Cyber attackers empty business accounts in minutes

IDG News Service - The criminals knew what they were doing when they hit the Western Beaver County School District.

They waited until school administrators were away on holiday, and then during a four-day period between Dec. 29 and Jan. 2, siphoned $704,610.35 out of two of the school district's bank accounts. Western Beaver's financial institution, ESB Bank, managed to reverse some of the transfers, but the Pennsylvania school district was out more than $441,000.

On July 9, Western Beaver sued ESB to try and recover the money, but security experts say that it's just one of many organizations that have been hit in recent months by a disturbing new type of financial fraud that can often leave the victim holding the bag.

Fraudsters are taking advantage of the widely used but obscure Automated Clearing House (ACH) Network in order to pull off their attacks. This financial network is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.

In April, ACH fraudsters moved $1.2 million out of a Sugar Land, Texas, importer called Unique Industrial Products, according to a report in the Houston Chronicle. They did this by hacking into the company's computers and then authorizing 39 transfers to move the money out of Unique Industrial's account. Although the bulk of the money was recovered, scammers made $150,000 from the attack -- not bad for 30 minutes of work.

"ACH fraud continues to grow, especially in this current economic downturn where unemployment is at very high levels," said Jeffery Dertz, a partner in the insurance practice group with Blackman Kallick, a Chicago-based accounting and consulting firm.

Criminals can make millions of dollars per day with ACH fraud, investigators say. And while consumers are protected from this type of fraud, the rules for corporations and organizations are not as clear-cut, so sometimes victims like Western Beaver find themselves having to pay.

The fraud typically starts with a targeted phishing e-mail, aimed at whomever is in charge of the company's checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.

"If I can get a hold of their credentials then I can have some fun," said Robert West, the former chief information security officer at Fifth Third Bank, who is now CEO of security intelligence consultancy Echelon One. He agrees that ACH fraud is a growing problem

Western Beaver's attorney, Alfred Steff, declined to comment for this story, but in court filings the county said that fraudsters used a computer virus to hack into the school board's computer system.