A $170,000 cyberheist last year against an Illinois nursing home provider starkly illustrates how (especially smaller) businesses are at risk of attacks by cybercriminals.

On Monday, Dec. 17, 2012, computer crooks logged into Niles Nursing’s online banking accounts using the controller’s credentials and tunneling their connection through his hacked PC.

At the beginning of the heist, the miscreants added 11 money mules to Niles’ payroll, sending them ACH (Automated Clearing House) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.

Niles’ financial institution — Ft. Lauderdale, Fla.-based Optimum Bank — evidently saw nothing suspicious about 11 new employees scattered across five states being added to its customer’s payroll overnight. From the bank’s perspective, the user submitting the payroll batch logged in to the account with the proper credentials and with the same PC that was typically used to administer the account. The thieves would put through another two fraudulent payment batches over the next two days (the bank blocked the last batch on the 19th).

In total, the attackers appear to have recruited at least two dozen money mules to help haul the stolen loot. All but two of the mules used or opened accounts at four out of five of the nation’s top U.S. banks, including Bank of America, Chase, Citibank, and Wells Fargo. No doubt these institutions together account for a huge percentage of the retail banking accounts in America today, but interviews with mules recruited by this crime gang indicate that they were instructed to open accounts at these institutions if they did not already have them.

Banking online remains a legally and financially risky affair for any business, regardless of which bank it uses. Businesses do not enjoy the same fraud protections as consumers; if a Trojan lets the bad guys siphon an organization’s online accounts, that victim organization is legally responsible for the loss. The financial institution may decide to reimburse the victim for some or all of the costs of the fraud, but that is ENTIRELY UP TO THE BANK.

 
