A California escrow firm has been forced to take out a pricey loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year.
In March, computer criminals broke into the network of Redondo Beach-based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.
Owner Michelle Marisco said her financial institution at the time (Professional Business Bank of Pasadena, Calif.) normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.
The thieves also defeated another anti-fraud measure: a requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant, who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in, set up shop, and plant a password-stealing virus on both Marisco’s computer and the PC belonging to her assistant, the second person needed to approve transfers.
As a guarantor of payment for residential real estate transactions, Village View Escrow holds other people’s money until the sale of a property is complete. Failure to come up with the funds when a real estate deal is finalized can spell bankruptcy and possibly worse for an escrow provider. Since the incident, Marisco has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).
“I’m working for nothing right now, and can’t afford to pay myself,” Marisco said in a phone interview.
Officials from Professional Business Bank did not immediately return calls seeking comment.
Marisco said her bank disavowed any responsibility for the incident early on, and that the bank believes the thieves had even used her company’s Internet address to access the account, apparently by leveraging the Trojan they had planted to tunnel their connection through her machine.
Village View Escrow depends on wires to finalize residential real estate sales in the California area, but had never before sent a wire outside the United States. Yet, several of the wires were sent internationally, including a direct $88,000 wire to PrivateBank in Latvia, and a $94,000 transfer to Norvika Bank, also in Latvia.
The rest of the money was sent via wire to numerous individuals across the United States who were willingly or unwittingly recruited over the Internet through work-at-home job scams that promised work as international finance agents for a company that claimed to help corporations move their money abroad faster than they might be able to do otherwise.
At least the thieves were honest on that point.
The case of Village View Escrow shows that while small businesses are frequently the target of this sophisticated type of e-banking fraud, small business owners are also often involved in helping to fleece the victims. Indeed, many of the fraudulent wires that the thieves sent from Village View Escrow’s online account were for amounts between $10,000 and $30,000 that were sent to checking or savings accounts belonging to small business owners.
E-banking thieves normally keep their fraudulent transfers to less than $10,000 to avoid the anti-money laundering requirements of the retail banks. But the fraudsters can move far more money through business accounts without raising any red flags.
According to Village View Escrow, one of the mules was a real estate agent in Houston who received two wires totaling $34,000. Another fraudulent wire for $29,000 was sent to an upstart software firm in Tennessee.
“Probably 60 percent of them were people who were trying to start a small business,” said Ken Holloman, Village View Escrow’s information technology consultant. “They were everything from a guy who had started a gem company, another that had started a watch company…most of them were just trying to get some business going and some income coming in.”
I have said it before and will say it again: No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system. But for better or worse, the commercial banks have no (dis)incentive to do much to improve the integrity of online banking transactions because the current regulations effectively hold them blameless when a customer loses money.
Some commercial banks are adopting security measures that don’t merely involve pushing the security entirely out to the customer’s computer. But regardless of whether the legal equation changes, small to mid-sized businesses can dramatically reduce the risk of becoming the next victim of this type of crime by either using a dedicated PC for online banking, or by accessing their accounts only from a computer booted up into a Live CD.