The Indiana Law Blog: Law - Continuing on computer security problems: Kentucky county's funds stolen by online hackers

« Courts - More on: "SCOTUS declines to set rule on drunk driving stops, letting stand a Virginia court ruling that police must actually see erratic driving – and not just rely on anonymous tips – to stop a suspected drunk driver" | Main | Ind. Courts - "Judge Nemeth issues 11th hour warning about St. Joseph County budget cuts" »

Tuesday, October 27, 2009

Law - Continuing on computer security problems: Kentucky county's funds stolen by online hackers

This August 25th ILB entry began:

Be concerned. When the ILB posted this story July 27th from the Louisville Courier Journal about the theft of $415,000 of Bullitt County Kentucky's funds by Ukrainian hackers, it seemed an isolated incident.

Not so, according to this story today in the Washington Post, reported by Brian Krebs, and headed "European Cyber-Gangs Target Small U.S. Firms, Group Says."

The problem apparently continues, unabated. Krebs' lengthy "Security Fix" column yesterday began:

Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week.

According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams. When the mules pull the cash out of their accounts, they are instructed to wire it (minus a small commission) via services such as MoneyGram and Western Union, typically to organized criminal groups operating in countries like Moldova, Russia and Ukraine. * * *

Companies that bank online enjoy few of the protections afforded to consumers. Individuals who have their online bank account cleaned out because of a password-stealing computer virus usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Businesses often are not so lucky and must take losses.

Chabinsky said businesses can insulate themselves from this type of fraud by doing their online banking from a dedicated, locked-down computer that is not used for everyday Web browsing or e-mail. That's because the malicious software that thieves use to steal online banking user names and passwords typically is installed when the recipient of a spam e-mail opens a poisoned attachment or clicks a link that leads to a booby-trapped Web site.

"What we're seeing is a trend towards [fraudsters] taking advantage of the weak link in the banking process, which is the customer," Chabinsky said. * * *

Below is a chart showing the victim entities that I have confirmed over the past five months.* * * Some victims are identified only by their industry or specialty to preserve their anonymity. If a victim's name is hyperlinked, readers can click the link to read a prior Security Fix blog post that includes mention of their specific incident.

Posted by Marcia Oddi on October 27, 2009 09:13 AM
Posted to General Law Related