulent transfers, but that it looks like transfers to two of the mules - worth $15,000 -- may never be recovered.

Also last week, unknown hackers stole nearly $200,000 from Steuben ARC, a Bath, N.Y., based not-for-profit that provides care for developmentally disabled adults. The fraudulent transfers were sent in two batches to at least 20 different money mules around the nation. Steuben's bank blocked the second batch, for a total of $103,000, and a portion of the $93,000 worth of bogus transfers from the second batch.

Steuben's director of finance, Anita Maroscher, said the company is still trying to recover some $42,000 in stolen funds.

Bob Haley, Steuben's director of information technology, told Security Fix that the thieves were able to steal the company's online banking credentials through a keystroke logging piece of malware disguised as a shipping invoice that was sent via e-mail to one of Steuben's accountants.

"It went through this lady's computer, there was a file called '' that she mentioned having opened while checking her Web mail at work," Haley said. "She said there wasn't anything she recognized in [that invoice], but there was a Trojan horse in it."

The Trojan horse in question was none other than Clampi, by many accounts one of the most sophisticated pieces of malware in distribution today. Clampi is so complex and clever that some of the smartest security researchers out there are still trying to decode all of its functionality and features. Researchers at Symantec last week just posted what they say will be the first in a series of writeups discussing various aspects of Clampi.

Further reading:

Money Mule Recruitment Network Exposed

Maine Firm Sues Bank After $588,000 Cyber Heist

Data Breach Highlights Role of Money Mules

Cyber Crooks Target Public and Private Schools

Cyber Thieves Steal $447,000 from Wrecking Firm

More Business Banking Victims Speak Out

Clamping Down on the Clampi Trojan

PC Invader Costs Ky. County $415,000

The Growing Threat to Business Banking Online

Tighter Security Urged for Business Banking Online

European Cyber-Gangs Target Small U.S. Firms, Group Says

Clampi Trojan: The Rise of Matryoshka Malware

Just Say No to Work-at-Home Money Mule Scams

By Brian Krebs  |  September 28, 2009; 3:15 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Small Business Victims , Web Fraud 2.0  | Tags: ach fraud, kids co., medlink, money mules, steuben arc  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Don't Get Web 2.0wned
Next: New IRS Scam E-mail Could Be Costly


I guess that Total Cost of Ownership for PCs running Windows isn't look so good.

I wonder when we'll start holding school boards etc responsible for the losses from their (many, not all) insistence upon Windows "because that's what everybody uses".

However, this will equalize when insurance costs are factored in.

Posted by: vdev | September 28, 2009 4:58 PM | Report abuse

How dumb do you have to be to keep running a Microsoft OS when you end up being an unending target of criminals for doing so?

It's a poor quality product, and the ubiquity of the applications is not nearly what it's presented to be. The one thing that is ubiquitous about it is that if you run it, you're going to have serious security trouble.

Use _any_ other operating system and you will be more secure out of the box, and stay that way, than you will running Windows.

Posted by: timscanlon | September 28, 2009 9:31 PM | Report abuse

Clampi uses a built-in virtual machine to make life difficult for Anti Virus analysts. Therefore, I assume that it will decline, or be unable to run inside a VM. Another reason to surf from inside a dedicated VM.

And 2 different VMs would be a good idea: one for secure sites, and one for general surfing.

Posted by: moike | September 28, 2009 10:34 PM | Report abuse

Do you really want your medical records accessible over the Internet? Even the comments of the Dr. in Pasco who couldn't pronounce your name?

Posted by: n7uno | September 29, 2009 12:48 AM | Report abuse

Granted, Windows is far in the way the most targeted platform per cyber criminals. And yes, a dedicated LiveCD for the conduct of online banking transaction would be ideal. Just remember, to lock it down to prevent visits to other websites (assume employees will think it harmless--it isn't!).

That said, businesses are not implementing the practical-prevention measures that drop their risks dramatically.

First thing, stop relying soley on security software from the big vendors. Look elsewhere. There are free 30 day trial products anyone can try that deliver better protection.

Second, implement the patches for client software quicker. BTW, some security software products effectively render client software vulnerabilities moot, at the very least, buy IT folk extra time.

Third, the web browser provides cyber criminals the most attack surface on typical computers. This summer we learned matters are worse than most believed:

Fourth, and these four recommendations apply to those that do NOT utilize LiveCd's as recommended by Brian and others. Use two or more different web browsers. One should be dedicated to sensitive activities and with maximum security settings. This should NOT be your default web browser!!! One or more other web browsers should be used for general browsing, and perhaps other sensitive but not super sensitive activities. This compartmentalizes browser comm. Malware prevention is key, however, to keeping out PC-wide keyloggers and such.

Posted by: eiverson1 | September 29, 2009 11:02 AM | Report abuse

@ vdev & timscanlon

BULL! There is no secure OS in existance today! I work for the DoD feds and we use windows. These companies are not using security properly. THAT is the problem! Firewall, antivirus, encryption and employee education is at minimum required!

What I can't understand is... the money is transferred to these mules. How can they NOT track them down. Something is not complete on this article...

Posted by: darbyohara | September 30, 2009 7:09 AM | Report abuse

@darbyohara -- if you read the piece I wrote a few days ago about how these mules are managed and recruited, you'd see that the money -- once sent to the mules -- is only in their account for a few hours, typically. after that, it's wired via western union or moneygram. so, there is a very short window there in which tracking them down does any good.

sure you can prosecute them, but good luck convincing a jury that the mules weren't simply victims themselves.

Posted by: BTKrebs | September 30, 2009 8:25 AM | Report abuse

So where's the news?You can read these stories every day. Users, vendors, analysts and yes writers have become complacent;just waiting for the next big announcement from some legacy security vendor, about the next version of bloatware that still won't stop these kind of attacks. This is a market ripe for innovation, but we continue to fall back on McAfee, Symantec, et al. Where's the innovation? Show me something new.

Posted by: novaITguy | September 30, 2009 11:36 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company