
Hackers attempt to take $1.3 million from D.C. firm

It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies.

On Nov. 12, I was contacted by a woman in Washington, D.C. who runs a large property management firm. The woman said her company had just been the victim of online banking fraud, but that her board of directors would not let her discuss the incident on the record. Per her request, I am omitting her name and the name of her firm.

The woman said hackers had tried to transfer more than $1.3 million out of her firm's account, but that all three transactions had been stopped. Still, her story is worth telling because it was not a victimless crime, and it shows how attackers are adding yet another layer of complexity to their scams, all in a bid to buy them more time to make off with the loot. In addition, it illustrates how even a security compromise that has been cleaned up can come back to haunt you, and it demonstrates how one weak link in the chain of trust in commercial online banking can be used to attack other organizations.

Most of the fraud against small businesses that I have been chronicling succeeded because the fraudsters were able to steal the victim's online banking credentials and initiate a series of bogus payroll payments directly to so-called money mules, accomplices hired through work-at-home job schemes who are instructed to withdraw the money and wire it overseas (typically minus an eight percent commission).

But according to this woman's bank, the attackers set the unauthorized transfers in motion by using another company's compromised account to initiate a "pull" or withdrawal from her company's bank account. The crooks instructed nearly $1 million to be transferred from the D.C. firm to a company in West Virginia, and about $100,000 was sent to a company in Manteno, Ill. called Bill Anderson Painting.

I caught up with owner Bill Anderson, who acknowledged that his account was the intended recipient of the transfer from the woman's company even though he had never done work for it before. In addition, he said his company was the beneficiary of a large batch of transfers from two other companies that he did not request.

Anderson told Security Fix that his bank suspects that the attackers had used his company's online banking account credentials to initiate the pulls. Once the money was in his account, the criminals then sent some of it in sub-$10,000 chunks to numerous money mules. Anderson said the thieves succeeded in moving about $115,000 out of his account, which is now frozen by his bank pending the outcome of an investigation.

"Now I can't get into it at all, and the balance says negative $115,000," Anderson said. "My bank froze it and closed it. I don't even have access to my own funds anymore."

The system by which organizations move money from one bank account to another is known as the automated clearing house or "ACH" network, and this case is a stellar example of just how automated the ACH network can be, said Rayleen Pirnie, senior manager for fraud and risk mitigation at EPCOR, a not-for-profit association that offers payment risk management education and training to financial institutions.

Pirnie said the ACH system is most typically used for credits - such as when a company wants to directly deposit an employee's paycheck. But it can also be used for debits or pulls, which can be initiated by any entity with access to the ACH network, provided that entity knows the target's account and routing numbers.

"Unfortunately, there is no policing of that activity because it's an electronic environment," Pirnie said. "So instead of pushing money, which is what most of the criminal groups do through the payroll portion of ACH, they're utilizing another option in the service to credit their account and debit someone else's."

Pirnie said it is likely that the thieves knew the account and routing numbers of the Washington, D.C.-based property management firm, but did not have the user name and password that would allow them to push money out of the firm's online bank account directly to the money mules. Rather, she said, they probably used their access to the ACH system to pull the funds to an account they did control.

When asked about this possibility, the woman from the D.C. firm told Security Fix that indeed her company's bank account information had been compromised a few months before this incident: At the time, her firm's bank called to say they'd detected someone logging into the account from an unusual location online. In response, the company was given a new online banking user name and password, and it tossed out the compromised PC. The company's bank account and routing numbers, however, remained the same.

Pirnie said this type of ACH fraud involving unauthorized pulls is becoming more common, citing a recent case she helped investigate involving a $1.7 million loss at a large company in New Jersey. In that case, the thieves initiated a pull from a small veterinary clinic in Ohio whose online banking credentials they had compromised using a password-stealing Trojan horse program.

"In that case, it looks like the criminals only knew how to operate or only had access to one ACH cash management system but not the other," Pirnie said.

Pirnie said organizations can protect themselves from fraudulent pulls by asking their bank to disallow pulls altogether. Still, she said, companies can best protect themselves against ACH fraud by reconciling their accounts daily and by quickly alerting their bank to any fraudulent activity.
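The two controls Pirnie names (having the bank disallow pulls, and reconciling the account daily) are easy to model. The following is an added example, not code from the post or from any bank or payment network: it simulates how a receiving bank would apply an ACH debit block or a debit filter (an allowlist of originators with a per-entry cap, the whitelist several commenters call for) to a constructed day of entries, and how the business's own daily reconciliation catches an unauthorized pull that a bank with no controls lets through. All originator IDs, amounts and descriptions are made up.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class AchEntry:
    """One ACH entry as it arrives at the receiving bank (RDFI)."""
    entry_id: str
    originator_id: str   # ID of the ODFI customer that initiated the entry (constructed)
    kind: str            # "credit" = push (deposit to us); "debit" = pull (withdrawal from us)
    amount: Decimal
    description: str


@dataclass
class DebitFilter:
    """Bank-side control on incoming ACH debits.

    block_all_debits models an ACH debit block (no pulls post at all);
    allowed_originators models a debit filter: originator ID -> per-entry cap.
    """
    block_all_debits: bool = False
    allowed_originators: dict = field(default_factory=dict)

    def decide(self, entry: AchEntry) -> str:
        if entry.kind != "debit":
            return "accept"  # credits (deposits) are not subject to the filter
        if self.block_all_debits:
            return "reject: account has an ACH debit block"
        cap = self.allowed_originators.get(entry.originator_id)
        if cap is None:
            return "reject: originator not on the debit filter list"
        if entry.amount > cap:
            return f"reject: amount exceeds the {cap} cap for this originator"
        return "accept"


def settle(entries, flt: Optional[DebitFilter] = None):
    """Apply the filter and post whatever it accepts.

    flt=None models a bank that applies no debit controls, so every entry posts.
    Returns (decision per entry_id, list of posted entries).
    """
    decisions = {e.entry_id: (flt.decide(e) if flt is not None else "accept")
                 for e in entries}
    posted = [e for e in entries if decisions[e.entry_id] == "accept"]
    return decisions, posted


def reconcile(posted, expected_debits):
    """Daily reconciliation: each posted debit must match one expected
    (originator_id, amount) pair that the business itself authorized.
    Unmatched debits are returned so the bank can be alerted promptly."""
    remaining = list(expected_debits)
    unexplained = []
    for e in posted:
        if e.kind != "debit":
            continue
        key = (e.originator_id, e.amount)
        if key in remaining:
            remaining.remove(key)
        else:
            unexplained.append(e)
    return unexplained


# Constructed sample day: a legitimate utility pull, a rent deposit, and two
# unauthorized pulls initiated with another company's compromised credentials.
SAMPLE_ENTRIES = [
    AchEntry("e1", "UTILITY-0001", "debit", Decimal("2450.00"), "gas bill"),
    AchEntry("e2", "TENANT-0042", "credit", Decimal("18200.00"), "rent"),
    AchEntry("e3", "COMPROMISED-77", "debit", Decimal("999000.00"), "vendor payment"),
    AchEntry("e4", "UTILITY-0001", "debit", Decimal("100000.00"), "gas bill"),
]
# What the business's own ledger says it authorized today (constructed).
EXPECTED_DEBITS = [("UTILITY-0001", Decimal("2450.00"))]

# Two policies a business can ask its bank to apply (constructed values).
DEFAULT_FILTER = DebitFilter(allowed_originators={"UTILITY-0001": Decimal("5000.00")})
DEBIT_BLOCK = DebitFilter(block_all_debits=True)


if __name__ == "__main__":
    scenarios = (("no controls", None), ("debit filter", DEFAULT_FILTER), ("debit block", DEBIT_BLOCK))
    for label, flt in scenarios:
        decisions, posted = settle(SAMPLE_ENTRIES, flt)
        flagged = [e.entry_id for e in reconcile(posted, EXPECTED_DEBITS)]
        print(f"{label:12s} decisions={decisions} flagged_by_reconciliation={flagged}")
```

With no controls, both bogus pulls post and only the next day's reconciliation flags them, which is the situation the D.C. firm was in; the debit filter rejects the unknown originator and the over-cap entry while the legitimate utility pull still posts; the full debit block is the strongest setting but also rejects the legitimate pull, so a business choosing it has to pay such bills by push instead.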

By Brian Krebs  |  November 30, 2009; 1:40 PM ET
Categories:  Small Business Victims , Web Fraud 2.0  | Tags: ach fraud  


There needs to be a whitelist for ACH transfers as a matter of course at all banks. Very very few people or companies do these sorts of transactions randomly. We do them to pay a gasoline bill sometimes. It would be no problem to give our credit union a list of approved recipients for ACH transfers.

In some cases it might work a hardship, but I will take security over convenience in the cyberslum the internet is becoming.

Posted by: eteonline | November 30, 2009 2:08 PM | Report abuse

The problem is that anytime you give anyone a check, you are giving them a piece of paper with the account and routing number.

The only solution I see is that you either need to disallow pulls, or each account needs a whitelist of accounts from which pulls can be initiated. Yeah, it would be a pain, I suppose, but the alternative is worse.

Posted by: jackrussell252521 | November 30, 2009 3:13 PM | Report abuse

What I find shocking is that the puller's bank allowed this transaction.

In Europe, most payments are the equivalent of ACH push transfers (nobody uses checks); pull transfers exist but you need a contract with your bank which limits the amounts (they are typically used for things like newspaper subscriptions).

Since the pull transfers are closely monitored, there's no reason to worry about them - companies routinely put their bank account number on their stationery.

Posted by: nl01 | November 30, 2009 3:56 PM | Report abuse

Aside from other good practices suggested by readers, as long as people/institutions insist on using usernames and passwords instead of other available technologies which are logical and device centric coupled with private and highly secure (greater than 128/256 SSL encryption) VPNs, problems like this will continue to abound.

Posted by: bnachman | December 1, 2009 11:07 AM | Report abuse

These types of attacks seem to be increasing. I would be glad to suffer the inconvenience of a white-list if it buys me peace of mind.

Are there any consumer groups that I can join to help bring pressure on the banks to tighten up the ACH processes?

Posted by: fchaffin | December 1, 2009 11:20 AM | Report abuse

Sorry, but I think this article is unclear. Bill Anderson Painting said that he did NOT do any work for the D.C. firm. So how did an attacker "pull" money into his account? And to echo another comment here, this article implies that anyone that has a check of mine (with account and routing number) can complete a "pull" from my account. I'm just having trouble believing that.

Posted by: tchap | December 1, 2009 1:44 PM | Report abuse

They are targeting the property management, real estate, title companies because it's easy to predict when there's likely to be a big balance in those accounts. And that's right at the beginning of the month, when rental payments peak and closed escrows from the prior month are still there.

These companies should always have separate disbursement and working capital accounts at their bank. The account used to refund rental deposits will have its routing/account numbers exposed to the public, thanks to all of the checks written on it. Therefore, you don't keep all of your funds in that account.

A lot of small businesses keep everything in one business checking account. It's easy to track but all of your eggs are now in one basket. You should really have multiple accounts for different purposes. And minimize the balance of the accounts where many people know the routing and account numbers.

Posted by: taskforceken | December 1, 2009 4:06 PM | Report abuse

@tchap: The problem is that if you have access to the ACH system through valid credentials of a company, you can -- if you have the routing and account number of another organization -- initiate a pull on that other organization's account, unless they have some kind of filters in place with their bank or have disabled pulls altogether.

What the thieves are doing is using their access to the ACH system (through compromised online banking accounts) to pull funds from those accounts for which they have account numbers and routing numbers. They are in essence exposing a large hole in the ACH system that is not a very well kept secret.

Posted by: BTKrebs | December 1, 2009 5:15 PM | Report abuse

How is this ACH system different than when you have auto-debit between your bank account and the phone company or your mortgage holder?

I thought that a special connection was needed to transfer money, like a paycheck, into an account or as we now know, debit an account.

Posted by: Beacon2 | December 1, 2009 5:35 PM | Report abuse

@Beacon -- In practice, not too different. But bear in mind there are important differences in the bank to bank transfers as they relate to consumers vs. ACH transfers between businesses. The primary difference is that consumers generally aren't liable for fraud that occurs with their online banking credentials. Businesses, however, assume basically all of the risk from banking online. There are some simple and free security precautions that businesses can take to insulate themselves from this type of fraud, but they have to know to take them.

Posted by: BTKrebs | December 1, 2009 6:06 PM | Report abuse

@tchap - It's not hard to believe at all. Now your check is almost never processed by hand, but is scanned in and an ACH transfer is done, even at Walmart. There are "traps" put in place to detect fraud, but hackers know this, and that is why, as @taskforceken indicated, title companies are targeted, because large transfers are not atypical.

Posted by: srchasjc | December 1, 2009 10:36 PM | Report abuse

In the ACH world, the ODFI "initiates" the ACH item into the ACH network. The ODFI would either "initiate" an ACH Credit (which at the receiving end would be a deposit into the receiver's account at the RDFI; example: payroll deposit) or an ACH Debit (where the receiver would have a deduction from their account at the RDFI; example: "bill pay"). In order for the fraudster to "initiate" an ACH they need to be able to utilize credentials of the consumer or business originator for the ODFI (or third party sender) to "initiate" the ACH into the network. The story of the ACH fraud needs to address how the fraudsters were able to get in. Based on the story, it sounds like the fraudster had captured the user name and password of the originator (business account). Was dual control being used when the ACH Credit or ACH Debit was entered into the ACH network? Was there static IP address matching? Was a token used? Was there a call back to the business confirming the ACH request prior to entering the ACH Credit or ACH Debit into the ACH network by the ODFI? The key to help prevent this type of ACH fraud is the front-end multifactor authentication layers to prevent the fraudster from having the credentials to "initiate" the ACH activity online. In addition, multi-layers of authentication should also apply if the fraudster calls in, emails, or faxes a request to "initiate" an ACH entry. Remember, the ACH activity always starts at the ODFI (Originating Depository Financial Institution) so this is where we need to have the firewalls in place. The key is the ACH activity always starts at the ODFI from a request from their Originator (business or consumer) customer.

Posted by: risk1 | December 2, 2009 11:36 AM | Report abuse

@tchap: that's exactly right, with a check of yours, someone can initiate a transfer out of your account. This is why people who say "I avoid online banking because it is insecure" don't know what they are talking about--checks are far, far, far less secure, but for some reason people are less scared of them because they are a physical piece of paper. ACH fraud is a huge problem, probably bigger than online banking compromises. Why do online banking issues get more press? 1) computers are scary. 2) it's easier for third party investigators to get insight into what's going on, whereas ACH fraud which doesn't involve malware clients and trackable internet activity is kept quiet.

Posted by: SecurityLuddite | December 3, 2009 11:00 AM | Report abuse

In order for the entity that is sending the transaction via the ACH to do so they must be going through a financial institution referred to as the ODFI. ODFIs are required to know who they are originating for and they are also required to register any entity that is sending ACH transactions directly to the ACH operator using their routing numbers. It seems to me that someone was asleep at the wheel at the ODFI. In addition, commercial customers can put ACH blocks on their accounts to stop any ACH debits from hitting the account. If your bank doesn't offer this, look for one that does.

Posted by: emilybutler1 | December 4, 2009 4:44 PM | Report abuse

@nl01 -- What's even more shocking is that the "puller's" bank in this case actually was the one who alerted the DC firm to the fraud. The major American bank that served the DC company let *all* of the transactions go through. It was only after the painting company's bank complained that the fraud was discovered.

Posted by: BTKrebs | December 5, 2009 1:52 AM | Report abuse



© 2010 The Washington Post Company