A few months ago, a small escrow firm from California was targeted by cyber criminals that managed to transfer almost $400,000 from the firm’s bank account to a number of accounts throughout the world and the U.S.
The story of how it happened is becoming increasingly familiar: an employee of the firm is sent an email with a Trojan disguised as a harmless file, executes it and infects the computer with password-stealing malware.
In this case, the employee was actually the owner, one Michelle Marisco, and she said that a couple of days before the theft occurred she received an email that claimed to be from the UPS stating that a package she sent was lost, and that she had to review the attached invoice. When she opened the file, seemingly nothing happened, and thinking that maybe the problem is with her own computer, she forwarded the email to her assistant.
The assistant tried to view the invoice, and the Trojan gained another foothold in the company network. This proved to be very important, since the Professional Business Bank – the bank where the company account was located – requires every wire transfer to be approved by two employees, and the criminals now had the ability to fake both approvals.
Another anti-fraud measure that was disabled by the criminals was the feature that made sure that the owner of the account was notified by email each time a wire was sent out of the company account. This allowed the suspect wire transfers to go unnoticed for some time.
Michelle Marisco has been forced to take out a loan to cover the loss, and the bank washed their hands of any responsibility early on. And that, right there, where the problem lies. Financial institutions have no incentive to improve the the process that assures the integrity of online transactions, since current regulations work in their favor and don’t hold them responsible when similar things happen.
Brian Krebs points out another interesting fact: the accounts in the U.S. to which the money gets transferred often belongs to other small business owners. They aren’t usually aware they are doing something illegal, since they are often recruited by “international finance agents for a company that claimed to help corporations move their money abroad faster than they might be able to do otherwise.”
Since transfers over $10,000 on business bank accounts don’t get flagged as suspicious, small business owners as money mules are preferred by criminals.