
Sham Australian firm at centre of cyber heist

Brian Krebs

Best fraud: Screen shot of a website of a fictitious company, Best Company or Best Pty, purporting to be based in Melbourne. Photo: KrebsOnSecurity

A fictitious Australian company is at the centre of a cyber criminal network employing money mules in the United States on behalf of organised hackers in the Ukraine and Russia.

The hackers stole more than $1 million from a public hospital in Washington state last month. The costly cyberheist was carried out with the help of nearly 100 accomplices in the US who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.

According to Washington’s Wenatchee World newspaper, the heist struck Chelan County Public Hospital No. 1 in Washington on April 19 and moved an estimated $US1.03 million ($998,000) out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in America’s midwest and east coast.

I’ve spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $US14,000 siphoned from the hospital’s accounts.

Jesus Contreras, a 31-year-old from San Bernardino, California, had been out of work for more than two months when he received an email from a company calling itself Best Inc and supposedly located in Melbourne, Australia. Best Inc (or Best Company or Best Pty, according to its website) presented itself as a software development firm based at 200 Spencer Street, Melbourne.

The company told Contreras it had found his resume on Careerbuilders.com. Contreras said the firm’s representative told him he’d qualified for a work-at-home job that involved forwarding payments to software developers who worked for the company’s overseas partners. Could he start right away? All he needed was a home computer. He could keep 8 per cent of any transfers he made on behalf of the company. Contreras said he was desperate to find work since being laid off in February.

Not the best job

His boss at Best Inc, a woman with a European accent who called herself Erin Foster, called Contreras to conduct a phone interview in which she asked about his prior experience and work-life balance expectations. In short order, he was hired.

His first assignment: To produce a report on the commercial real estate market in southern California. Contreras said Foster told him that their employer was thinking of opening up an office in the area.

On Monday, April 22 — shortly after he turned in his research assignment — Contreras received his first (and last) job from his employer: Take the $US9180 just deposited into his account and send nearly equal parts via Western Union and Moneygram to four individuals, two located in Russia and the other pair in the Ukraine. After the wire fees — which were to come out of his commission — Contreras said he had about $US100 left.

“I’m asking myself how I fell for this because the money seemed too good to be true,” Contreras said. “But we’ve got bills piling up, and my dad has hospital bills. I didn’t have much money in my account, so I figured what did I have to lose? I had no idea I would be a part of something like this.”

A small, but significant, part as it happens

Contreras never got to use any of his meagre earnings: his financial institution, Bank of America, froze his account and seized what little money he had in it.

Meanwhile, the Chelan County Treasurer’s Office is struggling to claw back the fraudulent transfers. According to press reports, roughly $US133,000 of the lost funds have been recovered so far, and it may take at least 30 days to learn how much was actually lost.

The company that employed Contreras does not appear to exist. Its address at 200 Spencer Street, Melbourne, is a block of more than 300 apartments above retail and take-away food shops. The building's owners corporation manager, Bencorp OCM, is unaware of any companies running from the address, a spokesman said.

There is no company currently registered under Best Company or Best Pty in Australia, although there appear to be numerous unrelated companies with similar names. The address has been used multiple times in other “work-from-home” money laundering schemes I have investigated.

Its Sydney phone number defaults to a generic computer-generated recorded message that refers inquiries to “our company’s website”. The company’s website has been offline since I published the original article on the heist.

The “company” is part of a transnational organised cybercriminal gang operating in Russia and Ukraine. Its distinguishing feature is that it operates its own money mule recruitment division. This eliminates the middle man and increases the gang’s overall haul from any cyberheist. Cashing out hacked accounts is a complex, time-consuming process that is normally contracted out to third-party criminal operations, which can take anywhere from 40-60 per cent of the haul for their trouble.

This gang uses several telltale signatures in its operations, and has been hitting small to mid-sized organisations for the past five years at least. They’ve stolen many, many times more than the millions taken from Chelan County, from hundreds of victim organisations. In fact, this gang appears to have been involved in nearly every cyber heist I have written about for the past four years.

Just as real-life bank robbers are restricted in what they can steal by the amount of loot they can physically haul away from the scene of the crime, these cyber crooks are limited by how many money mules they can recruit to help launder the fraudulent transfers. That’s because unless the mules have access to business accounts that can receive and forward much larger wire transfers, the amounts sent to mules typically range from just below $5000 to slightly less than $10,000.

Edwin Walker of Alpharetta, Georgia — another mule who unwittingly helped launder money for Best Inc — received and processed a $US4970 transfer on April 20. And while available mules may be a bottleneck for this type of crime, this group appears to have a well-oiled mule-recruitment machine working around the clock.

Contreras is something of an oddity as a US west coast money mule. The mule recruitment gangs generally prefer to hire mules that are on the east coast or in the midwest. That’s because most victim banks and businesses are on the east coast and open several hours before banks on the west coast, so a west coast mule cannot cash out as quickly.

Time is money, and in this business, the more time elapses before the mules can withdraw and move the stolen funds, the more likely the victim and its bank will be able to claw back the fraudulent transfers.

The facts so far include no information about the victim’s bank, or what kinds of security procedures they may have required of Chelan County for moving large sums of money. But my guess is it was a small to regional bank, and there were few security hurdles for the bad guys to overcome, aside from maybe a one-time token and a password.

Broken record alert: If you are running a small business and managing your accounts online, you’d be wise to expect a similar attack on your own accounts and prepare accordingly.

That means taking your business to a bank that offers more than just usernames, passwords and tokens for security. Shop around for a bank that lets you secure your transfers with some sort of out-of-band authentication (a text message sent to a mobile device, for example). These security methods can be defeated of course, but they present an extra hurdle for the bad guys, who are more likely to go after the lower-hanging fruit.

But if you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening.

Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.
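As an added illustration (not part of the original article), the following Python script shows how a business could screen an outgoing payment batch for the two patterns described above: a fan-out of transfers to first-time payees in the amount band mules typically receive, and large transfers released without a second employee’s sign-off. The thresholds and the sample batch are assumptions modelled on the figures in the article, not real account data.

```python
from dataclasses import dataclass

# Mule transfers in the scheme above ran from just under $5,000 to just under
# $10,000; this band and the other two thresholds are assumed values.
MULE_BAND = (4_500.00, 9_999.99)
NEW_PAYEE_BATCH_LIMIT = 5           # more first-time payees than this in one run is suspicious
DUAL_APPROVAL_THRESHOLD = 2_500.00  # transfers at or above this need two approvers


@dataclass
class Transfer:
    payee_id: str
    amount: float
    first_time_payee: bool  # payee never paid in any prior batch
    approvers: tuple        # employee ids who signed off on this line


def review_batch(batch):
    """Return a list of (rule, detail) findings for an outgoing payment batch."""
    findings = []
    new_payees = [t for t in batch if t.first_time_payee]
    # Rule 1: many never-before-seen payees in one run looks like a mule fan-out
    if len(new_payees) > NEW_PAYEE_BATCH_LIMIT:
        findings.append(("new-payee-fanout", f"{len(new_payees)} first-time payees in batch"))
    lo, hi = MULE_BAND
    for t in batch:
        # Rule 2: a first-time payee receiving an amount in the typical mule band
        if t.first_time_payee and lo <= t.amount <= hi:
            findings.append(("mule-band-amount", f"{t.payee_id} {t.amount:.2f}"))
        # Rule 3: a large transfer released without a second sign-off
        if t.amount >= DUAL_APPROVAL_THRESHOLD and len(set(t.approvers)) < 2:
            findings.append(("missing-dual-approval", f"{t.payee_id} {t.amount:.2f}"))
    return findings


# Constructed sample batch: two normal payroll lines plus six transfers to new
# payees, two of them sized like the Contreras and Walker transfers.
SAMPLE_BATCH = [
    Transfer("emp-001", 2_140.50, False, ("alice",)),
    Transfer("emp-002", 3_310.00, False, ("alice", "bob")),
    Transfer("acct-new-1", 9_180.00, True, ("alice",)),
    Transfer("acct-new-2", 4_970.00, True, ("alice",)),
    Transfer("acct-new-3", 7_600.00, True, ("alice",)),
    Transfer("acct-new-4", 8_250.00, True, ("alice",)),
    Transfer("acct-new-5", 5_410.00, True, ("alice",)),
    Transfer("acct-new-6", 6_900.00, True, ("alice",)),
]

if __name__ == "__main__":
    for rule, detail in review_batch(SAMPLE_BATCH):
        print(rule, detail)
```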

KrebsOnSecurity

  • A good article on the American situation, but it would be good if someone at Fairfax did a review or synopsis of Internet Banking security in Australia for both personal and business customers. I'm sure they would uncover similar scenarios here.

    AndyJ, Melbourne, May 07, 2013, 11:23AM