The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Spokane company helps uncover cyberspace bandits

Marcus Lawson, of Global CompuSearch, heads a computer forensics squad that digs into hard drives looking for how intruders access bank login credentials. (Dan Pelle)

Three Spokane businesses that saw tens of thousands of dollars stolen from their online bank accounts have taken the lesson to heart. All three say they no longer bank online and won’t until they’re sure they won’t get stung again.

A Spokane medical services company saw $60,000 disappear from its account in 2008. A Spokane doctor’s office lost roughly $34,000 that same year. And The Artisans, a Spokane Valley nonprofit, lost close to $64,000 in early 2009.

All three cases involved hackers gaining access to computers inside the businesses through software that snuck in through e-mail or Web browsing.

The software hunts for online bank passwords and Web sessions involving bank access. It saves that information and ships the passwords to the hackers, who can transfer money from the local bank accounts to a specific bank somewhere else.

The stolen money is deliberately sent in transfers of $3,000 to $12,000 to avoid suspicion.

In at least two of the Spokane cyber theft incidents, the hackers sent transfers to “money mules” — recipients who were recruited to use personal bank accounts to receive funds. The mules then wire the cash to another location and get a small fee for doing something they were told, initially, is legal.

But banks and law enforcement say cyber fraud directed against smaller businesses is the fastest-growing online crime in recent years.

The three Spokane businesses were victimized because hackers have begun targeting easier targets than the large, well-defended major companies and corporations, said Frank Harrill, senior supervisory resident agent with the FBI in Spokane.

“Smaller businesses do not have the robust IT security defenses large companies have,” Harrill said.

The FBI says it investigated more than 200 cases of bank account transfer fraud in 2008 and 2009. Those totaled about $100 million in payments to people who successfully made off with $40 million, according to FBI data.

Marcus Lawson, who operates Spokane-based Global CompuSearch, which helps companies identify security problems or find computer hard-drive evidence of fraud, said many business owners or managers are reluctant to talk about being victims of online fraud.

Many owners feel discussing the problem raises the chance they might be targeted again, he said.

Of the three business managers or owners contacted for this story, only Polly Maxwell, executive director of The Artisans, agreed to speak on the record.

The other two owners agreed to discuss their cases anonymously so that their examples would help other firms be better prepared against the same threats.

Maxwell said the experience of being hit with cyberfraud changed how she does business at The Artisans, which provides training and job placement for developmentally disabled workers.

“We don’t do anything online now. We don’t give out any financial information to people,” Maxwell said.

Of the local cases, only the doctor’s office received a full refund for the $34,000 removed from its Bank of America business account. In that instance, the bank had already begun tracking the business owner’s personal accounts after there were several attempts at identity theft.

The doctor said that in August 2008 he was away from Spokane when cyberthieves initiated four money transfers to overseas accounts. One of the four requests, for $12,000, was halted immediately by the bank, the doctor said. He was informed by the bank that the three other transactions had occurred.

Even though the business lost no money after the bank restored the amount, “I don’t do any business or personal banking online,” the doctor said.

The case of the medical services company was a clearer example of a smart, intrusive attack by a hacker, according to the firm’s owner.

The company used a Spokane accounting firm to handle payroll deposits and vendor payments. In spring 2008, the accountant, who used a personal computer with a password to the bank account held by the company, discovered the computer was not working normally.

How the hacker got into the computer is unclear, the company owner said.

Over several days, the hacker transferred about $60,000 to offshore bank accounts.

“They even knew my account had a single-day transfer limit of $52,000. They changed my account settings, raising it to $53,000, so they could take $52,000,” the owner said.

The company considered going after the accounting firm, claiming the problem occurred because the accountant’s personal computer was compromised. But the owner soon discovered proving how a cyberfraud occurs can be difficult.

“The accountant company told us they weren’t responsible. And they said it would be impossible to establish that they were,” the owner added.

When the company owner went to his insurance provider, he was surprised to find the policy didn’t cover the loss. “They said it was a password theft, and it wasn’t a physical theft,” the owner said.

Eventually the medical services company owner recovered $38,000 from the accounting firm’s errors and omissions coverage.

Like the doctor’s office, the medical services company owner now refuses to do any online business banking.

In the case of The Artisans, the fraud occurred after Maxwell agreed to install bank-approved software on an office computer. The software would let Maxwell switch from using physical checks for purchases and payroll to a direct deposit and online transfer system.

Maxwell said she never used the software because she first had to get authorization from all employees who wanted to get direct deposits.

Over three days in January 2009, someone removed about $62,000 from the account at a Spokane Valley branch of a bank based in North Idaho.

Lawson, who offered to assist Maxwell and The Artisans in uncovering what happened, looked at the Artisans office PC and found a rootkit as the source of the problem.

A rootkit is well-hidden computer code loaded via an e-mail message or a seemingly innocent Web site. Lawson said numerous computers end up infected with the same software, but only those that hold business and bank information become the key part of a skillful cyber theft.

The rootkit, he added, was too sophisticated to be detected by traditional antivirus tools.

The hackers in this case eventually created six “phantom” employees for The Artisans, all of them on the East Coast. Over three days the hackers transferred the money in mid-size chunks to those six “money mules.”

The bank even allowed the hackers to overdraft the account by $18,000, she said. “They called me one day and said I was overdrawn. I said, ‘How could I be overdrawn? I just deposited about $52,000.’”

Despite having the names and identities of the six mules, the Idaho bank has recovered just a little more than $5,200 from those transfers, Maxwell said.

The bank also refunded about $11,000 from the overdraft, she added.

One of the main challenges for federal officials who pursue cyberfraud cases is gathering information once the trail leads to overseas accounts, said Harrill, of the Spokane FBI office.

Larry Kuznetz, a Spokane attorney and a board member for The Artisans, said preventing future instances of cyber fraud will require efforts by the banks and by their customers.

In their competition for more customers and more accounts, many banks don’t force customers to adopt rigorous passwords or to change them frequently, a practice now considered especially useful in halting rootkit attacks.

And many banks don’t use sophisticated technologies to track and detect cyber fraud, nor do they set lower limits on the amount of money an account can transfer, say bank security experts.
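As an added illustration of the kind of bank-side tracking the experts describe (example code, not from the article or any bank it names), the script below runs three rules over a constructed transfer ledger modelled on the article’s cases: a daily-limit raise followed by a transfer that only fits under the new limit, a burst of mid-size transfers to never-seen payees, and a transfer that overdraws the account. The payee names, balances and thresholds are assumptions.

```python
from datetime import date

# Constructed sample ledger modelled on the patterns the article describes (not real bank
# records). Each event is (ISO date, kind, payee, amount); kind is "transfer" or "limit_change".
EVENTS = [
    ("2009-01-13", "limit_change", None, 53000),          # daily limit raised 52k -> 53k
    ("2009-01-13", "transfer", "Avista Utilities", 900),  # an established payee
    ("2009-01-13", "transfer", "Mule A (new)", 52000),    # day's total now needs the new limit
    ("2009-01-14", "transfer", "Mule B (new)", 9800),
    ("2009-01-14", "transfer", "Mule C (new)", 11500),
    ("2009-01-15", "transfer", "Mule D (new)", 7200),     # pushes the account negative
]
KNOWN_PAYEES = {"Avista Utilities"}  # assumed payee history for this account
OPENING_BALANCE = 77000
DAILY_LIMIT = 52000


def flag_suspicious(events, known_payees, opening_balance, daily_limit,
                    window_days=3, mid_size=(3000, 12000), min_new_payees=3):
    """Return (rule, date, detail) alerts for limit tampering, mule-style bursts and overdrafts."""
    alerts, balance, limit, raised, daily = [], opening_balance, daily_limit, None, {}
    new_payee_hits = []  # (date, payee) for mid-size transfers to never-seen payees
    for d, kind, payee, amount in sorted(events, key=lambda e: e[:2]):
        day = date.fromisoformat(d)
        if kind == "limit_change":
            if amount > limit:
                raised = (day, limit)  # remember the old limit and when it was lifted
                alerts.append(("limit_raised", d, f"{limit} -> {amount}"))
            limit = amount
            continue
        daily[day] = daily.get(day, 0) + amount
        # Transfers soon after a raise that only fit under the new limit (the $52k -> $53k case).
        if raised and (day - raised[0]).days <= window_days and daily[day] > raised[1]:
            alerts.append(("transfer_exceeds_old_limit", d, f"{payee} {amount}"))
        if payee not in known_payees and mid_size[0] <= amount <= mid_size[1]:
            new_payee_hits.append((day, payee))
        balance -= amount
        if balance < 0 <= balance + amount:  # the transfer that takes the account negative
            alerts.append(("overdraft", d, f"balance {balance}"))
    # Several distinct new payees receiving mid-size sums within a few days, as with the mules.
    for start, _ in new_payee_hits:
        payees = {p for dd, p in new_payee_hits if 0 <= (dd - start).days <= window_days}
        if len(payees) >= min_new_payees:
            alerts.append(("new_payee_burst", start.isoformat(), ", ".join(sorted(payees))))
            break
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious(EVENTS, KNOWN_PAYEES, OPENING_BALANCE, DAILY_LIMIT):
        print(alert)
```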

At the same time, the burden also falls on the users of online bank accounts to ensure that their computers have the latest software and effective anti-malware systems, Kuznetz said.

It won’t help if a bank requires a user to use sophisticated passwords but that same user’s computer is easily compromised, Harrill said.