Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Magic Is Misdirection. Often, So Is Cybercrime. DDoS Attack Helps Cyberthieves Make $900K Disappear from Company Bank Account.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
Follow ThreatMetrix ThreatMetrix's Most Recent Posts:

Christmas 2012 was very merry for cyberthieves who, on December 24th, stole $900,000 from the online corporate account of Ascent Builders, a Sacramento, California construction company.

At about the time the cybercrooks were raiding Ascent Builders’ Bank of the West account, the bank was being hit by a DDoS attack which flooded the Website with traffic from compromised PCs effectively covering the thieves’ tracks.

The breach wasn’t discovered until December 26th. With Christmas, you could see how that might happen. Or not happen. However, the Bank of the West didn’t discover the breach. Nor did Ascent Builders. It was discovered by security expert Brian Krebs (Krebs on Security) after a money mule, who’d been hired to transfer funds overseas contacted him after she “smelled a rat.” We’ll have Brian Krebs take it from here in his own words:

Ascent was unaware of the robbery at the time, but its bank would soon verify that a series of unauthorized transactions had been initiated on the 24th and then again on the 26th. The money mule I spoke with was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. 

Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.

Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.

“It said the bank was offline for 24 hours, and we couldn’t get in to the site,” Shope said. “We called the bank and they said everything was fine.”

But soon enough, everything would not be fine from Bank of the West’s end. Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline. It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan – a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists

Shope said the FBI is actively investigating the breach. The FBI declined to comment for this story. Bank of the West also did not respond requests for comment. 

But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve.

Shope said Bank of the West has been able to claw back about half of the stolen funds, and expects to recover a great deal more. He said many of the bigger fraudulent transfers went to other businesses. For example, one of the mules was either running or working at a Hertz equipment rental franchise on the East Coast, and had called Ascent Builders to complain after the bank discovered the fraud and began clawing back large transfers. That mule, apparently unaware he was helping thieves launder stolen money, was calling to find out what happened to his $82,000.

“We got a call from a Hertz rental equipment company back east, and they said “Why did you take this deposit out of our account?’ Shope recalled. “I asked him what he thought it was for, and he said, “Oh, this was for some equipment that we were purchasing for you guys from Russia, and we already sent the money on [to Russia], so what’s going on?”‘

A few thoughts about this attack. If you run a business and suddenly find yourself unable to log in to your commercial account, pick up the phone and call your bank to inquire about any recent money transfer activity. Very often, malware that thieves use to steal banking passwords in these cyberheists will also redirect the victim to an error page that says the bank’s site is down for maintenance. If this happens to you, call your bank and ask them to check your accounts (don’t trust a customer service phone number offered on a “down for maintenance” page; call the number on your bank card or search online for the institution’s customer service number). 

By ThreatMetrix Posted