Cybercrooks Drive Away With 63,000 Dollars From Car Dealership

The recent $63,000 hack of a Kansas car dealership highlights a dangerous vulnerability companies sometimes face when balancing their books online.

The controller for Abilene, Kansas-based Green Ford Sales, Inc. logged into his account at First Bank Kansas to check the company's accounts on November 1, 2010. Seven hours later, he logged back in and submitted a payroll batch for company employees totalling $51,970. The bank's authentication system sent him an e-mail to confirm the batch details, and the controller approved it.

The controller didn't know it at the time, but thieves had already compromised his Microsoft Windows PC with a copy of the Zeus Trojan, which allowed them to monitor his computer and log in to the company's bank account using his machine. Less than an hour after the bookkeeper approved the payroll batch, bank records show, the thieves logged in to Green Ford's account from the same Internet address normally used by the dealership, using the controller's correct user name and password.

The attackers also cased the joint a bit by checking the transaction history, account summary and balance before logging out of the system. They waited until 1:04 p.m. the next day to begin creating their own $63,000 payroll batch by adding nine new "employees" to the company's books. The employees added were in fact money mules, willing or unwitting individuals recruited through work-at-home job scams to help crooks launder stolen funds.

And to cover their tracks, the hackers erased the confirmation emails regarding the transaction. "They went through and deleted it," said Green Ford owner, Lease Duckwall. "If they had control over his machine, they'd have certainly had control over his email and the password for that, too."

Duckwall praises his bank for moving quickly to contact the mules' banks after being alerted by the company's controller at 8 a.m. on Nov. 3, but he said the recovery effort was slowed considerably by the responses from many of the mules' banks.

Duckwall also reached out to one of the mules, a man named Shawn Young from New York, who received nearly $5,000 of Green Ford's money. Young hadn't yet wired the money overseas as instructed by his recruiters, a bogus entity calling itself "R.E. Company". Young said he communicated with the mule recruiters at R.E. Company by logging in to his account at the web site, uploading his personal and bank account information, and awaiting further instructions.

Green Ford recovered $41,000, and the company has since changed its security procedures. However, according to Krebs in his blog Krebs on Security, as long as PC viruses exist, online banking sessions will continue to be high-priced targets for cybercriminals.

"If a bank's system of authenticating a transaction depends solely on the customer's PC being infection-free, then that system is trivially vulnerable to compromise in the face of today's more stealthy banking Trojans," Krebs wrote.

Amit Klein, chief technology officer at Trusteer, also blogged about a relatively new strain of malware dubbed "OddJob," which hijacks customers' online banking sessions in real time using their session ID tokens. According to Klein, OddJob keeps online banking sessions open after customers think they have "logged off," enabling criminals to extract money and commit fraud unnoticed.

Many SMBs are unaware that hackers are finding online banking transactions to be profitable and easy targets for cyber-attacks because of several weaknesses, not only in the security systems of both organizations, but also in the authentication protocols between them.
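One check that does not depend on the customer's PC is a bank-side review of the payroll batch itself. The Python sketch below is an added example, not code from the article, the bank or any vendor named here; the thresholds, field names, payee names, times of day and per-payee amounts are constructed assumptions, and only the batch totals, dates and the nine new payees come from the account above.

```python
from datetime import datetime, timedelta

# Hypothetical policy thresholds (assumptions, not from the article or any bank).
NEW_PAYEE_WINDOW = timedelta(hours=72)   # payee enrolled this recently counts as "new"
MAX_NEW_PAYEE_SHARE = 0.25               # share of batch value allowed to go to new payees
MIN_BATCH_GAP = timedelta(days=5)        # payroll runs closer together than this are unusual

def review_batch(batch, payee_first_seen, prior_batch_times):
    """Return reasons to hold a payroll batch for call-back verification."""
    reasons = []
    when = batch["submitted"]
    total = sum(cents for _, cents in batch["payments"])
    # A payee the bank has never seen is treated as enrolled at submission time.
    new = {p for p, _ in batch["payments"]
           if when - payee_first_seen.get(p, when) < NEW_PAYEE_WINDOW}
    new_total = sum(cents for p, cents in batch["payments"] if p in new)
    if total and new_total / total > MAX_NEW_PAYEE_SHARE:
        reasons.append(f"{len(new)} new payees receive {new_total / total:.0%} of batch")
    if any(timedelta(0) <= when - t < MIN_BATCH_GAP for t in prior_batch_times):
        reasons.append("payroll batch submitted soon after the previous one")
    return reasons

# Constructed sample data. Batch totals, dates and the count of nine new payees
# follow the article; names, times of day and per-payee amounts are invented.
STAFF = [f"employee-{i}" for i in range(10)]
MULES = [f"new-payee-{i}" for i in range(9)]
FIRST_SEEN = {p: datetime(2009, 1, 5) for p in STAFF}
FIRST_SEEN.update({p: datetime(2010, 11, 2, 13, 4) for p in MULES})

LEGIT = {"submitted": datetime(2010, 11, 1, 15, 0),
         "payments": [(p, 519_700) for p in STAFF]}            # $51,970 total, in cents
FRAUD = {"submitted": datetime(2010, 11, 2, 13, 30),
         "payments": [(MULES[0], 490_000)]
                     + [(p, 726_250) for p in MULES[1:]]}      # $63,000 total, in cents

if __name__ == "__main__":
    print(review_batch(LEGIT, FIRST_SEEN, [datetime(2010, 10, 15, 15, 0)]))
    print(review_batch(FRAUD, FIRST_SEEN, [LEGIT["submitted"]]))
```

A batch held by such a check would be released only after confirmation over a channel that does not pass through the customer's PC or e-mail, such as a call-back to a phone number already on file.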

This incident highlights the need for better security systems in both the business and their bank. The frequency of cyber crime is only going to increase if organizations and financial institutions fail to pay attention to the vulnerabilities of their network security. They need to implement robust internet security initiatives, including hiring highly trained information security experts, to avoid cyber crimes and security breaches.

IT security professionals can increase their information security knowledge and skills by embarking on advanced and highly technical training programs. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency of technically proficient information security professionals.

Additionally, the all-new EC-Council CAST Summit series was also created to make advanced information security training opportunities available for information security professionals across the globe. It is an excellent platform for IT security professionals to acquire cutting-edge skills by taking the CAST workshops, or to further enhance their IT security knowledge by attending the one-day seminar.

The three-day CAST Summit workshops cover current and important security topics such as penetration testing, application security, cryptography, network defense and mobile forensics training, and allow participants to actually learn, not just listen or be rushed through a short presentation as at many other events or conferences. All of these IT security trainings will be conducted only by appointed EC-Council Master Trainers, some of whom are authors of the respective trainings.


About the Author:
EC-Council's CAST was created to address the need for highly technical and advanced IT security trainings for information security professionals. CAST offers programs that cover important domains such as advanced penetration testing, digital mobile forensics training, and web application.



Article Originally Published On: http://www.articlesnatch.com

