I have written a great deal about how organized cyber gangs in Eastern Europe drained tens of millions of dollars from the bank accounts of small- to mid-sized businesses last year. But new evidence indicates one of the gangs chiefly responsible for these attacks managed to hack directly into a U.S. bank last year and siphon off tens of thousands of dollars.
On July 30, 2009, at least five individuals across the United States each received an electronic transfer of funds for roughly $9,000, along with instructions to pull the cash out of their accounts and wire the funds in chunks of less than $3,000 via Western Union and MoneyGram to three different individuals in Ukraine and Moldova.
The recipients had all been hired through work-at-home job offers via popular job search Web sites, and were told they would be acting as agents for an international finance company. The recruits were told that their job was to help their employers expedite money transfers for international customers that were — for some overly complicated reason or another — not otherwise able to move payments overseas in a timely enough manner.
The money was sent to these five U.S. recruits by an organized ring of computer thieves in Eastern Europe that specializes in hacking into business bank accounts. The attackers likely infiltrated the bank the same way they broke into the accounts of dozens of small businesses last year: By spamming out e-mails that spoofed a variety of trusted entities, from the IRS, to the Social Security Administration and UPS, urging recipients to download an attached password-stealing virus disguised as a tax form, benefits claim or a shipping label, for example. Recipients who opened the poisoned attachments infected their PCs, and the thieves struck gold whenever they managed to infect a PC belonging to someone with access to the company’s bank accounts online.
In each of those attacks, when the attackers found credentials for commercial bank accounts, they would log in to the victim’s account and set up bogus payroll payments to the newly-hired financial agents — known to the criminals and law enforcement alike as “money mules.” I’ve also interviewed dozens of these mules, and each one I spoke with said the deposits they received were all accompanied by e-mail messages stating the amount and time of the transfer, as well as the name of the “client” whose money their employers were supposedly “helping” to move. In every case, the name listed in the e-mail as the “client” was in fact a company that the thieves had looted (see Money Mule Recruitment Network Exposed for another example of this).
On July 30, 2009, the thieves sent out at least five payments totaling nearly $50,000 to five separate money mules. In each case, the name of the client listed in the e-mail message the criminals sent to alert them of the transfer read “FIRST SENTRY BANK,” suggesting that the theft was the result of a computer compromise inside of First Sentry.
I attempted numerous times to get a response from someone at Huntington, West Virginia based First Sentry Bank about the July attack. I left no fewer than seven phone messages and sent several e-mails to bank employees, explaining who I was and the reason for my inquiry. To this day, I have yet to receive so much as a “no comment.”
One of the money mules who helped move money out of First Sentry was a 65-year-old woman from Von Ormy, Texas, who spoke on condition of anonymity. She said she successfully withdrew the $9,099 sent to her from First Sentry, and wired it to three different individuals in Eastern Europe, as instructed. Four other money mules who also helped launder funds stolen from First Sentry said they also received similar amounts, and that their e-mailed receipts also listed First Sentry as the client. It is quite possible that the mules I spoke with represent a fraction of those who received funds in this attack: Some of the more than two dozen victims of this crime that I’ve chronicled lost upwards of $500,000.
The Von Ormy mule said she suspected the job may not have been legitimate, but decided she needed the money too badly to turn it down. She said she made about $500 off the transaction, after paying the fees to wire the money.
“I’m a senior citizen on a fixed income, and I hate to say it, but I did make some good money,” she said. “I knew it was too good to be true after making that doggone much money in one day, but it helped me out a lot.”
Below is the transaction message sent from the thieves to the Texas-based mule. Bobbear.co.uk, which does tireless work to track these scam Web sites, has a writeup here on the site used to recruit the Von Ormy mule.
----- Original Message -----
From: [email protected]
Sent: Thursday, July 30, 2009 6:58 AM
Subject: Attention: Transaction 136282 – new task for you
We are glad to inform you about a new task! Please review transfer details:
Date: 30.07.2009 12:56:01
Amount: USD 9099
Commission: USD 727.92 (8 %)
FROM: FIRST SENTRY BANK
Funds should already be there at your bank account. Please contact your bank urgently and confirm that the money is available for withdrawal.
The next thing you have to do is to inform your personnel supervisor about the task status and perform three basic actions:
1. LEARN MORE.
Make sure you’ve already read our detailed manual at: hxxp://alliance-group.cc/member/admin/job_instructions.php
2. WITHDRAW THE FUNDS.
Please visit your bank as soon as possible and withdraw the received funds. Usually this procedure doesn’t take more than 30 minutes.
3. TRANSFER MONEY VIA WESTERN UNION (MONEY GRAM).
After cash withdrawal you are to make transfer(s) at your local Western Union location(s). Commission (8 %) should be deducted from the received money. WU fees along with all other costs, such as bank fees, transportation costs, etc. are covered by you and are deducted from your commission.
* According to the contract terms, should your expenditures exceed 3% of the amount transferred, we’ll compensate you the difference. For more info, please read the EXHIBIT A part of the contract.
You are to make the following transfer(s):
Type: Money Gram
Amount: 2790 USD
Recipient’s First Name: Igor
Recipient’s Last Name: Ilyin
Recipient’s City: Odessa
Recipient’s Country: Ukraine
Type: Money Gram
Amount: 2700 USD
Recipient’s First Name: VERA
Recipient’s Last Name: KSENOFONTOVA
Recipient’s City: Donetsk
Recipient’s Country: Ukraine
Type: Western Union
Amount: 2880 USD
Recipient’s First Name: Constantin
Recipient’s Last Name: Grozav
Recipient’s City: Chisinau
Recipient’s Country: Moldova
IMPORTANT: Before leaving for bank or WU you must read the detailed FAQ available HERE: hxxp://alliance-group.cc/member/admin/job_instructions.php
*We kindly ask you to specify purpose of WU transfer: family (if required). It will allow us to avoid delays connected with Western Union policy concerning business transfers.
**All transfers must be made in USD. Use MONEY IN MINUTES type only (not MONEY IN DAYS).
***We recommend to use 2-3 different locations to complete the transaction.
Alliance Group Inc
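The task message above follows a fixed template, and its numbers hang together: 8 % of 9,099 is exactly 727.92, and the three outbound transfers sum to 8,370, within about a dollar of the 8,371.08 left after the commission. The Python below is an added example, not code from the post or from Bobbear, showing how a fraud or SOC analyst could parse a message in this template and flag the pass-through and structuring pattern it encodes. The $3,000 cutoff is an assumption that mirrors the "chunks of less than $3,000" the mules were given (it is also the long-standing Bank Secrecy Act recordkeeping threshold for funds transfers at money transmitters); the embedded sample is the quoted message reduced to the lines the parser needs, with the URLs omitted.

```python
import re
from dataclasses import dataclass, field

# Assumed cutoff: mirrors the "chunks of less than $3,000" the mules were told to send.
RECORDKEEPING_THRESHOLD_USD = 3000.0

# The task message quoted in the post, reduced to the lines the parser needs (URLs omitted).
SAMPLE_TASK = """\
We are glad to inform you about a new task! Please review transfer details:
Date: 30.07.2009 12:56:01
Amount: USD 9099
Commission: USD 727.92 (8 %)
FROM: FIRST SENTRY BANK
You are to make the following transfer(s):
Type: Money Gram
Amount: 2790 USD
Recipient's First Name: Igor
Recipient's Last Name: Ilyin
Recipient's City: Odessa
Recipient's Country: Ukraine
Type: Money Gram
Amount: 2700 USD
Recipient's First Name: VERA
Recipient's Last Name: KSENOFONTOVA
Recipient's City: Donetsk
Recipient's Country: Ukraine
Type: Western Union
Amount: 2880 USD
Recipient's First Name: Constantin
Recipient's Last Name: Grozav
Recipient's City: Chisinau
Recipient's Country: Moldova
"""


@dataclass
class Transfer:
    service: str
    amount: float
    recipient: str
    city: str
    country: str


@dataclass
class Task:
    source: str
    deposit: float
    commission: float
    commission_pct: float
    transfers: list = field(default_factory=list)


# "Recipient.s" accepts a straight or a curly apostrophe (the post renders it curly).
_TRANSFER_RE = re.compile(
    r"Type:\s*(?P<service>.+)\n"
    r"Amount:\s*(?P<amount>[\d.]+)\s*USD\n"
    r"Recipient.s First Name:\s*(?P<first>.+)\n"
    r"Recipient.s Last Name:\s*(?P<last>.+)\n"
    r"Recipient.s City:\s*(?P<city>.+)\n"
    r"Recipient.s Country:\s*(?P<country>.+)"
)


def parse_task(text: str) -> Task:
    """Pull the deposit, commission, looted 'client' and outbound transfers out of a task message."""
    # The deposit line reads "Amount: USD 9099"; transfer lines read "Amount: 2790 USD", so they do not match here.
    deposit = float(re.search(r"^Amount:\s*USD\s*([\d.]+)", text, re.M).group(1))
    m = re.search(r"^Commission:\s*USD\s*([\d.]+)\s*\(([\d.]+)\s*%\)", text, re.M)
    source = re.search(r"^FROM:\s*(.+)$", text, re.M).group(1).strip()
    task = Task(source, deposit, float(m.group(1)), float(m.group(2)))
    for t in _TRANSFER_RE.finditer(text):
        task.transfers.append(Transfer(
            t["service"].strip(), float(t["amount"]),
            f"{t['first'].strip()} {t['last'].strip()}",
            t["city"].strip(), t["country"].strip()))
    return task


def analyse(task: Task, threshold: float = RECORDKEEPING_THRESHOLD_USD, slack: float = 5.0) -> dict:
    """Flag the pass-through / structuring pattern the post describes; returns a small report."""
    outbound = sum(t.amount for t in task.transfers)
    expected_payout = task.deposit - task.commission
    flags = []
    if abs(task.deposit * task.commission_pct / 100 - task.commission) < 0.01:
        flags.append("commission_matches_rate")        # the mule's cut is a fixed share of the loot
    if task.transfers and abs(outbound - expected_payout) <= slack:
        flags.append("pass_through")                   # deposit minus the cut leaves the account again
    if len(task.transfers) > 1 and all(t.amount < threshold for t in task.transfers):
        flags.append("structured_below_threshold")     # every chunk stays under the recordkeeping line
    if len({t.recipient for t in task.transfers}) > 1:
        flags.append("multiple_cash_recipients")       # fan-out to several cash pick-up names
    return {
        "source": task.source,
        "outbound_total": round(outbound, 2),
        "expected_payout": round(expected_payout, 2),
        "countries": sorted({t.country for t in task.transfers}),
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in analyse(parse_task(SAMPLE_TASK)).items():
        print(f"{key}: {value}")
```

Run against the sample, the report names FIRST SENTRY BANK as the source, totals 8,370 outbound against an expected 8,371.08 payout, lists Moldova and Ukraine, and raises all four flags; the same checks applied to an account's own transaction history (one inbound ACH or payroll credit, followed within a day by several cash withdrawals and wire-service transfers each just under the threshold) are the core of a money-mule detection rule on the receiving bank's side.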