
FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms

Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week.

According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams. When the mules pull the cash out of their accounts, they are instructed to wire it (minus a small commission) via services such as MoneyGram and Western Union, typically to organized criminal groups operating in countries like Moldova, Russia and Ukraine.

Steve Chabinsky, deputy assistant director of the FBI's Cyber Division, said criminals involved in these online account takeovers have attempted to steal at least $85 million from mostly small and medium-sized businesses, and have successfully made off with about $40 million of that money.

Normally, the FBI isn't eager to discuss losses, or even acknowledge the existence of specific cases. What's more, the agency is keen to avoid making any statements that might spook consumers or businesses away from online banking. But Chabinsky said the FBI is taking the unusual step of floating financial loss figures in order to grab the attention of those most at risk so they can adopt safeguards.

"We don't believe there's cause for a crisis of confidence in online banking, but we want to make sure we message this early before this becomes a much larger problem," Chabinsky told Security Fix in an interview Wednesday. "Our concern is that these numbers will grow if we don't educate people now to take precautions, and if we could nip some of this in the bud, not only will it lessen the problem, but it will serve as a deterrent to the extent the bad guys see this as an easy way to make money."

The FBI said the $40 million loss figure stems from some 205 cases that date back to 2004, though it declined to offer a year-by-year breakdown of those cases. Several bank fraud experts interviewed for this story said they were aware of very few reports of this type of cyber crime before the latter half of 2008.

"There may have been a handful of cases of this specific type of crime before 2009, but attacks like this and in this volume really only picked up toward the end of last year," said Rayleen Pirnie, senior manager for fraud and risk mitigation at EPCOR, a not-for-profit association that offers payment risk management education and training to financial institutions.

Companies that bank online enjoy few of the protections afforded to consumers. Individuals who have their online bank account cleaned out because of a password-stealing computer virus usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Businesses often are not so lucky and must take losses.

Chabinsky said businesses can insulate themselves from this type of fraud by doing their online banking from a dedicated, locked-down computer that is not used for everyday Web browsing or e-mail. That's because the malicious software that thieves use to steal online banking user names and passwords typically is installed when the recipient of a spam e-mail opens a poisoned attachment or clicks a link that leads to a booby-trapped Web site.

"What we're seeing is a trend towards [fraudsters] taking advantage of the weak link in the banking process, which is the customer," Chabinsky said.

While the biggest source of the vulnerability may reside on the customer's end, some fraud experts believe the perpetrators of this type of cyber crime are merely gravitating toward less obvious weaknesses in the commercial online banking system.

Avivah Litan, a financial fraud analyst with Gartner Inc., said many of the largest banks have taken a page from the credit card companies, investing heavily in anti-fraud solutions that look for transaction anomalies and other activity that may indicate a customer's account has been compromised.

But Litan said many companies being victimized by this type of crime bank at small and regional financial institutions that do not have fraud pattern detection technologies in place. Rather, she said, these institutions are relying on additional layers of customer protections, such as security tokens - approaches that can easily be subverted when the customer's computer is under control of the thieves.

"Many [commercial] institutions aren't even looking at new anti-fraud technologies because they don't take the direct loss when their business customers get hit," Litan said. "Banks may be worried about the reputation loss from these kinds of incidents, but so far these attacks aren't widespread knowledge."

Last week, I wrote about Genlabs Corp., a Chino, Calif., chemical manufacturing firm that lost $437,000 last month after thieves broke into the company's bank account and sent transfers to roughly 50 different money mules. The attackers succeeded despite the fact that the company's bank -- California Bank & Trust -- requires the user to enter their password in addition to the output from a key fob that generates a new six-digit number every 60 seconds.

Genlabs was just one of 48 victims I have heard from or reached out to over the past five months. While not everyone was willing to tell me the name of their bank, those that did almost universally named local and regional institutions.

If you review the chart below -- which details how much the thieves tried to steal from each victim and how much they made off with -- you'll notice that several of the figures in the "amount unrecovered" column total $0. In nearly all of those cases, the victim banked at a very small institution, the kind where employees apparently still know their customers by name and by sight.

Take the case of Holdiman Motor, a car dealership in Cedar Falls, Iowa. Earlier this year, hackers tried to initiate a series of bogus payroll transfers totaling $60,000 to several individuals the company has never done business with before. Owner Tom Holdiman said the perpetrators failed because the company's bank -- Lincoln Savings Bank -- noticed that the timing of the transactions was unusual and alerted Holdiman's controller.

"With the other banks you're just a number," Holdiman said. "That's why we're with them."
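Litan's point about transaction-anomaly screening and the Holdiman case above (unusual timing, payees the company had never paid, each transfer kept under the $10,000 reporting figure) can be reduced to a few rules a small institution could run before releasing a batch. The block below is an added example, not code from Security Fix or from any bank named here; its thresholds, rule names and sample transactions are constructed.

```python
"""Rule-based screen for a commercial ACH batch (added example, constructed data).

Encodes the pattern the article describes: a burst of sub-$10,000 transfers to
payees the account has never paid, sent at a time the account never sends batches.
"""
from datetime import datetime
from typing import Dict, List

REPORTING_THRESHOLD = 10_000    # thieves keep each transfer under this figure
NEAR_THRESHOLD = 8_000          # "just under": amounts in [8_000, 10_000)
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59; a batch outside this is unusual
MIN_NEW_PAYEES = 5              # a payroll run to this many strangers is suspect
HOLD_AT = 2                     # hold the batch and phone the customer at 2+ flags


def _ts(t: Dict) -> datetime:
    return datetime.strptime(t["when"], "%Y-%m-%d %H:%M")


def screen_batch(history: List[Dict], batch: List[Dict]) -> Dict:
    """Return the rules a batch trips and whether to hold it for a callback.

    Each row is {"when": "YYYY-MM-DD HH:MM", "payee": str, "amount": float}.
    """
    known_payees = {t["payee"] for t in history}
    usual_weekdays = {_ts(t).weekday() for t in history}

    new_payees = {t["payee"] for t in batch if t["payee"] not in known_payees}
    near = [t for t in batch if NEAR_THRESHOLD <= t["amount"] < REPORTING_THRESHOLD]
    off_hours = [t for t in batch if _ts(t).hour not in BUSINESS_HOURS]
    odd_days = [t for t in batch
                if usual_weekdays and _ts(t).weekday() not in usual_weekdays]

    flags = []
    if len(new_payees) >= MIN_NEW_PAYEES:
        flags.append("many_new_payees")
    # structuring: three or more transfers, most of the batch, each just under $10k
    if len(near) >= 3 and len(near) * 2 >= len(batch):
        flags.append("structured_under_threshold")
    if batch and len(off_hours) == len(batch):
        flags.append("off_hours_batch")
    if batch and len(odd_days) == len(batch):
        flags.append("unusual_weekday")
    return {
        "flags": flags,
        "hold": len(flags) >= HOLD_AT,
        "new_payees": sorted(new_payees),
        "total": round(sum(t["amount"] for t in batch), 2),
    }


# Constructed history: a three-person payroll, always sent on Friday mornings.
_STAFF = [("A. Alvarez", 2100.00), ("B. Brennan", 1850.00), ("C. Chen", 2400.00)]
HISTORY = [{"when": f"{day} 09:00", "payee": p, "amount": a}
           for day in ("2009-09-04", "2009-09-18") for p, a in _STAFF]

# Constructed suspect batch: seven never-seen payees, 03:15 on a Tuesday, all just under $10k.
SUSPECT_BATCH = [{"when": "2009-09-22 03:15", "payee": f"Mule {i}", "amount": amt}
                 for i, amt in enumerate([9850.0, 9600.0, 8900.0, 9200.0,
                                          9750.0, 9100.0, 8750.0], start=1)]

# Constructed normal batch: the usual payroll on the next Friday.
NORMAL_BATCH = [{"when": "2009-10-02 09:02", "payee": p, "amount": a} for p, a in _STAFF]

if __name__ == "__main__":
    print(screen_batch(HISTORY, SUSPECT_BATCH))  # hold=True, four flags
    print(screen_batch(HISTORY, NORMAL_BATCH))   # hold=False, no flags
```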

In the 48 attacks I've confirmed since May, thieves attempted to steal more than $7.3 million from these organizations. In many cases, I was unable to learn how much victims had actually lost. A number of companies told me they did not want to be identified by name, and have not responded to requests for follow-up interviews. Some victim companies that spotted the fraud early enough were able to work with their bank to retrieve some or all of the stolen funds. Other victims recovered nothing, and are in various stages of suing their banks to recover some of the losses.

Nevertheless, it is clear that the stories published here have encouraged more and more victims to come forward. In the month of September alone, I learned of at least 20 previously unpublicized cases in which hackers tried to take a total of more than $3.3 million from small- to mid-sized organizations across the country.

Below is a chart showing the victim entities that I have confirmed over the past five months. That same chart -- including monthly and cumulative dollar loss totals -- is available in Excel and HTML format. Some victims are identified only by their industry or specialty to preserve their anonymity. If a victim's name is hyperlinked, readers can click the link to read a prior Security Fix blog post that includes mention of their specific incident.


By Brian Krebs  |  October 26, 2009; 1:00 PM ET
Categories:  Small Business Victims , Web Fraud 2.0  | Tags: ach fraud, fbi, zeus  


The problem starts and can end with Western Union, because most of the money is channelled to the crooks through Western Union. CEO Christina Gold and her General Counsel David Schlapbach are focused on getting out of criminal cases against them by bribing their way out, like what they are doing in Arizona, and bribing Government officials and Judges, like what they are doing in Italy.
Western Union are profiting a lot from the scammers, and has no interest in blocking them, something that could expose the whole network as flawed, corrupt, and with so many loopholes enabling the cyber crooks, money launderers and human traffickers to do their criminal businesses, with the help and support of Western Union.

Posted by: adnanawadallah | October 26, 2009 3:43 PM | Report abuse

Great article Brian. Keep "raising the flag" and eventually more people will notice, and hopefully action will be taken. I've got to think that a 3-fold response is needed: 1) the banks need to get better at detecting/circumventing this fraud 2) the FBI should try to work more closely with foreign governments to break up these criminal gangs (may not be easy, but in my opinion it's a necessary step.) 3) the end consumer needs to be more careful about online banking, via some type of Linux/live distros you've outlined earlier

Keep up the good fight.

Posted by: wilson7 | October 26, 2009 3:59 PM | Report abuse

I received spam e-mails about scams that involved transferring funds into my checking account more than five years ago. I just deleted them. No one with honest intent transfers money into a stranger's account. Somehow, I figured, the funds would go the other direction, never to be seen again. I would be left with just the authorities' lament that it happens all too often.

Posted by: blasmaic | October 26, 2009 4:00 PM | Report abuse

It's just too bad that we can't put a huge firewall around the former Soviet Union and China.

Posted by: JoStalin | October 26, 2009 5:05 PM | Report abuse

Boy those zooming Northrop Grumman ads are annoying.

Posted by: Rixstep | October 26, 2009 5:38 PM | Report abuse

'It's just too bad that we can't put a huge firewall around the former Soviet Union and China.'

I'm not worried about them, Jo. I'd much rather ban Microsoft Windows from the Internet. Then we'd put the criminals out of business.

Posted by: Rixstep | October 26, 2009 5:40 PM | Report abuse

'We don't believe there's cause for a crisis of confidence in online banking...'

LOL. Yeah $40 million is a drop in the ocean. Big drop, small ocean. People need to wake up. And get past the status quo.

Posted by: Rixstep | October 26, 2009 5:42 PM | Report abuse

@blasmaic Same here, but I know too, somewhere down in my black little heart, that good ethics and good sense might not have been my first thoughts if I was not fully employed and focused at the time. There is no reason, today, that anyone should walk *out* of an unemployment office without having learned about money mules. Same thing for layoffs, and getting out of prison for that matter.

Posted by: gannon_dick | October 26, 2009 5:43 PM | Report abuse

Sorry, forgot those on overseas military deployments, except maybe for those in Korea who find the stateside Internet so slow they don't use it anymore.

I also found it interesting that the Banks formerly known as "too big to fail" were smart enough not to be duped. The Banks too small to PO their customers were ok too. The problem lay with the Banks "thinking too big to care".

Posted by: gannon_dick | October 26, 2009 6:04 PM | Report abuse

I seriously hope that small and mid-sized biz IT people are paying attention to this. Often these are the businesses who have the most trouble dedicating time & effort to security. Thieves are targeting businesses by size in some cases here. There is a profile they are looking for that's both online and offline.

If the answer to questions about if your business is doing the right things start with "But we ..." you probably ought to rethink the safety of the herd. That's what the FBI is saying, and people should listen to them about this. Companies with a small IT footprint due to not being in any sort of IT business sector face increased risks where in the past they might have skated by without criminal interest.

You can add ".cn/" and ".ru/" to your spam filters to block spam redirection to China & somewhat fewer Russian hosts. This won't get anything using redirection to .com hosts & other names, but will get URLs in spam content that redirect to .cn & .ru hosts. *Obviously this would cause more problems than it would solve if you speak these languages, or do business in Russia/China.* It only is useful if you are a person who does not, and then only takes out one assumption of ignorance.

Posted by: timscanlon | October 26, 2009 6:27 PM | Report abuse

I hope they hit the thieving banks with outlandish credit card rates too. Down with Citibank!

Posted by: rcvinson64 | October 26, 2009 9:00 PM | Report abuse

Instead of those key-fob number devices, banks should give their commercial customers an entire locked-down boot-from-ROM netbook for use with their accounts. If it had its own public key encryption ID, the bank could reject any online transaction that doesn't originate from that machine. I'm sure folks can think of lots of other such safeguards.

Given the ever-declining price of PCs, and the ever-increasing theft losses, this could actually be profitable for the banks. Also for whomever can first put this package together and sell it to the banks.

Posted by: iMac77 | October 26, 2009 9:37 PM | Report abuse

is there some sort of breakdown as to which systems were compromised to cause these thefts - windows, mac, linux or others?

Posted by: rm0659 | October 27, 2009 1:26 AM | Report abuse

Western Union can stop the scamming, and prevent the criminality. The problem is that Western Union, which employs ex FBI and Secret Service agents, is looking in the other direction, and has a big financial and business interest to keep it going on.
Western Union will collapse if the criminality will stop, because a clean Western Union doing business correctly and ethically, and with banking rules, and proper identification and verification of senders and receivers .. will not survive, not in the United States, or any other country.
It is incredibly unbelievable how the regulators in America, and the Financial Authorities are allowing this situation in which Western Union is promoting criminality around the world, the answer is in the heavy lobbying in America, and big covert payments in the pockets of officials around the world.
Today, any Crook, drug Dealer, or Pimp, can be a Western Union agent, acting free, as the Bank Owner, Director, and head of operations, moving any money, paying any name, and receiving as they wish.

Posted by: adnanawadallah | October 27, 2009 1:50 AM | Report abuse

How did the company's account, for which using a key fob for entering a new 6 digit number every time one logged in, get compromised?

Was the 6 digit number not used on the bank end or was a key fob lost by a company employee and so got into the hands of a hacker? Or was the log in process somehow messed up at both ends?

Without this explanation, it seems to indicate that using key fobs is not really a secure option and accounts can be hacked in spite of such measures.

Posted by: MouLif | October 27, 2009 9:11 AM | Report abuse

@rm0659 -- the systems that were compromised were all Windows-based PCs. the malware used in these attacks doesn't run on other operating systems. See:

@MouLif - The attackers control the victim's PC. So what they do is manipulate what's displayed in the victim's browser: The victim browses to the bank's site, enters their information -- along with the output from the key fob -- and hits submit. But from there, the information doesn't go to the bank's site: It goes to the hackers, and the user is instead served with a page error or other message about how the site is currently unavailable. That code is then good for next 60 seconds or so, allowing the attackers to log in as the user. Clear?

Posted by: BTKrebs | October 27, 2009 9:53 AM | Report abuse

I would agree, Brian, while you write some great articles sometimes you fail to ask the real penetrating questions, make deeper connections and insights, and TRULY identify the problem and investigate deeper. For example, why is it that a few normal readers are exposing the corruption at Western Union, and other money transfer companies and not yourself. Maybe you're not familiar with that area, but that's what research is for. For such an important subject that would make a BLAZING story.

In most instances you FOLLOW the money. Even the most basic of journalists and investigators knows that. What is not included here is other Important detailed information that is NOT included.

For example, the number and nationalities of the money mules, the duration of the fraud, the exact money transfer organizations used, the location of where the money was transferred and the Country, the reason the Money could not be recovered. Possible identification of the exact crime groups responsible.

Now I know that journalists are not exactly in the business or may not have the Balls, to identify crime groups due to personal safety reasons, however other journalists risk life and limb to expose scandal and political corruption, ironically in the former Russian block.

You would go along way towards NAMING the groups and investigating and describing the structure of such groups.

Can you imagine the unbelievable heat that would be generated by exposing these crime groups and their linkages to organized crime groups and the Governments that harbor them? The theory is if you make them HOT enough, you burn them, turn them into celebrities that can't after that get out of the light. No one will work with them because they will be so swamped with Internet mob justice and private individual researchers snooping in their back yard that they will no longer be effective.

If you think for a minute we don't know who operates these groups or pull the strings, you are deluded. At the end of the day, it will be the RELEASE, not HOARDING of critical information that will save the day.

You can start with the FBI and then go on over to MD and talk to those boys. And then get a CLUE.

Check out more of my gamechanging ideas @

Keep up the good work Brian, Just go deeper into the rabbit hole if you dare.

Posted by: diocyde | October 27, 2009 10:29 AM | Report abuse

I believe Brian pointed out a vexing hole in securing online transactions: the end users' environment. E.g. for banking institutions, how to ensure their customers' PCs or other endpoints are secure from real-time keyloggers and those that paint (digitally) a picture different than reality? And whereas a bootable ROM disk may help, it certainly isn't scalable nor is it convenient. Rooting out and prosecuting the bad behavior is certainly a good long-term approach.

In the meantime, real-time protection of data "in use" becomes paramount, and it must be delivered on demand via software (protecting both the data as it's being entered on the keyboard as well as the veracity of the data you see on your screen).

Tim Brown

Posted by: tim39 | October 27, 2009 1:24 PM | Report abuse

I think this point proves a security researcher is correct: "... the victim banked at a very small institution, the kind where employees apparently still know their customers by name and by sight." Bruce Schneier has ALWAYS had as part of his security process human beings that are well trained to notice something isn't right. I must hasten to add I have no personal association with Bruce or his organization. But notice how much was lost in these cases - $0. Pick your financial institutions carefully; make them small, and get to know the people personally. Make that secure machine that is used running Linux or Unix if possible. Sometimes it isn't possible because IE is the only browser that will work. But if you have to use IE, make it IE version 8. I would still screw it down tight per Microsoft's instructions. But this is why my blocking hosts file right now has shifted to targeting all of the embedded spam URLs in my spam email right now. I am getting tired of removing hosts whose only crime are they are hosted on web servers that are open for web site to web site attacks through people's unsecured browsers. But I think the people involved here are receiving targeted spam email, not general broadcasted spam (what I usually get).

Posted by: hhhobbit | October 27, 2009 4:12 PM | Report abuse

Cybercriminals do not generally target specific organizations with attacks. Instead they create programs that look for vulnerabilities and then take advantage of them so they expend the least amount of energy for the greatest amount of return. Unfortunately the organizations that are most likely to have vulnerabilities are SMBs because they do not have the resources to properly secure their network. With more than 99% of all businesses in the US being classified as SMBs it is critical that these organizations are able to secure their networks. If they remain as vulnerable as they are today we will see the economy suffer as these businesses continue to be compromised, hurting them financially.

Posted by: drogers1 | October 28, 2009 11:24 AM | Report abuse

The criminal organizations behind these attacks are based world wide. Anyone with a resume on or other places will get emails for the bogus money transfer business. I have been getting these since 2005. Craigslist online want ads generate bogus money transfer jobs emails even if you are advertising something for sale.

The fault here lies on the financial industry for not having checks and balances in place and allowing consumer level transfers so easily.

This transfer and mule issue has been around but not recognized since most law enforcement only locally arrests the mule and fails to report it to higher cyber security authorities.

Posted by: econobiker | October 30, 2009 3:48 PM | Report abuse

"Several bank fraud experts interviewed for this story said they were aware of very few reports of this type of cyber crime before the latter half of 2008."

Which means they are not very aware of the scams which have been going on much longer than that...

Posted by: econobiker | October 30, 2009 3:52 PM | Report abuse


© 2010 The Washington Post Company