Online Theft Costs Eliot, Maine $28K

Jay Decenella, IT audit expert
July 20, 2011

A group of cyber thieves funneled thousands of dollars out of the accounts of the town of Eliot, Maine last week in an online theft that highlights the “mismatch” between organizations’ security measures and today’s sophisticated attacks, a security expert said.

“On July 11, 2011, I alerted the town controller of Eliot, Maine that its accounts were probably being raided by computer crooks in Eastern Europe. I had heard from a ‘money mule,’ an individual who was recruited through a work-at-home job scam to help the thieves launder money,” Brian Krebs said in his security blog.

Krebs said the money mule had misgivings about a job he had just completed for his employer, which involved helping to move almost $5,000 from one of his employer’s “clients” to individuals in Ukraine.

“The receipt his employer emailed to him along with the money transfer said the client was ‘Town of Eliot, Ma.’”

Immediately after receiving the report of the online theft, Norma Jean Spinney, the town controller, alerted Eliot’s financial institution, TD Bank. However, the bank found no unusual transactions.

Three days later, Spinney said, she received a call from TD Bank notifying the town that a suspicious batch of payroll direct deposits totaling more than $28,000 had been submitted from its account.

“TD Bank may have had a chance to stop this robbery, but apparently they dropped the ball,” Krebs pointed out.

“Nevertheless, the town is not likely to see the stolen money again. Unlike consumers, organizations are not protected against online banking losses from cyber fraud. What’s more, a forensic analysis by a local IT firm showed that Spinney’s PC was infected with at least two banking Trojans at the time of the heist.”

TD Bank spokeswoman Jennifer Morneau refused to comment due to “customer confidentiality policies.”

According to Spinney, the bank required a user name and password, and the answer to at least one “challenge question,” when logging in to the town’s account.

However, Krebs cited the new guidelines issued by banking regulators last month that state “that challenge questions are not adequate to protect corporate online-banking accounts from today’s cyber thieves.”

“Unfortunately, many banks continue to rely on existing methods of authenticating customers: Bank examiners won’t start measuring how banking institutions conform with the recommendations until Jan. 2012,” Krebs noted.

“If you’re responsible for a commercial bank account and you’re accessing the account online, the safest way to do so is to use a non-Windows computer such as a Mac, or a Live CD version of Linux.

“The bad guys may begin to write banking Trojans to help them rob organizations using other computing platforms, but all of the attacks I’ve written about to date involved malware that will not run on anything but a Windows PC.”

The security researcher recommended accessing the accounts “through a dedicated PC that is only used for that purpose as an alternative for those who must use Windows.”

“If your bank allows it (and most do), consider taking advantage of anti-fraud mechanisms like Positive Pay, and requiring that more than one person must sign off on all accounting transactions,” said Krebs.
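The dual sign-off control mentioned above can be modeled in a few lines. The following is an added example written for this article, not code from Krebs, TD Bank, or the town of Eliot; the payroll records, employee ids, routing and account numbers, and the $9,000 baseline are constructed for illustration. It releases a payroll batch only when two distinct people have approved it, holds any deposit aimed at a (employee, routing, account) destination never used in a prior run unless an approver has verified it out of band, and flags a batch total far above the normal run, which is the pattern of a fraudulent batch redirecting pay to newly recruited mule accounts.

```python
"""Dual-control release check for an outgoing payroll batch (added example).

All names, ids, account numbers and amounts are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Deposit:
    employee_id: str
    routing: str       # receiving bank routing number
    account: str       # receiving account number
    amount_cents: int


@dataclass
class PayrollBatch:
    batch_id: str
    deposits: list
    approvals: set = field(default_factory=set)              # distinct approver ids
    verified_destinations: set = field(default_factory=set)  # new destinations confirmed out of band


# Destinations used in prior payroll runs (constructed).
KNOWN_DESTINATIONS = {
    ("E001", "011000015", "100200300"),
    ("E002", "011000015", "100200301"),
}
# Typical total of a normal payroll run (constructed): $9,000.
BASELINE_TOTAL_CENTS = 900_000


def destination(d):
    return (d.employee_id, d.routing, d.account)


def flag_unknown_destinations(batch, known=KNOWN_DESTINATIONS):
    """Deposits to a destination never used before and not yet verified out of band.
    Account-takeover payroll fraud usually redirects pay into fresh mule accounts,
    so a new destination is the primary signal worth holding a batch on."""
    return [d for d in batch.deposits
            if destination(d) not in known
            and destination(d) not in batch.verified_destinations]


def batch_total_cents(batch):
    return sum(d.amount_cents for d in batch.deposits)


def approve(batch, approver_id):
    """Record a sign-off. Using a set means one person approving twice counts once."""
    batch.approvals.add(approver_id)


def release_decision(batch, known=KNOWN_DESTINATIONS, required_approvers=2, max_ratio=1.5):
    """Return (allowed, reasons). Release needs the required number of distinct
    approvers, no unverified new destinations, and a total within max_ratio of baseline."""
    reasons = []
    if len(batch.approvals) < required_approvers:
        reasons.append(f"only {len(batch.approvals)} of {required_approvers} distinct approvals")
    unknown = flag_unknown_destinations(batch, known)
    if unknown:
        reasons.append("deposit(s) to unverified new accounts: "
                       + ", ".join(d.employee_id for d in unknown))
    total = batch_total_cents(batch)
    if total > BASELINE_TOTAL_CENTS * max_ratio:
        reasons.append(f"total ${total / 100:,.2f} exceeds {max_ratio}x baseline")
    return (not reasons, reasons)


def sample_batch():
    """Constructed batch resembling the incident: two normal deposits plus two
    payees never paid before that push the total far above the baseline."""
    return PayrollBatch("PR-2011-07-11", [
        Deposit("E001", "011000015", "100200300", 450_000),
        Deposit("E002", "011000015", "100200301", 450_000),
        Deposit("E003", "021000021", "555666777", 980_000),
        Deposit("E004", "021000021", "555666778", 990_000),
    ])


if __name__ == "__main__":
    b = sample_batch()
    approve(b, "controller")
    approve(b, "controller")   # same person again: still one approval
    print(release_decision(b))
    approve(b, "selectman")
    print(release_decision(b))  # still held: unverified payees and oversized total
```

The point of the out-of-band verification set is that a legitimate new hire can still be paid, but only after an approver has confirmed the account details with the employee through a channel other than the compromised workstation. Run stand-alone, the script shows the constructed batch being held first for lack of a second approver and then, after the second approval, still held on the two new destinations and the inflated total.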

He encouraged bank customers to review the new guidelines, which include many recommendations for improving online-banking security.

“A bank that provides adequate protection will not wait until 2012 to implement the enhanced measures,” Krebs said.
