By Brian Krebs, Washington Post Staff Writer, Tuesday, August 25, 2009

Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. A task force representing the financial industry sent out an alert Friday outlining the problem and urging its members to implement many of the precautions now used to detect consumer bank and credit card fraud.

"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," the confidential alert says. The alert was sent to members of the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector. The group is operated and funded by such financial heavyweights as American Express, Bank of America, Citigroup, Fannie Mae and Morgan Stanley.

Because the targets tend to be smaller, the attacks have attracted little of the notoriety that has followed larger-scale breaches at big retailers and government agencies. But the industry group said some companies have suffered hundreds of thousands of dollars or more in losses.

Many have begun to come forward to tell their tales. In July, a school district near Pittsburgh sued to recover $700,000 taken from it. In May, a Texas company was robbed of $1.2 million. An electronics testing firm in Baton Rouge, La., said it was bilked of nearly $100,000.

In many cases, the advisory warned, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company's controller or treasurer, a message that contains either a virus-laden attachment or a link that -- when opened -- surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks' anti-money-laundering reporting requirements.

The alert states that these scams typically rely on help from "money mules" -- willing or unwitting individuals in the United States -- often hired by the criminals via popular Internet job boards. Once enlisted, the mules are instructed to set up bank accounts, withdraw the fraudulent deposits and then wire the money to fraudsters, the majority of which are in Eastern Europe, according to the advisory.

"Eastern European organized crime groups are believed to be predominantly responsible for the activities that are employing witting and unwitting accomplices in the U.S. to receive cash and forward payments -- from thousands to millions of dollars to overseas locations -- via popular money and wire transfer services," the alert warns.

The FBI said it is working to stem the problem. "We share a mutual concern with respect to criminals' unrelenting intent to target our nation's financial sector and customers, whether through computer hacking or by other schemes to steal customer account information and make unauthorized withdrawals," Steven Chabinsky, deputy assistant director for the bureau's cyber division, said in a statement.

Fewer Fraud Protections

The Financial Crimes Enforcement Network, a Treasury Department division that tracks suspected cases of fraud reported by banks, said incidences of wire-transfer fraud rose 58 percent in 2008. But experts say reliable figures about losses from commercial online banking fraud are hard to come by, and many incidents go unreported.

"The data is not quite where it could be, and we don't have a good benchmark in terms of determining the prevalence of this type of fraud," said Cliff Stanford, director of the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta. "As a result, banks and consumers might not fully understand where they need to best deploy additional security measures."

Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.

In contrast, companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.

Avivah Litan, a fraud analyst with Gartner Inc., said few commercial banks have invested in back-end technologies that can detect fraudulent or unusual transaction patterns for businesses.

"The banks spend a lot of money on protecting consumer customers because they owe money if the consumer loses money," Litan said. "But the banks don't spend the same resources on the corporate accounts because they don't have to refund the corporate losses."

Swallowing the Losses

The incidents in many cases are pitting victims against their banks. In July, a public school district near Pittsburgh filed a lawsuit against ESB Bank, a subsidiary of Ellwood City, Pa.-based ESB Financial Corp., to recover funds lost to cyber-fraud. The Western Beaver school district charges that crooks used malicious software to siphon more than $700,000 from the school's account at ESB. According to the lawsuit, the funds were transferred in 74 separate transactions over a two-day period, to 42 different money mules.

In April, cyber-crooks stole $1.2 million from Unique Industrial Product Co., a Sugar Land, Tex.-based plumbing equipment supply company. Pankaj Malani, the company's operations manager, said a forensic analysis showed the attackers used malware planted on its computers to initiate 43 transfers out of the company's account within 30 minutes. The intruders sent some of the funds directly to Eastern Europe and funneled the remainder through people in the United States.

Malani said the FBI is investigating the case, but because the company spotted the fraud quickly, its bank was able to retrieve all but $190,000 of the stolen money. "This could have put us out of business," Malani said.

Other small to mid-sized companies have not fared so well. In February, fraudsters struck JM Test Systems, an electronics calibration company in Baton Rouge. According to Happy McKnight, the company's controller, on Feb. 19, an unauthorized wire transfer of $45,640 was sent from JM Test's account to a bank in Russia. The company's bank subsequently provided the company with new credentials. But less than a week later, $51,550 of JM Test's money was transferred to five money mules across the country. McKnight said her employer was able to recover just $7,200 of the stolen money, which was returned only because one mule who was to receive that transfer apparently closed his or her account before the transfer could be completed.

"The whole thing consumed us for about a month," McKnight said. "When we start looking at all of the investigation and the things we had to change as a result of this fraud, we estimate the soft costs to our company is already three times what our straight online banking loss was."