5 indicted in '07 cybertheft of city's bank account

Alleged crooks illegally wire-transferred $450,000 from Carson, Calif. bank account

Five people were indicted this week on wire fraud and other criminal charges stemming from a 2007 cybertheft in which $450,000 was stolen from the bank account of the city of Carson, Calif.

The indictment charges John Quinn and Anthony Bobbitt of allowing their bank accounts to be used as conduits for accepting money stolen from the city and sending it to bank accounts belonging to three other suspects, Jennifer Woodward, Deago Smith and Lance Holt.

Gregory Evans, CEO of Ligatt Security, an Atlanta-based company that was used by Carson officials to conduct a forensics investigation of the incident, welcomed the indictments and expressed relief that the case was not allowed to go cold.

According to Evans, the theft was perpetrated by hackers using spyware installed on a laptop belonging to the city treasurer. The malware was used to steal the treasurer's login credentials to the city's bank account.

The stolen credentials were then used to initiate several wire transfers totaling about $450,000 from the city's accounts to accounts belonging to Quinn and Bobbitt. The two individuals are accused of sending and attempting to send the stolen money to the other alleged conspirators in the case after keeping a cut of the stolen loot for themselves.

It's not entirely clear how the alleged thieves managed to install the spyware on the city treasurer's laptop, Evans said. The laptop, which was owned by the city, was securely protected while it was connected to the city network, but did not appear to have the same level of protection when it was not directly connected to it, Evans added.

"There was no spyware protection or antivirus protection on the laptop when it was not plugged into the city's network," Evans said. It's a scenario that's fairly common within corporate environments as well, he added.

Most of the money that was stolen from Carson's bank account was later recovered. A request seeking comment from the city's manager was not immediately returned.

The thefts at Carson occurred over two days in May 2007. Since then, there have been dozens of similar heists involving the use of stolen login credentials to illegally transfer money out of bank accounts. Such thefts are believed to have resulted in hundreds of millions of dollars being siphoned out of U.S. bank accounts and transferred overseas. Most of the thefts have targeted small businesses. But there have been several incidents where small cities and towns have been attacked.

In February, the town of Poughkeepsie, N.Y., for instance, revealed that cyber crooks had looted more than $375,000 from its bank account. About $95,000 of that amount was later recovered. Security blogger Brian Krebs, who has been chronicling many of these attacks over the past several months, lists other incidents in which small towns have been similarly victimized. One example involves the Duanesburg Central School District in upstate New York, which lost nearly $500,000 after cyberthieves looted in bank account.

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon