Cyberthieves still rely on human foot soldiers

Nov 22, 2010 By ALICIA A. CALDWELL and PETE YOST, Associated Press
This poster released by the FBI shows photos of Eastern European cybercriminals wanted on a variety of federal charges stemming from criminal activities including money laundering, bank fraud, passport fraud, and identity theft in New York. Complaints were issued by the United States District Court, Southern District of New York, in September of 2010. The court records of Operation Trident Breach reveal a surprise: For all the high-tech tools and tactics employed in these computer crimes, platoons of low-level human foot soldiers, known as "money mules," are the indispensable cogs in the cybercriminals' money machine. (AP Photo/FBI)

(AP) -- Sitting at a computer somewhere overseas in January 2009, computer hackers went phishing.

Within minutes of casting their electronic bait they caught what they were looking for: a small Michigan company where an employee unwittingly clicked on an official-looking e-mail that secretly gave cyberthieves the keys to the firm's bank account.

Before company executives knew what was happening, Experi-Metal Inc., a suburban Detroit manufacturing company, was broke. Its $560,000 bank balance had been electronically scattered into bank accounts in Russia, Estonia, Scotland, Finland and around the U.S.

In August, the Catholic Diocese in Des Moines, Iowa, lost about $680,000 over two days. Officials there aren't sure how hackers got into their accounts, but "they took all they could" before the bank noticed what was going on, according to Jason Kurth, diocese vice chancellor.

The diocese and the Detroit company were among dozens of individuals, businesses and municipalities around the country victimized by one of the largest cybertheft rings the FBI has uncovered.

In September, the bureau and its counterparts in Ukraine, the Netherlands and Britain took down the ring they first got wind of in May 2009 when a financial services firm tipped the bureau's Omaha, Neb., office to suspicious transactions. Since then, the FBI's Operation Trident Breach has uncovered losses of $14 million and counting.

Overall in the last two years, the FBI has opened 390 cases against schemes that prey on businesses that process payments electronically through the Automated Clearinghouse, which handles 3,000 transactions every five seconds. In these cases, bureau agents have uncovered attempted thefts totaling $220 million and actual losses of $70 million.

But the court records of Operation Trident Breach reveal a surprise: For all the high-tech tools and tactics employed in these computer crimes, platoons of low-level human foot soldiers, known as "money mules," are the indispensable cogs in the cybercriminals' money machine.

A dozen FBI criminal complaints filed in New York provide an inside look at how this cybertheft ring worked:

Operating from Eastern Europe and other overseas locations, the thieves used malicious software, known as malware, to infect the computers of unsuspecting users in the United States by e-mail. The malware-infected e-mails were written to look like they came from a company manager or colleague who might send an e-mail message to everyone in a company, such as the head of human resources.

When the e-mail recipient clicked on an embedded link to a website or opened an attachment, a Trojan horse virus called Zeus installed itself and gathered usernames, passwords and financial account numbers typed by the victims on their own computers. The hackers then used this information to move the victims' money electronically into bank accounts set up in the United States by the money mules.

The money mules set up shell bank accounts to receive the money. Then they withdrew the funds from the shell accounts in amounts they thought were small enough to elude detection by banks and law enforcement. In some cases, the cyberthieves bombarded telephone numbers attached to the targeted accounts with calls to block the company from calling to verify the transactions.

The mules sent most of the stolen funds overseas electronically to accounts controlled by the ring leaders; the mules usually kept 8 to 10 percent as their cut.

For instance, the FBI said money belonging to one TD Ameritrade customer landed in the bank account of a fake company, the Venetian Development Construction Service Corp., which was registered at an unmarked, two-story brick building in Brooklyn. The sole name on the construction company's account was that of one of the money mules. Eventually some of the money wound up in accounts in Singapore and Cyprus, and some walked out the bank's door in the pockets of mules. TD Ameritrade spokeswoman Kim Hillyer said the company has reimbursed customers who lost money.

Just like in the illegal drug trade, the ring leaders overseas reaped the big profits but relied on the mules to do the risky, dirty work.

For each shell account, a mule had to walk into a bank, in full view of surveillance cameras and leave copies of personal identification documents. The ring leaders hid behind computer screens overseas.

Operation Trident Breach found many mules are Eastern Europeans who came to the U.S. on student visas.

Among the allegations in the FBI's criminal complaints:

One mule was an immigrant from Moldova who, within a few months of her arrival in New York this year, had opened at least six accounts using a trio of names. Another mule, a Russian national, opened eight accounts at three different banks using five different aliases.

The criminal networks used so many money mules that full-time recruiters were needed. One recruiter placed advertisements on Russian language websites seeking students with U.S. visas.

A pair of Russian roommates living in Brooklyn worked together. One smuggled at least $150,000 in cash to hackers in Russia, arranged for fake passports to be smuggled into the U.S., and acted as a middleman picking up and delivering stolen money from other mules. The other roommate opened accounts with fake names and false passports in New York and New Jersey this summer.

This cybertheft ring zeroed in on individuals and small- and medium-sized businesses because they usually have fewer computer security safeguards than huge companies. Among its targets: municipalities in Massachusetts and New Jersey, the account held by a hospital at a California bank and the computers of at least 30 customers of E Trade Financial Corp.

Like a number of victims, Experi-Metal has sued its bank over the thefts.

A lawyer for Experi-Metal, Richard Tomlinson, said the thieves emptied the company's account and then tried to siphon another $5 million out through an empty savings account of an Experi-Metal employee. They actually transferred another $1.34 million before the bank shut down the mystery wire transfers, Tomlinson said.

According to court records, the company's bank, Dallas-based Comerica Inc., has recovered all but the company's original balance of $560,000. Tomlinson said the bank should be liable for the company's losses because the wire transfers were obviously dubious - the company hadn't made any transfers in more than two years and never to Eastern Europe.

"Canada was maybe as exotic as we got and it was maybe three or four years before this," Tomlinson said.

Comerica says it wasn't part of the problem.

"This was caused solely by the actions of that (Experi-Metal Inc.) employee," a lawyer for the bank wrote in a court filing. "The criminal that accessed Experi-Metal's accounts was able to do so only because Experi-Metal gave him its key."
