Cyber Attackers Empty Business Accounts in Minutes
The criminals knew what they were doing when they hit the Western Beaver County School District.
They waited until school administrators were away on holiday, and then during a four-day period between Dec. 29 and Jan. 2, siphoned US$704,610.35 out of two of the school district's bank accounts. Western Beaver's financial institution, ESB Bank, managed to reverse some of the transfers, but the Pennsylvania school district was out more than $441,000.
On July 9, Western Beaver sued ESB to try and recover the money, but security experts say that it's just one of many organizations that have been hit in recent months by a disturbing new type of financial fraud that can often leave the victim holding the bag.
Fraudsters are taking advantage of the widely used but obscure Automated Clearing House (ACH) Network in order to pull off their attacks. This financial network is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.
In April, ACH fraudsters moved $1.2 million out of a Sugar Land, Texas, importer called Unique Industrial Products, according to a report in the Houston Chronicle. They did this by hacking into the company's computers and then authorizing 39 transfers to move the money out of Unique Industrial's account. Although the bulk of the money was recovered, scammers made $150,000 from the attack -- not bad for 30 minutes of work.
"ACH fraud continues to grow, especially in this current economic downturn where unemployment is at very high levels," said Jeffery Dertz, a partner in the insurance practice group with Blackman Kallick, a Chicago-based accounting and consulting firm.
Criminals can make millions of dollars per day with ACH fraud, investigators say. And while consumers are protected from this type of fraud, the rules for corporations and organizations are not as clear-cut, so sometimes victims like Western Beaver find themselves having to pay.
The fraud typically starts with a targeted phishing e-mail, aimed at whomever is in charge of the company's checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.
"If I can get a hold of their credentials then I can have some fun," said Robert West, the former chief information security officer at Fifth Third Bank, who is now CEO of security intelligence consultancy Echelon One. He agrees that ACH fraud is a growing problem
Western Beaver's attorney, Alfred Steff, declined to comment for this story, but in court filings the county said that fraudsters used a computer virus to hack into the school board's computer system.
Often the malicious software lies right inside the browser, waiting for the victim to log into a bank site before springing into action. Then, once the victim has logged in, the software sets up new payees and transfers money to them -- once the victim's accounts have been hacked, all the attacker needs is a routing number and an account number to send the cash to a money mule. If two people must sign off on the transfer, the hackers hit both of them.
The mules are victims too. They typically think they are doing legitimate payroll work for international companies. After being recruited on sites such as Monster.com, they're told they get to keep a 5 percent commission if they move money out of the country. Often when the bank reverses the transaction, they have to pay.
Some security experts believe that the fact that mules are difficult to recruit is the only thing keeping this type of fraud from skyrocketing right now. Security vendor Trusteer estimates that 3 percent of consumers are already infected with financial fraud software. "The bottleneck is getting the money out of the accounts," said Amit Klein, Trusteer's chief technology officer.
The fraud works, in part, because fraudulent ACH activity doesn't always trigger red flags with the banks, especially when smaller regional banks are involved, according to one investigator, who asked not to be identified because he is working on active cases. "There's a very serious problem going on," he said of the ACH fraud. "It's a very old system and there are potentially not a lot of controls in the underlying transfer system."
In Western Beaver's case, red flags should have been raised when the school board suddenly added 42 individuals to its payroll in places as far away as California and Puerto Rico during its Christmas break, and then started to pay them far more than most other people on the payroll, he said. According to court filings ESB received 74 transfer requests during the four-day period, another red flag.
In its lawsuit, Western Beaver faults its bank for failing to "red flag" unauthorized requests. An ESB bank spokesman could not be reached for comment.
One reason that banks have a hard time spotting fraudulent ACH transactions is because the volume of money moving through the network is simply overwhelming. The ACH network processed nearly 9 billion payments in 2002, valued at more than $24.4 trillion dollars. "The last couple of banks I worked at, we would go through the equivalent of our net assets in a couple of days," West said.
As lucrative as it may be, this type of ACH fraud is not widespread, according to Mary Gilmeister, president of WACHA, a nonprofit organization that provides information relating to ACH to financial organizations. "It's important, but it's not affecting a large number of financial institutions," she said. "Financial institutions are paying more attention to it," communicating with each other and sending up warning flags when the fraud occurs, she said.
For consumers who have their bank accounts emptied by an ACH scam, federal banking regulations cap liability at $50, so long as the fraud is reported in a timely manner. But for corporations and other entities, things are a lot more complicated, and whether the victim has to pay can vary from bank to bank.
That could seriously erode the public's trust in Internet banking, the investigator said: "We're talking about small businesses, the lifeblood of the U.S., that are getting hit for five or six figures because they've embraced online banking."