Schneier on Security
A blog covering security and security technology.
« The Importance of Backups |
| Google Pays $31,000 for Three Chrome Vulnerabilities »
May 1, 2013
Details of a Cyberheist
Really interesting article detailing how criminals steal from a company's accounts over the Internet.
The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.
Basically, the criminals break into the bank account, move money into a bunch of other bank accounts, and use unwitting accomplices to launder the money.
The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital's payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.
Posted on May 1, 2013 at 10:26 AM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
For some time I have been wondering why law enforcement and the financial institutions themselves don't infiltrate the "work from home" schemes and receive the money but fail to forward it, instead waiting for the rightful owners to catch up with them, and then return it. If it happened enough, it would make the scamsters look for another mule mechanism.
Then again, maybe they have, and they just haven't said anything about it. ;)
As you and Brian Krebs have both observed in one way or another this happens because in the US the banking code alows the banks to treat such attacks as an external issue and thus refect it back on the comercial customer (US banging code is different for private individuals).
Further as both you and Brian have observed the security offered by the banks is mainly not security, in many if not all cases the authentication systems used are insufficient to prevent such thefts.
Whilst as I've pointed out in the past full transactional security using out of band authentication requires considerable effort on behalf of the human operator it is most definatly not a problem that cannot be solved.
However as long as the banks can externalise the risk legaly there is no incentive for them to fix it, which some estimates indicate costs US small enterprises over 10 Billon USD a year.
A couple of simple security measures to combat this:
1. For the first foreign destined wire transfer from a business account, verify it with the company manually before processing it.
2. For wire transfers from non-business accounts, ask the individual involved if it is part of work from home employment. If the answer is yes, educate and investigate.
Of course, as noted above, the banks don't yet have the full incentive for even basic process-oriented precautions.
Wow, managing 100 "employees" has got to be more work than making an honest living.
@qka: ...why law enforcement and the financial institutions themselves don't infiltrate...
If one bank infiltrates a heist, all they will do is protect what is most likely a rival bank.
If enough banks cooperate, they can solve the problem.
This could have been an example from Bruce's latest book, actually.
Nothing new here really, this is a very old attack scheme. Nothing can be done as long as virtual money can be converted into cash. On the other hand, cash has its advantages and the possibility of sending it easily has as well. (Sometimes you need it to actually help people, e.g. a family member abroad. And the ability to shift some, reasonable amount of money anonymously is a basic freedom.)
It should be noted that part of the criminal network gets always caught in these criminal acts and is responsible for paying back the damage anyways, namely those utterly stupid (and greedy) people that launder the money.
I mean, really, how stupid or naive can you be?
The only countermeasure to that I can see, is to start to teach how these scams work in school. That will still need a few decades to permeate though. In the meantime, bringing these things up regularly is a good idea.
@ Bruce Schneier and Clive Robinson
A Krebs story led to an interesting discussion between James Woodhill and I. I was talking cheap, secure countermeasures. His concept was removing the externality Clive mentions via legislation. Here's his testimony before Congress on his views. It's only 5 minutes and well thought out.
I particularly like his comparison to public health and infectious threats. And mentioning protecting political campaign funds. Clever, that. :)
US banging code is different for private individuals
Was that a typo or an amazingly clever pun ? 8-)
@ Nick P
One of the statements I liked most in Jim Woodhill's testimony is refusing to deposit any funds at banks that have a history of reflecting losses caused by cyberheists on their customers. Make that official policy and you don't even need regulation.
I do wonder what happened to the yourmoneyisnotsafeinthebank.org website. It was offline when I checked. Did he receive some cease-and-desist letter from a bankster kartel or the European Union ?
@ Dirk Praet
That would be a nice policy. As for the site, I have no idea. I think it's more likely that he gave up on trying to change things via user education. Far as I know, he might be in another operation altogether. (He was a "serial security entrepreneur" if you recall.)
However, if you can bring up a website, remember to check archive.org for a copy. It often has one. Woodhill's site is here. Another benefit of Wayback Machine is that it's snapshots allow you to watch evolution of a site over time, including a company's products or marketing. I've used it to bust out Green Hills and others for bogus claims. ;)
A little off topic, but true story. A few years back, my wife received a letter in the mail stating that she was selected to be a mystery shopper. All she had to do is call the phone number provided, the person(s) on the other end would transfer some money to her. She was to go to several local chain stores and purchase any item she wanted, note the price and customer experience on the enclosed form. She was to keep any thing she purchased, and spend up to about $150 USD. The last step was to take the remainder of the money sent to her (it was to be over $1000 USD, don't recall exact amount) to Western Union and send it to an account to be provided to her. Again under the guise of rating customer service on the enclosed form.
After doing some quick checks on the internet, the letter, which was worded to appear to originate from London , England had a London, Ontario postal code and a few other things did not add up.
Needless to say, we did not do it, but I could not help thinking what a good way to move money from country to country, at the same time making it virtually untraceable.
One hundred employee/co-conspirators.
One hundred bank accounts.
One million dollars.
Doesn't seem worthwhile.
@ Dirk Praet,
Was that a typo or an amazingly clever pun ?
I would like to say the latter, but that would be dishonest. For some reason my right thumb goes for the K when it should be my left going for the G... but this time just to make a difference...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.