
Case study joined


KnowBe4, LLC | 601 Cleveland Street, Suite 930, Clearwater, FL 33755 | Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | Email: [email protected]
© 2011 KnowBe4, LLC. All rights reserved. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

SITUATION
Cyber criminals have moved beyond simple identity theft. They are now targeting small and medium businesses and local banks with specialized banking malware for cyber heists, mainly using the Zeus botnet. These small and medium organizations are good targets for organized cybercrime because they often lack the sophistication and knowledge of the Fortune 1000 to prevent cyber attacks.

CASE IN POINT – SANFORD DECEMBER 3, 2009
Patco Construction filed suit in York County Superior Court Sept. 18, seeking the return of $345,000 not recovered from $588,851 in funds hackers were able to transfer to bank accounts out of the country from Patco’s Ocean Bank. The illegal transfers began on May 7, when thieves hijacked the company's online banking credentials, moving $56,594 to several individuals who had no prior business relationship with Patco. The transfers continued, and Patco officials only learned the fraud was occurring because some of the funds were transferred to invalid bank accounts. The company filed suit, alleging the bank was negligent in allowing cybercriminals to break through the security system.

DIGITAL CRIME OUTPACES REAL-WORLD ROBBERIES
Digital crime now outpaces real-world bank robberies in terms of losses. In 2009, there were 8,818 bank robberies netting criminals an average of $4,029 -- a total of about $35.5 million, according to the FBI's Uniform Crime Reporting (UCR) program. However, 60 percent of bank robbers were caught, often very quickly.

Compare that to fraud statistics of Automatic Clearing Houses (credit card processors). The recent arrests connected with Zeus accounted for some 390 reported cases where $70 million was stolen from accounts. The criminals had attempted to steal some $220 million. The investigation mainly netted the lowest ranks of the criminal network -- the so-called money mules that remove stolen funds from their accounts and transfer the money to international accounts abroad. In general, the money mules are people who are duped into believing they are working for a legitimate company processing payments.

ANALYSIS
The Internet is the crime scene of the 21st century. Cyber theft is one of the biggest challenges facing our society today. We can no longer remain ignorant and hope it will go away. Banks and customers alike must educate themselves and give employees Internet Security Awareness Training, including procedures and necessary security measures. Companies must monitor their accounts on a regular basis and query questionable transactions immediately. Simultaneously, banks must use the highest level of security to protect their customers. The financial relationship is at stake – trust is of utmost importance. Today that trust must be earned on both sides.

Cyber Criminals Now Target Small And Medium Enterprises

“Lacking sophistication and appropriate security, SMEs make great targets for cyber gangs. Cyber crime has moved beyond simple identity theft and is now specializing in cyber heists: emptying the bank accounts of small and medium enterprises.”

Case in Point: Patco Construction in Sanford, Maine filed suit against its own bank seeking the return of $345,000 that was stolen by cyber criminals.


SITUATION
In illegal commerce vernacular, a mule is someone who carries contraband from one location to another. Recent history is full of stories of people carrying drugs across borders secreted on their person. Today’s mules are money mules and are often innocent dupes who move money from bank to bank.

CASE IN POINT – THE MONEY MULES
When hackers steal from banks and other business structures they are left with a major problem – what to do with the money? Stealing hundreds of thousands of dollars at a time requires a strategy so that when the funds are distributed these criminal deposits don’t raise any red flags. This means that deposits cannot be in more than $5,000 increments or they are reported to the government. Therefore the stolen funds have to be laundered at lower levels. Hackers bust into the accounts using Trojans, keyloggers and other malicious software, but then what do they do?

Taking a page from their drug-dealing friends, they invented the money mule. Instead of smuggling drugs, these mules are recruited to open sham bank accounts to receive the money stolen from victim accounts. They then withdraw the funds from the shell accounts and transfer the money to overseas bank accounts operated by the gang leaders. This is all done in increments small enough to elude detection by banks and law enforcement officials. The mules retain somewhere between eight and ten percent as their cut of the illegal proceeds. There are hundreds if not thousands of mules operating in the United States currently.

With the rise in unemployment and current economic conditions, recruitment of mules is not a problem. Online job sites such as Careerbuilder have been used to find people. The gangs run ads and hire recruiters to find new mules. The mules end up having to do the dirty work like their drug-carrying brethren. They have to do the actual “dangerous” business of going into banks, setting up new accounts and withdrawing the money for transfer. In the meantime their “Money Lords” (like “Drug Lords”) remain hidden in the background, safe from scrutiny.


ANALYSIS
It is more than interesting to note that these thefts are first initiated through a phishing attack that enables the malware to enter the computer network. This phishing starts with a susceptible employee who, through his or her own ignorance, clicked where they should not have clicked. Giving Internet Security Awareness Training to employees and executives (really anyone who even remotely touches a computer) could prevent such massive thefts from happening, and is an essential part of ‘defense-in-depth’.

These Mules Move Money

“Digital crime now outpaces real-world bank robberies in terms of losses. In 2009, there were 8,818 bank robberies netting criminals an average of $4,029 -- a total of about $35.5 million, according to the FBI's Uniform Crime Reporting (UCR) program. However, 60 percent of bank robbers were caught, often very quickly.”


SITUATION
Organized cybercrime has shifted its focus to small healthcare providers. After having stolen millions from corporations and schools, greedy eyes have moved on to other “easy pickings” – to non-profit organizations that service the uninsured and the disabled. Is it because their defenses are so poor or are they not educated enough about cyber-heists?

CASE IN POINT – PUGET SOUND SEPTEMBER 9, 2010
On the morning of September 9, 2010 the staff accountant at the Evergreen Children's Association woke up to find $30,000 missing from their bank account. No one at the organization had written a check or authorized a transfer for that amount or anything close to it. Evergreen was mystified as to how so much money had virtually disappeared overnight. Virtual was the key word, as cyber-thieves had been hard at work ripping off this Seattle-based non-profit organization to the tune of $30K. Evergreen provides childcare service on-site for public schools in the Puget Sound area.

According to Chief Executive Susan Brown, the thieves tried to steal more money – another batch of $30,000 when the bank blocked the transfer at her behest. Of course the bank blames Evergreen and Evergreen blames the bank. Evergreen is still fighting with the bank to have the money reimbursed. Who is really to blame? Read our analysis below.

DIGITAL CRIME OUTPACES REAL-WORLD ROBBERIES
Digital crime now outpaces real-world bank robberies in terms of losses. In 2009, there were 8,818 bank robberies netting criminals an average of $4,029 -- a total of about $35.5 million, according to the FBI's Uniform Crime Reporting (UCR) program. However, 60 percent of bank robbers were caught, often very quickly.

Compare that to fraud statistics of Automatic Clearing Houses (companies in charge of electronic funds transfers and credit card payment processing). The recent arrests connected with Zeus accounted for some 390 reported cases where $70 million was stolen from accounts. The criminals had attempted to steal some $220 million. The investigation mainly netted the lowest ranks of the criminal network -- the so-called money mules that remove stolen funds from their accounts and transfer the money to international accounts abroad. In general, the money mules are people who are duped into believing they are working for a legitimate company processing payments.

ANALYSIS
There is a distinctive pattern as to how these bank account invasions take place. First a targeted e-mail is typically sent to the company's accountant or controller. The communication appears to be innocuous, but it is far from that. The message contains either a virus-laden attachment or a link that -- when opened -- surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then hack the online banking accounts and initiate a series of wire transfers.

The real culprit is ignorance. This is not a matter of just technology; it is just as much a matter of education. Someone clicked when they should not have clicked. Someone did not have adequate security software installed or it was not up-to-date. Think before you click! Security is everyone’s job, and Internet Security Awareness Training has become urgent at this point.

Is Your Health-Care In Danger From Cyber-Gangs?

“According to Chief Executive Susan Brown, the thieves tried to steal more money – another batch of $30,000 when the bank blocked the transfer at her behest. Of course the bank blames Evergreen and Evergreen blames the bank. Evergreen is still fighting with the bank to have the money reimbursed.”


SITUATION
Organized cybercrime has shifted its focus to small healthcare providers. After having stolen millions from corporations and schools, their greedy eyes have moved on to local community-based health-care providers. Could poorly trained or untrained employees be at the root of these attacks being successful?

CASE IN POINT – NORTHEAST GEORGIA SEPTEMBER 2, 2010
MedLink is a fully staffed year-round primary care organization with a central administrative office and clinic sites throughout northeast Georgia. In early September, 2010 cyber-criminals attacked the accounts of this healthcare provider. Hackers got access to the login and password to MedLink’s online bank account and the cyber-heist was well over $40K. Using a team of “money mules”, the attackers sent $44,000 to their own banks, which was then rapidly wired to organized crime accounts in Eastern Europe. The mules got their commission and the gang lords got the bulk of the transfer.

Per Gary Franklin, MedLink Georgia's chief financial officer, the company's bank reversed some of the fraudulent transfers, but apparently transfers valued at $15,000 were not accounted for and may not be recovered.


ANALYSIS
There is a distinctive pattern as to how these bank account invasions take place. First a targeted e-mail is typically sent to the company's accountant or controller. The communication appears to be innocuous, but it is far from that. The message contains either a virus-laden attachment or a link that -- when opened -- surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then hack the online banking accounts and initiate a series of wire transfers.

The real culprit is ignorance. This is not a matter of just technology; it is just as much a matter of education. Someone clicked when they should not have clicked. Someone did not have adequate security software installed or it was not up-to-date. Think before you click! Security is everyone’s job, and Internet Security Awareness Training has become urgent at this point.

Is Your Health-Care In Danger From Cyber-Gangs?

“Using a team of “money mules”, the attackers sent $44,000 to their own banks which was then rapidly wired to organized crime accounts in Eastern Europe. The mules got their commission and the gang lords got the bulk of the transfer.”

Per Gary Franklin, MedLink Georgia's chief financial officer, the company's bank reversed some of the fraudulent transfers, but apparently transfers valued at $15,000 were not accounted for and may not be recovered.



SITUATION
Small businesses are notorious for lack of security procedures. Little or no IT staff, busy owners, inadequately trained staff and lax procedures open the door to cybercrimes. In fact the door is wide open. And to make matters worse, banks are refusing to be the fall-guy and accuse account holders of poor security practices. Small businesses thus become easy targets for cyber-attacks with few financial or technical resources to stop them. Oftentimes, the banks involved are small as well. Small-town banking just does not have the same security resources as the bigger banks. Moreover, companies simply do not have legal protection from identity fraud, unlike individual consumers, and are forced to absorb the losses caused by cyber theft.

But who is really to blame?

CASE IN POINT – MODESTO, CALIFORNIA FEBRUARY 8, 2010
When David Johnston woke up that morning, the last thing on his mind was cybercrime. But unfortunately, his company Sign Designs Inc., an electric-sign maker in Modesto, California, was on a hacker’s mind. And then there was the phone call from their bank, Bank of Stockton, inquiring about a $9,670 electronic payment to a Chase customer in Michigan. Sign Designs confirmed it hadn't set up the payment and the banks halted the transaction.

However, they were a little late on the chain. Close to $100,000 had been transferred out of their account and distributed to 17 money mules. The Bank of Stockton responded as rapidly as they could once they discovered the online deception. They managed to secure a little more than half of the absconded funds but $48,000 was already in the hands of the hackers.

Naturally, Bank of Stockton declares no responsibility since its security systems were never actually penetrated. The bad guys had planted malicious software on the computer of Sign Designs' controller and used it to steal his online-banking credentials. The bank also says Sign Designs failed to take advantage of security measures that might have averted losses, such as requiring two staff members to sign off on every payment.


ANALYSIS
Small business and regional banking attacks are on a major upswing. As indicated, both lack credible security procedures and open themselves up to attack. However, in this case it was proven once again that the financial attack was the result of an earlier malicious program attack. This program did not insert itself onto the controller’s computer. He had to have done something to initiate the attack. Ignorance, not maliciousness, was the culprit.

Sign Designs President David Johnston argues that Bank of Stockton should cover the losses because it didn't flag the highly unusual account activity nor did it bar two computers—the controller's and hacker's—from accessing the account with the same credentials at the same time. "I don't think they should offer a service that is not safe," Mr. Johnston says. "Do you expect I'm going to solve this? I'm going to take on these Russian thieves? Clearly I'm not going to be able to do it."

Actually, Mr. Johnston, with all due respect, you can take them on. Educate your staff. Don’t let them fall for fishing expeditions.

Cyber Birds Of Prey Hunt Small Business

“Small-town banking just does not have the same security resources as the bigger banks. Moreover, companies simply do not have legal protection from identity fraud, unlike individual consumers, and are forced to absorb the losses caused by cyber theft.”


SITUATION
Do banks have sufficient safeguards to prevent unauthorized electronic transfers? In particular, does your bank double-verify before sending your money to a criminal organization? It may sound harsh but this is the current state of affairs for small businesses in particular. Have you checked out your bank’s security procedures? Have you told them to not allow electronic transfers over a certain amount without checking with you personally? There are simple procedures to red flag an account for unauthorized transfer – make sure your bank is employing them. Not everyone has been so lucky.

CASE IN POINT – MASSAPEQUA, NEW YORK FEBRUARY 15, 2010
On Monday, February 15, 2010, Karen McCarthy's life was literally turned upside down, when her business bank account at TD Bank was electronically looted. The usual suspects (Eastern European criminals) removed $164,000 in what has become an epidemic of commercial bank account thefts. Utilizing the infamous ZeuS virus, criminals were able to ferret out her logon and password. The rest is history, except for one thing – did TD Bank employ the necessary security lockdown procedures as mandated by the FDIC?

Ms. McCarthy immediately notified the bank when she saw the transfers from her Little & King company account. She had never previously made an electronic transfer. TD Bank did not put a freeze on her account until the next day despite the call from McCarthy. Furthermore, the bank did not notify her of any unusual activity, something that would seem to be commonplace per online banking agreements. It is a simple matter to set up online alerts such as this, yet TD Bank seemingly failed to do so.

TD Bank has stated that they were not responsible, that the fraud was “not related to any breach on the part of TD Bank.”

Determined to get to the bottom of this fraudulent activity, McCarthy discovered some interesting things about TD Bank, including lack of certain security protocols.

1. TD Bank did not comply with the regulatory guidance they have been receiving from FFIEC and FDIC starting in 2005. Indeed, TD Bank’s CEO received an FDIC Special Alert (LINK) almost six months prior to the Little & King incident that exactly described the attack that cleaned out her account. The alert instructed the bank to institute appropriate security measures to prevent losses due to malicious software.

2. This FDIC Alert informed service providers where to look for guidance and gave them information on authentication and information about security for high risk transactions. These documents included:
• FFIEC Guidance Authentication in an Internet Banking Environment
• Authentication in an Internet Banking Environment Frequently Asked Questions
• FFIEC Information Security Examination Handbook
• FFIEC Retail Payment Systems Examination Handbook
• FDIC Guidance on Mitigating Risks from Spyware

3. Previous FFIEC guidance instructed TD Bank to institute “layers” of fraud controls such as checks on Internet addresses used and for unusual patterns of account activity.

4. TD Bank did nothing to secure their online banking facility, disregarding all the explicit warnings from federal agencies, plus industry analysts such as Avivah Litan and computer security specialists such as Bruce Schneier.

5. And this is in spite of the fact that many different proven, inexpensive, fast-to-implement, easy-to-integrate, and customer-friendly bank security solutions that defeat these attacks have been available in the commercial marketplace for over half a decade.
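The “layers” of fraud controls in item 3 above (checks on Internet addresses and unusual account activity), together with the simultaneous-login and two-person sign-off points raised in the Sign Designs case, can be expressed as a single pre-release check on each outgoing payment. This is an added example, not code from KnowBe4, the FFIEC or any bank; the class names, reason codes, the $5,000 call-back limit and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:
    """One online-banking login (hypothetical record layout)."""
    user: str
    ip: str
    start: datetime
    end: datetime


@dataclass
class Payment:
    """One outgoing electronic payment awaiting release."""
    payment_id: str
    user: str              # staff member who initiated the payment
    ip: str                # address the payment was submitted from
    when: datetime
    payee: str
    amount: float
    approvers: tuple = ()  # other staff who signed off


@dataclass
class AccountProfile:
    """What the bank already knows about a business customer."""
    known_ips: set
    known_payees: set
    callback_limit: float  # customer-set: phone me before sending more than this
    dual_approval: bool    # customer opted in to two-person sign-off
    prior_transfers: int   # electronic transfers made before today


def review_payment(p, profile, sessions):
    """Apply each control layer; return (decision, list of reason codes)."""
    reasons = []
    # Layer 1: Internet address never seen for this customer.
    if p.ip not in profile.known_ips:
        reasons.append("NEW_IP")
    # Layer 2: unusual account activity.
    if p.payee not in profile.known_payees:
        reasons.append("NEW_PAYEE")
    if profile.prior_transfers == 0:
        reasons.append("FIRST_TRANSFER")
    if p.amount > profile.callback_limit:
        reasons.append("OVER_LIMIT")
    # Layer 3: same credentials in use from two computers at the same time.
    active = [s for s in sessions
              if s.user == p.user and s.start <= p.when < s.end]
    if len({s.ip for s in active}) > 1:
        reasons.append("CONCURRENT_LOGIN")
    # Layer 4: two different staff members must sign off.
    if profile.dual_approval and len({p.user, *p.approvers}) < 2:
        reasons.append("MISSING_SECOND_APPROVER")
    decision = "HOLD_AND_CALL_CUSTOMER" if reasons else "RELEASE"
    return decision, reasons


# --- Constructed sample data (documentation IP ranges, invented names) ---
T0 = datetime(2010, 2, 8, 9, 0)
SESSIONS = [
    Session("controller", "203.0.113.10", T0, T0 + timedelta(hours=2)),
    Session("controller", "198.51.100.77",
            T0 + timedelta(minutes=30), T0 + timedelta(minutes=50)),
]
PROFILE = AccountProfile(
    known_ips={"203.0.113.10"},
    known_payees={"Payroll Service"},
    callback_limit=5000.0,
    dual_approval=True,
    prior_transfers=12,
)
SAMPLE_PAYMENTS = [
    # Routine payment: usual office address, known payee, second approver.
    Payment("p-001", "controller", "203.0.113.10",
            T0 + timedelta(minutes=10), "Payroll Service", 4200.00,
            approvers=("owner",)),
    # Payment submitted while a second session with the same login is open.
    Payment("p-002", "controller", "198.51.100.77",
            T0 + timedelta(minutes=40), "Individual payee (new)", 9670.00),
]

if __name__ == "__main__":
    for pay in SAMPLE_PAYMENTS:
        decision, reasons = review_payment(pay, PROFILE, SESSIONS)
        print(pay.payment_id, decision, ", ".join(reasons) or "-")
```

Any single reason code is enough to hold the payment for a call to the customer, which is the “checking with you personally” step the Situation section asks account holders to request from their bank.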

TD Bank maintains that because the hackers used her correct username and password to make the transfers, TD Bank bears no responsibility whatsoever for the breach. Furthermore, because her computer was infected with ZeuS, Little & King bears responsibility for the fraudulent transfers.

DIGITAL CRIME OUTPACES REAL-WORLD ROBBERIES

Digital crime now outpaces real-world bank robberies in terms of losses. In 2009, there were 8,818 bank robberies netting criminals an average of $4,029 -- a total of about $35.5 million, according to the FBI's Uniform Crime Reporting (UCR) program. However, 60 percent of bank robbers were caught, often very quickly.

Compare that to fraud statistics of Automatic Clearing Houses (companies in charge of electronic funds transfers and credit card payment processing). The recent arrests connected with Zeus accounted for some 390 reported cases where $70 million was stolen from accounts. The criminals had attempted to steal some $220 million. The investigation mainly netted the lowest ranks of the criminal network -- the so-called money mules that remove stolen funds from their accounts and transfer the money to international accounts abroad. In general, the money mules are people who are duped into believing they are working for a legitimate company processing payments.

ANALYSIS

Is it possible that TD Bank’s online banking services required no more authentication than a simple user name and password and did not require any further enhanced authentication before transferring large sums of money? Did they make it easy for hackers to access Little & King’s bank account and wipe it out with no more than a cyber-handshake?

It seems that our local and regional banks have made it clear that until they are forced to take full financial responsibility (as they are today with retail - consumer - accounts) for allowing these attacks to succeed, they simply will not follow the guidance that their regulators have offered them to prevent those successful attacks. If and only when banks like TD Bank are required to reimburse commercial depositors for losses from cyber theft that they could have thwarted, they will then institute the security measures that they could and should have instituted long ago.

Make sure your bank is employing the proper protocols and procedures to prevent this from happening to you.

Looking At The Bank’s Role In Cybertheft

“Ms. McCarthy immediately notified the bank when she saw the transfers from her Little & King company account. She had never previously made an electronic transfer. TD Bank did not put a freeze on her account until the next day despite the call from McCarthy. Furthermore, the bank did not notify her of any unusual activity, something that would seem to be commonplace per online banking agreements. It is a simple matter to set up online alerts such as this, yet TD Bank seemingly failed to do so.”


SITUATION

Do you have a corporate policy regarding clicking on attachments or downloading from sites or email? If you don’t, you had better get on it. There is a new covert trick going around that implants malicious software on your computer just because you downloaded an applicant’s resume.

CASE IN POINT – SOMEWHERE IN THE UNITED STATES JANUARY 2011

Recently, the U.S. Federal Bureau of Investigation issued a warning regarding a new M.O. in ACH (i.e., Automated Clearing House) fraud. As you have noted in these case studies, cybercriminals install malicious software on unsuspecting computers, which is then used to burrow into their financial information, logins and passwords. Once they have access to the account they start transferring sums through fake employees, payees, etc. The money mules then move the money to accounts that are out of the U.S. In a matter of hours, hackers can move hundreds of thousands of dollars from your account should it become infected. Small businesses and regional banks are often the targets for these 21st Century gangsters because they usually are not as technically sophisticated. Access to the victimized computer is gained through sophisticated phishing techniques that take advantage of employee computer security ignorance.

The FBI released information on the latest iteration of the hack where the cybercriminals look for companies that are hiring online and then send them the malware through the so-called job application. One unnamed U.S. company recently lost $150,000 according to the FBI's Internet Crime Complaint Center. "The malware was embedded in an e-mail response to a job posting the business placed on an employment website," the FBI reported.

In this case the malware, a variant of the Bredolab Trojan, "allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company." The typo-filled Trojan looked like a Word document and read: "Hello! I have figured out that you have an available job. I am quiet interested in it. So I send you my resume, Looking forward to your reply. Thank you."

The Trojan was used to transfer money to Ukraine and two other U.S. bank accounts. "The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees," the FBI said.


ANALYSIS

Once again we find lack of computer security training to be the culprit. We live in a highly technically uncivilized world. The Internet is the modern version of the Wild Wild West. You have to be armed and ready to protect your company from serious gunfire. One defense, of course, is to not open email attachments. The safest bet is to delete the attachment and write back to the sender asking for a plain text version. Interestingly, another option is opening the document in Google Gmail, if you have an account, to check the legitimacy of the application or resume. You can set up a special Gmail account just for recruitment to safeguard your network.

Job Applications Open Door To Cybertheft


SITUATION

How open is your company’s Internet access? Does your staff go online when no one is looking? Do you have patrons or customers that have access as well? What security safeguards do you have in place? What are your rules for using the Internet? Small businesses tend to be pretty lax in this area. Isn’t it time that you had a firm policy on using the Internet in your business? You could save yourself a lot of trouble, not to mention – money.

CASE IN POINT – DELRAY BEACH, FLORIDA JANUARY 7, 2010

Somebody was cooking the books at the Delray Beach Public Library – suddenly $160,000 went missing and was nowhere to be found. Hackers created faux employees and paid them from the library’s bank account. Overnight, the library “hired” 16 new employees and their “earnings” were taken through direct deposit payroll. The money was paid out in allotments of under $10,000 so as to not raise red flags.

Unfortunately for the hackers and fortunately for the library someone was taking care of the books. The fraud was discovered rapidly and the bank was able to reverse most of the fraudulent transfers. Their bank actually refunded the balance to them. This is not the usual case for commercial banks.

The library’s phantom employees were recruited with work-at-home offers. They received their ill-gotten gains, wired the majority off and kept a commission. The transfers are under $3,000 each, which appears to be a threshold beneath any controls or checks the transfer company might have. Western Union and Moneygram are supposed to have fraud controls in place to prevent this type of racket but they do not appear to be working.


ANALYSIS

Who knows how the malicious software got into the Delray Beach Library’s network? All they know is that it did. Publishing a set of computer security best practices that can be used by library staff and patrons would be a good start. Training the staff to keep security in and the bad guys out would be even better.

Hackers Crack Library Without A Card: Making Withdrawals Without A Library Card


SITUATION

So you think you know the ins and outs of Internet banking. You make up strong passwords and you even remember to change them once in a while. You have “normal” security in place (you hid the sticky with your password and login on it – it’s no longer on your monitor).

CASE IN POINT – TAMPA BAY, FLORIDA MAY 10, 2010

There was nothing typical about this Monday morning for Bradenton attorney Kimberly Graus. It may have started out bright and sunny, but this Monday turned out to be a dark day for one of the trust accounts she administers. $35,000 was missing and she could not account for it. Her computer had been hacked and the money was finding its way to Eastern European criminals.

According to her bank, her own IP address was the source of the wire transfer orders and after further study by computer forensic experts, the culprits were found. The criminals had made four wire transfers from Graus’ trust account. Fortunately, Kimberly spotted it fast enough so she could notify Superior Bank and they were able to pull back three of the orders, but the fourth for $9,500 had already been transferred to the Ukraine.

And Graus was lucky that just that morning she had wired $400,000 to pay off client mortgages. The hackers struck in the afternoon; otherwise they might have gotten a much bigger haul and potentially bankrupted her practice.

Aside from the $9,500.00 loss, there were significant other costs in both time and money, including a new laptop to be used for banking purposes only, the cost of the forensic investigation, not to mention the time costs involved in closing and setting up new bank accounts. There is also the potential loss of trust she has had with her clients and other business associates including her bank. Superior Bank, of course, is adamant that it bears no responsibility for the theft.

Computer consultants told Graus that the malware on her system most likely came in the form of an email phishing attempt that she clicked on. The malware was able to capture passwords and logins and took over her accounts, despite the presence of standard anti-virus software.


ANALYSIS

If you are a business doing online banking and are only relying on the bank’s security and safeguards, you may be bound for major trouble. Commercial accounts do not have the same FDIC insurance as personal accounts! Before you use online banking, read the rules carefully. Check all online accounts daily, and make sure your corporate defense-in-depth is in good shape.

One simple thing we strongly recommend is that your company instructs the bank that no outside transfers are made without the bank having hard-copy written authorization signed by an account signatory for any transfer request. That, and having a formal Internet Security Awareness Training program in place for all employees. The bad guys are bypassing the antivirus on workstations by making users click on something and infect the PC with malware so that they can hack the network.

Losing The Trust In A Trust Fund


SITUATION

Here you are in the far Western part of Pennsylvania, a comparatively modest school district, and your payroll suddenly expands by 42 employees from California and Puerto Rico during Christmas break. Would that not strike you as unusual? On top of that your bank receives 74 wire transfer requests over a four-day period, when you very rarely ever wire transfer. Shouldn’t your bank take notice of that fact? Wouldn’t it strike them as unusual, especially since schools and administrative offices were closed for the holiday? Well, that is what happened in Western Beaver County, PA.

CASE IN POINT – WESTERN BEAVER COUNTY, PENNSYLVANIA JANUARY 2, 2009

Western Beaver County School District administrators were not very happy with their Christmas present this year. They woke up to find out that hackers, not Santa Claus, had made away with over $700,000 from their bank accounts. To their credit, ESB Bank managed to reverse some of the wire transfers; however, the Pennsylvania school district was out more than $441,000.

A few months later Western Beaver tried to sue ESB and recover their money, but as in other instances, the bank had protected itself with procedures and policy. As we know, commercial accounts do not receive the same level of protection as personal accounts, which are only liable up to $50. Court filings showed that the criminals used malicious software to gain control of Western Beaver’s computers and thus their bank accounts.

The bad guys set up the new payees and transferred the money to them -- with routing number and account number in hand, the money was transferred to the money mules who made out quite well for the holidays.


ANALYSIS

Once again criminals made use of the Automated Clearing House (ACH) Network to get their prize. Should banks take note of an unusual number of transfers? They sure should, and it is no excuse that there are so many transactions that they could not keep track of them. It is not exactly rocket science to program an account to put up a red flag. Should Western Beaver School District be monitoring their accounts on a regular basis? Absolutely; nothing is better than vigilance and nothing worse than negligence. It would be interesting to discover how well-protected their computer networks are.
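The red flag asked for here, and the "layers" of fraud controls from the FFIEC guidance cited in the TD Bank case (checks on Internet addresses and on unusual account activity), can be expressed as a few independent rules. This is an added example, not code from the white paper or from any bank; the thresholds, field names and sample transfers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tuning values are assumptions for this example, not regulatory figures.
WINDOW = timedelta(days=4)      # review window for bursts of activity
NEW_PAYEE_LIMIT = 3             # new payees tolerated inside one window
VELOCITY_FACTOR = 2             # tolerated multiple of the historical peak
CEILING = 10_000.00             # review threshold that amounts stay under
BAND = 0.15                     # "just under" means within 15% below CEILING
NEAR_CEILING_MIN = 3            # this many near-ceiling amounts raise a flag
OFFICE_IP = "203.0.113.10"      # constructed address (documentation range)
STAFF = [f"emp-{n:02d}" for n in range(1, 6)]   # constructed payees


@dataclass(frozen=True)
class Transfer:
    when: datetime
    payee: str
    amount: float
    source_ip: str
    kind: str                   # "ach" or "wire"


def peak_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def evaluate(history, pending):
    """Return the sorted names of every rule `pending` trips against `history`."""
    flags = set()
    known_payees = {t.payee for t in history}
    known_ips = {t.source_ip for t in history}

    # Layer 1: many payees the account has never paid before.
    if len({t.payee for t in pending} - known_payees) > NEW_PAYEE_LIMIT:
        flags.add("new_payee_burst")

    # Layer 2: request submitted from an address never used by this customer.
    if any(t.source_ip not in known_ips for t in pending):
        flags.add("unfamiliar_source_ip")

    # Layer 3: far more transfers of one kind than the account has ever sent.
    for kind in {t.kind for t in pending}:
        usual = peak_in_window([t.when for t in history if t.kind == kind], WINDOW)
        seen = peak_in_window([t.when for t in pending if t.kind == kind], WINDOW)
        if seen > VELOCITY_FACTOR * max(1, usual):
            flags.add(f"velocity_{kind}")

    # Layer 4: several amounts sitting just below the review threshold.
    floor = CEILING * (1 - BAND)
    if sum(floor <= t.amount < CEILING for t in pending) >= NEAR_CEILING_MIN:
        flags.add("just_under_threshold")

    return sorted(flags)


def sample_history():
    """Constructed baseline: one year of monthly payroll to five known staff."""
    return [Transfer(datetime(2009, m, 28, 9, 0), p, 2400.00, OFFICE_IP, "ach")
            for m in range(1, 13) for p in STAFF]


def normal_payroll():
    """Constructed batch: the usual payroll run, nothing unusual."""
    return [Transfer(datetime(2010, 1, 28, 9, 0), p, 2400.00, OFFICE_IP, "ach")
            for p in STAFF]


def payroll_fraud_batch():
    """Constructed batch: 16 new payees overnight, each just under $10,000,
    submitted through the customer's own machine and address."""
    start = datetime(2010, 1, 7, 2, 0)
    return [Transfer(start + timedelta(minutes=i), f"new-{i:02d}", 9800.00,
                     OFFICE_IP, "ach") for i in range(16)]


def odd_wire():
    """Constructed batch: one small wire to a known payee from a new address."""
    return [Transfer(datetime(2010, 1, 7, 14, 0), "emp-01", 500.00,
                     "198.51.100.77", "wire")]


if __name__ == "__main__":
    history = sample_history()
    for name, batch in [("normal payroll", normal_payroll()),
                        ("overnight payroll", payroll_fraud_batch()),
                        ("single wire", odd_wire())]:
        print(f"{name}: {evaluate(history, batch) or 'no flags'}")
```

The overnight batch is submitted from the customer's own address, as the bank reported in the Graus case, so the address check stays silent and the payee, velocity and amount layers are the ones that raise the flags.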

School’s Out For Christmas, Hackers Get Presents


SITUATION

Just when you thought you heard everything, here comes this new weapon from the bad guys – ‘telephony denial-of-service’. Imagine you cannot use your telephones, land, mobile, home, work, etc. because gangsters have engaged in a bombardment of calls to those numbers while at the same time they systematically drain your bank accounts. Your bank might even be trying to call you and get your approval or alert you to the transfers coming from your account.

CASE IN POINT – ST. AUGUSTINE, FLORIDA, DECEMBER 2009

So there you are doing what dentists do, drilling and filling, when you get a phone call featuring a 30-second promotion for a sex hotline. You just might think that was unusual, but when they persist and literally barrage your phone lines, you just might think something unsavory was going on in your life. This, indeed, was what happened to Florida dentist Robert Thousand Jr., who, by the way, is semi-retired. Almost $400,000 was drained from his Ameritrade Retirement Account.

The FBI said attacks like this are growing. Last November, Robert Thousand Jr., a semi-retired dentist in Florida, received a flood of calls to several phones. When he answered them, he heard a 30-second recording for a sex hotline, according to the St. Augustine Record.

The bad guys had this dentist coming and going. In December, he discovered that $399,000 had been drained from his Ameritrade retirement account shortly after he’d received the calls. About $18,000 was transferred from his account on Nov. 23, with an $82,000-transfer following two days later. Five days after that, another $99,000 was drained, followed by two transfers of $100,000 each on Dec. 2 and 4. The thieves withdrew the money in New York. Per the FBI, the phone calls were a diversionary tactic tying up Thousand’s line so that Ameritrade could not get hold of him and authenticate the money transfers.

But before they did that, they still had to access Dr. Thousand’s account information. No surprise, malicious software was embedded in his system, most likely after a phishing expedition. They then went on to raid, pillage and loot his account. While his account was being plundered, the battery of phone calls began. In the meantime the thieves, posing as Dr. Thousand, called Ameritrade demanding that the transfers be sent through. When questioned, they cited phone problems as the reason they had not responded to previous calls. Dr. Thousand was most fortunate in that Ameritrade did return his funds. Had they been in a business account he would not have been so fortunate.


ANALYSIS

If you suddenly are barraged with porn phone calls, realize something is amiss and check with your bank and other financial institutions. Change your phone number. But do something. Also, of course, make sure your anti-malware software is up-to-date. The money you save may be your own!

Dentist Gets Drilled


SITUATION

You enjoy buying online and find many a bargain. But sometimes those prices just might be too good to be true. This is especially so when buying a limited distribution item like an Apple Computer. This might just be one apple that you should not take a bite from.

CASE IN POINT – TAMPA BAY, FLORIDA OCTOBER 14, 2007

Rebecca Renner was in the market for a new computer for her Tampa-based company, Creative Minds, a print and design service. An ad on Craigslist.org for a MacBook Pro with an Intel processor and 17-inch screen caught her eye, as did the price: $1,700. The seller, Jeffrey Murray, claimed to be from the Bronx, N.Y., but was living in London because of his job.

Via e-mails, Murray instructed Renner to pay by wiring money to a third-party payment service and provided a link to the payment Web site. Only problem was, once Renner wired the money she never received the computer. Murray, or whatever his name is, disappeared with her wire transfer and presumably the computer she ostensibly purchased.


ANALYSIS

On the Internet as in life, take nothing for granted. If something looks too good to be true, chances are it is not what you should be seeking. What should Ms. Renner have done instead of acting on impulse and buying a computer that was priced too low? Well, she should have recognized it was too cheap for that make and model and rejected it to begin with. Renner said she was taken in by the idea that Murray was part of the Mac community and therefore had to be a good guy.

Wrong again. Murray could have been anywhere in the world, maybe even running a tidy little Nigerian scam. And last but not least, you don’t pay someone you don’t know by wire transfer, not without having the goods in your hands first. This is a big No No. Lesson learned: look before you pay.

An Apple A Day Didn’t Keep This Thief Away


SITUATION

Someone once said that you can’t fight city hall. Well, online criminals have changed this equation. They have found the means to not only fight city hall but take it to the cleaners. It seems there has been a rash of online heists of small town bank accounts. It seems like quite a few of these organizations do not have the resources to employ the proper safeguards or sufficient education.

CASE IN POINT – SUMMIT, ILLINOIS MARCH 11, 2010

The Village of Summit, Illinois is tiny when compared to most towns, with a population topping off at around 10,000. Nevertheless, it was a ready target for cyber-thieves who made off with a grand haul of close to $100,000.

According to ace security reporter Brian Krebs, “Summit is just the latest in a string of towns, cities, counties and municipalities across America that have seen their coffers cleaned out by organized thieves who specialize in looting online bank accounts. Recently, crooks stole $100,000 from the New Jersey township of Egg Harbor; $130,000 from a public water utility in Arkansas; $378,000 from a New York town; $160,000 from a Florida public library; $500,000 from a New York middle school district; $415,000 from a Kentucky county (this is far from a comprehensive list).” The cyber criminals are taking it to city hall big time.

The assistant to the town’s administrator logged in to the town bank account at Bridgeview Bank and was hit with a redirect explaining there were technical difficulties. Someone had hacked into their network and was rapidly using the credentials she had entered to access the online account. The thieves even gave her a phone number for customer support. When the assistant called the number it was a residence. So she called the bank and was told there were no problems. Should have raised a red flag, don’t you think?

We guess not, because the next thing you know there are ACH transfers of $70K and a wire transfer of $30,000. The wire transfer was stopped by the bank but the $70,000 was long gone.


ANALYSIS

Someone needs a lesson on online security, don’t you think? Red flags were flying; the assistant even called the bank and was told there were no problems. Shouldn’t the assistant and the bank have realized something was wrong and immediately taken precautions to protect the account? There was obvious cyber-skullduggery in place here, but the truth is a bit of common sense could have prevented a $70,000 disaster.

Vandals Go To Town On Small Towns

“Recently, crooks stole $100,000 from the New Jersey township of Egg Harbor; $130,000 from a public water utility in Arkansas; $378,000 from a New York town; $160,000 from a Florida public library; $500,000 from a New York middle school district; $415,000 from a Kentucky county (this is far from a comprehensive list).” The cyber criminals are taking it to city hall big time.


SITUATION

We have seen some acts from cyber bad guys, especially those that take advantage of disasters and catastrophes, but looting a charity’s bank account seems especially low even for them. In the world of these criminals, nothing is sacred or holy.

CASE IN POINT – BOSTON, MASSACHUSETTS JANUARY, 2010

The United Way is one of the good guys in society. The funds they raise are put back in the community to help those who require help. But in January, 2010, it was the United Way needing the help.

The bad guys used the Internet to break into the bank account of the United Way in Massachusetts and looted it to the tune of $150,000, or so they thought. They were pretty clever in using the unauthorized payroll routine (putting bogus workers on the payroll and then distributing the funds electronically to them). This was for $110,000, and they then attempted to transfer $40,000 to a money mule in New York. Neither of the schemes worked out, as the United Way and their bank were able to block or reverse the transactions. This is not always the case; very often a substantial amount cannot be retrieved because it has disappeared to Eastern Europe.


ANALYSIS

Either the United Way got very lucky or someone was on their toes monitoring the bank accounts. Whatever it was, one of the good things about this was that the organization was able to work with their bank to prevent the fraud. Perhaps this is a good time to have a talk with your favorite banker and find out what they are doing to prevent online fraud. While you are there, work out an airtight policy to make sure it never happens to you.

Cybercrime Attacks Charities - How Criminal Is That?


SITUATION

In a cyber-twist, a bank is targeted and (possibly a lot) more than $100K removed from its coffers. The bank won’t say how much. Most of our case studies involve businesses that wake up one morning to find their bank accounts emptied of accumulated cash. This time a bank felt the sting of the cyber-gang. So for once it was not the small businessman that was hit but the bank itself. Makes you wonder how many other banks have found themselves the victim of cyber-theft. This is especially relevant when you hear about banks that for legal reasons are not able to take responsibility for their clients when they have been defrauded. There is irony in all of this, especially when you take into consideration a federal credit union.

CASE IN POINT – SALT LAKE CITY, UTAH MAY 20, 2010

The Treasury Credit Union is a financial facility servicing federal employees and the families of the U.S. Treasury Department in Utah. On a sunny Thursday in May, somewhere around 70 wire transfers were made from one of the bank’s own accounts. The transfers were made in low increments of under $5,000 to money mules for a total in the low six figures. Some of the money was returned.

How did the criminals infiltrate this supposedly well-protected financial institution? Just like they do any other business: a bank employee’s login and password were stolen by malicious software, most likely via phishing, through which the Trojan horse was inserted into the computer. This was accomplished despite the fact that the computer and network were well-protected by an antivirus. The Trojan horse was not detected; no wonder, when you consider the user went to the phishing site and literally invited the malware in. Last July, organized thieves used money mules to steal tens of thousands of dollars from Huntington, W.V. based First Sentry Bank.
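The pattern in this case (around 70 same-day wires, each under $5,000, sent to money mules) is one that account monitoring can flag. The Python below is an added example, not part of the original case study or any bank's system; the review threshold, 24-hour window, alert count, account names and transaction records are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for this example, not any bank's real policy.
REVIEW_THRESHOLD = 5_000            # amounts below this skip manual review
WINDOW = timedelta(hours=24)        # sliding window per source account
MAX_NEW_PAYEE_TRANSFERS = 5         # more than this in one window alerts


def find_structured_bursts(transfers, known_payees):
    """Flag accounts that send many sub-threshold transfers to first-time
    payees inside one sliding window.

    transfers: iterable of (timestamp, account, payee, amount) tuples.
    known_payees: dict mapping account -> set of payees with prior history.
    Returns {account: {"count", "total", "start", "end"}} describing the
    largest burst seen on each alerting account.
    """
    seen = {acct: set(payees) for acct, payees in known_payees.items()}
    recent = defaultdict(deque)     # account -> (timestamp, amount) in window
    alerts = {}
    for ts, account, payee, amount in sorted(transfers):
        payees = seen.setdefault(account, set())
        first_time = payee not in payees
        payees.add(payee)
        if not first_time or amount >= REVIEW_THRESHOLD:
            continue                # established payee, or reviewed anyway
        window = recent[account]
        window.append((ts, amount))
        while ts - window[0][0] > WINDOW:
            window.popleft()        # drop transfers older than the window
        count = len(window)
        best = alerts.get(account, {"count": 0})["count"]
        if count > MAX_NEW_PAYEE_TRANSFERS and count > best:
            alerts[account] = {
                "count": count,
                "total": sum(a for _, a in window),
                "start": window[0][0],
                "end": ts,
            }
    return alerts


def constructed_sample():
    """Constructed data: 70 small wires to new payees in one day, plus
    ordinary activity on a second account that must not alert."""
    start = datetime(2010, 1, 4, 9, 0)
    transfers = [
        (start + timedelta(minutes=5 * i), "OPERATING-01",
         f"new-payee-{i:02d}", 4_000 + (i % 9) * 100)
        for i in range(70)
    ]
    transfers += [
        (start, "PAYROLL-02", "vendor-a", 12_500),
        (start + timedelta(hours=1), "PAYROLL-02", "vendor-b", 3_200),
        (start + timedelta(hours=2), "PAYROLL-02", "new-contractor", 1_800),
    ]
    known = {"OPERATING-01": set(), "PAYROLL-02": {"vendor-a", "vendor-b"}}
    return transfers, known


if __name__ == "__main__":
    for account, burst in find_structured_bursts(*constructed_sample()).items():
        print(account, burst)
```

No single transfer here crosses the review threshold; the alert comes from the count of first-time payees per account, which is why the one small payment to a new contractor on the second account stays quiet.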


ANALYSIS

It just goes to show you that despite sophisticated security, the weak link even in a financial institution proved to be an employee. One of the keys to security is educating personnel on Internet Security Awareness. If the employee had been educated, a large amount of money would have been saved and much aggravation would have been avoided.

Financial Institutions Fall Victim To Cyber-Theft – Could Internet Security Awareness Training Have Prevented The Larceny?


SITUATION

Many of today’s banks are neither as sound nor as secure as Fort Knox, as we have seen during the recent financial meltdown. The Internet with all its wonderful abilities has also opened the door to cyber-theft on a grand scale. We are not talking nickels and dimes as we have documented previously; we are talking millions and millions of dollars being stolen right from under the noses of both the banks and their customers.

CASE IN POINT – HUNTINGTON, WEST VIRGINIA JULY 30, 2009

The First Sentry Bank prides itself on being a community-oriented financial facility. Their motto – ‘Your Town… Your Bank’ is nice and folksy. It provides the requisite warm and fuzzy down-home feelings. However, in July, 2009, there was nothing folksy to be found.

The accounts at First Sentry were raided from the inside out – via the Internet. Cyber-thieves transferred nearly $50,000 from the bank in approximately five payments of just under $10,000 to so-called money mules around the United States. The transfers were made possible because of a computer network violation at the bank. After receiving the electronic transfer to their individual bank accounts, the money mules were then instructed to wire the funds in allotments of less than $3,000 via Western Union or Moneygram to criminals in Eastern Europe. The mules received a significant commission for accepting the funds and making the transfers. Being a money mule is equivalent to driving the getaway vehicle from the scene of the crime. Often these are innocent people that are pulled into these scams via the Internet.

The attackers likely infiltrated the bank the same way they broke into the accounts of dozens of small businesses last year: by spamming out e-mails that spoofed a variety of trusted entities, from the IRS to the Social Security Administration and UPS, urging recipients to download an attached password-stealing virus disguised as a tax form, benefits claim or a shipping label, for example. Recipients who opened the poisoned attachments infected their PCs, and the thieves struck gold whenever they managed to infect a PC belonging to someone with access to the company’s bank accounts online.


ANALYSIS

It was interesting to visit First Sentry’s web site. It is very old school and reminded me of the banking sites created in the 90’s before today’s technology and security precautions had been developed. How secure would you feel if your bank had just been ripped off for tens of thousands of dollars? If you are utilizing online banking, especially with local or community banks, now would be a good time to investigate just how secure their facility is.

Back Door Banking


SITUATION

We often write about situations gone bad, as the perpetrators for the most part have been successful. But law enforcement officials also have some share of success. Still, it is better not to worry about luck or informants, etc., and to have an educated staff that knows before it goes!

CASE IN POINT – LONDON, ENGLAND NOVEMBER 16, 2009

In early April of 2009 more than 50 officers from the Metropolitan Police's Central e-Crime Unit raided several addresses in south-east London following an investigation into a criminal network (believed to be based in Eastern Europe) that had been targeting the financial services industry with a Trojan virus. Malware was downloaded into numerous computers and was then used to access bank accounts and transfer the funds to money laundering accounts controlled by the gang. Money mules were then used to withdraw the funds and send them on to the gang’s accounts via money transfer bureaus.

The key to the cyberheist, as usual, was the “inadvertent” download of the malicious software, which would capture login information when the customer logged into their account. Once access had been gained, the virus would call out to a server and request a page to be inserted into the customer's online session. This new page would pop up and mirror the design of the victim's genuine bank page, and encourage them to enter personal data, which was then hijacked and the account raided.


ANALYSIS

How much time, energy and resources would have been saved had the bank customers been educated on cybercrime through Internet security awareness training?

As a side note, would it not be a good idea to educate so-called money mules that they are involved in a criminal activity? Perhaps some educational text boxes on the sites that recruit the money mules, like Monster.com.

Sometimes They Do Get Caught
