DC businessman loses thousands after clicking on wrong e-mail

Pay-per-click revenue in the online advertising business may be diminishing for traditional media publishers, but thieves increasingly are earning five- to seven-digit returns when victims click on a booby-trapped link or attachment sent via e-mail.

The latest victim to learn this was Nigel Parkinson, president of D.C.-based Parkinson Construction, a firm with an estimated $20 million in annual revenue that has worked on some of Washington's top gathering places, including the new D.C. Convention Center and the Nationals baseball stadium.


Parkinson said he had an expensive crash course in computer security when, on Nov. 24, he clicked a link in an e-mail purporting to be from the Social Security Administration warning him about potential errors on his Social Security statement. Parkinson fell for the ruse and ended up downloading a copy of the Zeus Trojan, a prolific family of malicious software that criminal gangs have used to great effect to steal tens of millions of dollars from victimized businesses so far this year.

Zeus is primarily a password-stealing Trojan, and in short order the thieves had stolen the credentials Parkinson uses to administer his construction firm's bank account online. From there, the hackers sent $92,000 of Parkinson's cash to nine different money mules, accomplices hired through work-at-home job schemes who are instructed to withdraw the money and wire it overseas (typically minus an eight percent commission).


Parkinson said his bank was able to block some of the transactions after being alerted by an anonymous tipster (perhaps a mule who suddenly realized what he or she was into?). All told, Parkinson said, the hackers made off with about $18,000, because just two of the mules succeeded in their assigned tasks.

"There were two transactions they couldn't stop," Parkinson told Security Fix, of his bank's efforts. "I guess they had already pulled the money out."

One of those two was Alex Moreira, an unemployed 27-year-old from Cincinnati. Moreira said he was recruited into the scam over the Internet, via a work-at-home solicitation that said he was perfect for the job as a financial manager at a Web site called That site, which bills itself as a company set up in New York in 1990, did not return e-mails seeking comment.

Moreira acknowledged that he sent the $9,400 payment forwarded to him, and that he kept the $750 commission. Moreira said he was desperate for work and wishes now that he had thought more critically about the job he was given.

"Honestly, I needed a job, and I was stupid enough to give them all of my bank account and personal information," Moreira said.

Interestingly, two of the payments transferred through mules were in excess of the usual sub-$10,000 amount. According to the FBI, thieves like to keep the fraudulent transfers below $10,000 to avoid banks' anti-money-laundering reporting requirements. But according to Parkinson and his bank, one of the mules was sent more than $17,000 and another was sent nearly $14,000. Both accomplices have distinctly Eastern European names. Neither man responded to requests for comment.

Why is this notable? According to an alert recently issued by the Federal Deposit Insurance Corporation, one increasingly common component of these money mule scams involves foreign exchange students who are here in the United States under a J-1 Visa program.

From my discussions with various law enforcement sources about these J-1 transactions, it's still not clear why the fraudsters feel more willing to exceed the anti-money laundering reporting thresholds when sending stolen funds to J-1 mules. One law enforcement source familiar with these scams told Security Fix: "Most have student banking accounts and they get the [transfers] right before they leave the country... Mostly it seems they are offered the money as something extra they get before they leave the country."

By Brian Krebs  |  December 1, 2009; 8:40 PM ET


It's 9-11 all over again.

CAN WE DO IT !!!!!!!!!!

YES WE CAN !!!!!!!!!!!!

YES WE WILL !!!!!!!!!

Posted by: | December 2, 2009 12:30 AM | Report abuse

Posted by:

you are a complete MORAN we all know W did it or was it sister Sarah? Dang I am getting to be wing nut too

Posted by: mikey30919 | December 2, 2009 1:10 AM | Report abuse

Okay have we learned yet?

Use a Separate Computer for Sensitive Transactions!

Don't use Windows on systems used for Sensitive Transactions!

Install Linux on one of your old clunkers and use it for your banking. Who cares if it is too slow to run Flash or play video games?

Old crummy used computers, perfectly suited to the task, can be gotten for $100 or so at any computer repair shop. Get a cheap KVM switch too.

Posted by: frantaylor | December 2, 2009 1:15 AM | Report abuse

Thank you Microsoft for making computer crime so easy.

Posted by: hairguy01 | December 2, 2009 5:52 AM | Report abuse

"Mostly it seems they are offered the money as something extra they get before they leave the country."

Don't present them as victims. It sounds like they know damn well what they're doing, and figured on stealing something big from the people who graciously hosted them for several years so they could get an education not available in their squalid, backwards country.

Posted by: Knee_Cheese_Zarathustra | December 2, 2009 6:19 AM | Report abuse

the ones they caught should be indicted, tried and sent to jail...

Posted by: DwightCollins | December 2, 2009 6:36 AM | Report abuse

Another great piece by Krebs. I am always cautious of online scams generally, but I was not aware of this one.

Posted by: Bitter_Bill | December 2, 2009 6:49 AM | Report abuse

Article indicates that this is a known virus, but there's no mention of whether or not he was running antivirus software.

Posted by: johnson02118 | December 2, 2009 9:11 AM | Report abuse

The most interesting part of the article was the revelation of J-1 visa abuse, whereby apparently foreign students fraudulently cash out as they exit as a big middle finger to the very country they tried to study in. That is deserving of its own article.

Posted by: zippyspeed | December 2, 2009 9:35 AM | Report abuse

@Knee_Cheese_Zarathustra, @zippyspeed:

Don't forget the possibility the ``J1 mules'' are being extorted by the bad guys in their homeland, who might threaten to do them harm upon their return; to harm their families, should they not return with the cash; etc.

Not that that makes it right

Posted by: buckh | December 2, 2009 10:23 AM | Report abuse

I've gotten my share of so-called fraudulent emails (do the throw-away accounts qualify?) as well as job offers that were mentioned in the article but I always know the golden rule, ALWAYS delete them because the thieves are taking advantage of the desperate to score some big bucks. What you have in this article is two or three victims here: the mules (only one spoke) and the victim. The sad part is they will have to change accounts all over again to ensure that it does not happen. Lastly, the Social Security Administration DOES NOT send anyone email about the errors in their statement. It is up to you to go to the SSA to fix the error if you think it is wrong.

Posted by: beeker25 | December 2, 2009 10:30 AM | Report abuse

@johnson02118: typically very few of the existing antivirus programs ever detected the various versions of this infection. Typically was averaging around 4 out of 40, meaning only four of the forty most common antivirus suites would ever positively identify this infection as the Zeus bot. This is repeatedly documented on Gary Warner's blog.

Somebody has to very publicly arrest these scumbags. Also: banks need to take emergency action. This is becoming the most-reported item on this blog and there has not been any kind of large-scale action on behalf of banks to step in and prevent this activity from happening.

SiL / IKS / concerned citizen

Posted by: killspammerz | December 2, 2009 11:24 AM | Report abuse

Online banking is for fools. Stick with the old John Hancock and you won't regret it. And I'm no neanderthal -- I'm just smart enough not to open a portal to my bank account through the Internet...

Posted by: jerkhoff | December 2, 2009 11:33 AM | Report abuse

@johnson -- ikillspammers is correct. Based on a huge number of past attacks, AV detections on new Zeus variants are pretty abysmal.

Posted by: BTKrebs | December 2, 2009 11:47 AM | Report abuse

He should have known better! Apparently, people aren’t getting the message.

Maybe the Post should make these types of stories front-page news more often.

Posted by: ummhuh1 | December 2, 2009 12:16 PM | Report abuse

I guess people CAN post anything online.

No thinkin' required!

Posted by: ummhuh1 | December 2, 2009 12:16 PM | Report abuse

Blah Blah Blah, bash Microsoft all you want, but the truth of the matter is that too many people are too ignorant or too lazy to follow simple computer security practices. One easy one that people for some reason find too inconvenient to do is create multiple accounts. One with Administrator privileges, one for general use. I bet this guy will take the time from now on.

Posted by: akmzrazor | December 2, 2009 12:28 PM | Report abuse

This has nothing to do with Windows vs Linux vs Mac... any one of these can get a bogus email. I get them all the time.

The way you should deal with these is to IGNORE them. If you have a questionable email just take the damn time to call and find out if it's legit. Time.

Posted by: kkrimmer | December 2, 2009 1:02 PM | Report abuse

The simplest thing one can do is use multiple accounts. It still confounds me how many people are unwilling to do this out of minor inconvenience. Create an account with administrator privileges and then create one with standard user privileges. This feature has been available on Windows for 4 versions now. Standard users don't have the ability to install programs. This will stop 98% of malicious software in its tracks. It amazes me how many people still don't do it, members of my family included. I finally had to put my foot down and refuse to help them unless they followed some basic security practices. This is one of them. If this guy had done it he wouldn't be missing his $18K right now.

Posted by: akmzrazor | December 2, 2009 1:14 PM | Report abuse

Some people are just too cheap to pay for good anti-malware software when they use Windows.

I use a Mac with VMWare and XP for those pesky IE only websites that some of the companies I must work with require... other than that, nothing, especially email, is done with Windows, too risky.

Posted by: kkrimmer | December 2, 2009 1:28 PM | Report abuse

Spam called Moron. You j*ck*sses need to look for honest work, and stop the spamming--we don't want your crap. If we want to buy something, we don't need your stupid spam. If these colossal BOZOS are not sociopathically sticking their hands in your electronic pocket, they are out scanning ports. Go to h*ll, you sorry b*st*rds.

Posted by: IIntgrty | December 2, 2009 2:27 PM | Report abuse

I have a problem with the J-1 visa. Why on earth do we have foreign students when there isn't enough space in our colleges and universities for American students? LIKEWISE, why do we have guest worker visas, like the H1-B, when there are 4.5 MILLION U.S. citizens fully capable of filling all of the computer programming, engineering, mathematics, and science openings that exist (actually, they could ship home every H1-B visa holder tomorrow and there would be two U.S. citizens, usually better qualified, for every single job). "Immigration reform" shouldn't be about granting amnesty for illegals, it should be about closing down access to our jobs and schools by foreign nationals if they take places in school or jobs from Americans.

Posted by: mibrooks27 | December 2, 2009 2:52 PM | Report abuse

So he wouldn't spend $100 on McAfee to protect him from these mistakes, and now look.

THAT is the cautionary tale here: Do not connect to the internet without strong antivirus including automatic updates.

There is no other way.

Posted by: wjbennettjr | December 2, 2009 3:29 PM | Report abuse

Bomb those eastern european types.... hee hee hee! Sounds like he didn't know to install a 3rd party security and anti-virus software suite. Too bad, that's a tough way to learn. And never open an executable file in any email.

Posted by: dlkimura | December 2, 2009 6:24 PM | Report abuse

@wjb - read the earlier comments. You should not expect anti-virus to save you from clicking on one of these Zeus e-mail attacks. The track record across the industry in detecting new Zeus variants is pretty horrible in the first 24 hours after the messages are spammed out. In the most recent attack, as chronicled by Gary Warner at UAB, there were only about 5 out of 40 AV software brands that detected the sample as malicious.

Posted by: BTKrebs | December 2, 2009 8:22 PM | Report abuse

The domains used in the SSA exploit to which Parkinson Construction fell victim were registered with the same registrar that currently has over 33 domains registered and being used for Chase Bank and IRS scams. This registrar does only minimal if any checking on the validity of the registrant. If the registration policies for domains were made more strict Nigel Parkinson would have received a 'Host Not Found' error message rather than a trojan.
Even without the more strict policies, if the registrar responded in a more timely manner to complaints of domain fraud Mr. Parkinson probably would have been spared this ordeal. Currently this registrar responds only in the morning on workdays, and not at all on weekends. I find the registrars equally complicit in this criminal activity.

Posted by: TheGeezer | December 2, 2009 8:33 PM | Report abuse

The personal computer has become a necessary but dangerous appliance for most people and certainly for business.
No one is required to know electronics to be guaranteed safety from electrical shock from their dvd player.
You should not have to be a computer guru to avoid 'software shock' from your computer either.
If the malevolent domain can't be registered, the trojan can't be delivered. The registrars need to have their focus redirected from bragging about how many domains they've registered to how few malevolent domains they've registered. They are the ones who should be the computer gurus, not victims like Mr. Parkinson.
It doesn't take much of a computer guru to know that the IRS and SSA are not located in Chile or Argentina. Let the Registrar be responsible for the research. That would prevent the majority of these incidents.

Posted by: TheGeezer | December 2, 2009 9:30 PM | Report abuse

"squalid, backwards country"? It's because of inbred rednecks like yourself that most grey matter in the US is being grown today in other countries. Enjoy the benefits your forebears have bestowed upon you, but be honest enough to admit that you got it from raping those countries and doing all you could to keep them backwards, ineffectually though. Try to widen your horizons, learn something, instead of just being a beer guzzling navel gazing couch potato.

Posted by: jorge_mt | December 3, 2009 1:22 PM | Report abuse

What do you mean by an "account?" Can you please explain this to a lay person? I have no idea what you're talking about but would like to do this. I run Vista Business 6.0.

Posted by: quacker | December 4, 2009 8:46 AM | Report abuse

Those of you who admonished users to install and administer their own antivirus software have no pity for those less tech-savvy than yourselves. In reality Microsoft should be protecting its customers instead of sloughing the responsibility off on third-party software providers and us. Don't just blindly accept the world as Microsoft would like it to be, work for change!

Posted by: enhompe | December 4, 2009 12:24 PM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company