Five indicted in cybertheft of city's bank accounts

Thieves used spyware to steal login credentials and illegally transfer $450K from Carson, Calif.'s coffers in 2007

Five people were indicted this week on wire fraud and other criminal charges stemming from a 2007 cybertheft in which nearly $450,000 was stolen from the bank accounts of the city of Carson, Calif.

The federal indictment, handed down in the U.S. District Court for the Eastern District of North Carolina, charges John Quinn and Anthony Bobbitt with allowing their bank accounts in North Carolina to be used as conduits for accepting stolen money and for sending it to bank accounts belonging to three other suspects: Jennifer Woodward, Deago Smith and Lance Holt.

Karen Avilla, treasurer for Carson, said the money was siphoned out of the city's coffers via two unauthorized money transfers in May 2007.

The first transfer, from the city's bank account at the City National Bank (CNB) of Carson, was for an amount of $90,500, which was sent to Quinn's account at Branch Banking & Trust in Wilson, NC.

The second transfer, a day later from the same CNB account, involved $358,500 that was sent directly to a National City Bank account in Detroit belonging to a company called Broadbase Financial that was owned by Holt.

The alleged thieves used valid login credentials to access the city's bank account and initiate both money transfers, Avilla said. The city later recovered about $304,000 of the stolen money and was reimbursed $100,000 more by its insurance provider. But it is still short about $44,000 as a result of the theft, she added.

Gregory Evans, CEO of Ligatt Security, hired by Carson officials to conduct a forensics investigation of the incident, said the city's login credentials were stolen via spyware installed on Avilla's city-issued laptop computer.

It's not entirely clear how the alleged thieves managed to install the spyware on the city treasurer's laptop, Evans said. The laptop, which was owned by the city, was securely protected while it was connected to the city network, but did not appear to have the same level of protection when it was not directly connected to it, Evans added.

"There was no spyware protection or antivirus protection on the laptop when it was not plugged into the city's network," Evans said. It's a scenario that's fairly common within corporate environments as well, he added.

Avilla said she doubts that the spyware was installed by the five alleged conspirators against whom the indictments were handed down this week.

Rather, she believes that someone else stole the login credentials and then sold them to the individuals now accused of stealing the money.

Avilla said CNB should have done a much better job of detecting and alerting the city to what was going on.

What's not clear is why it might have taken law enforcement three years to hand down indictments in the case, Avilla said. Unlike other instances where cyber crooks simply transfer stolen money to bank accounts outside the U.S., making it hard to track them down, the alleged conspirators in this case used domestic bank accounts.

One reason it might have taken this long is that the investigations were being handled by two agencies, the FBI in NC and the Secret Service in Detroit, she said.

Partly to blame for the delay could also be that the case involves other victims as well, she said. Avilla said that the indictment indicates that the five accused individuals may have taken at least one other victim.

The unnamed victim or victims maintained accounts at Citibank in Washington DC, from which two unauthorized wire transfers totaling over $60,000 were made to the Coastal Federal Credit Union account of Bobbitt in North Carolina.

"I'm thrilled that they have finally indicted some people and that we can go public with what's been going on," Avilla said. "[Investigations] have been going on for quite a while but we were not able to talk about it because it was still an ongoing investigation," she said.

Since the thefts, the city has moved its account from CNB and now maintains it with Wells Fargo Bank.

The city has also implemented new security measures for wire transfers. It has asked its bank to send out messages in three different formats (e-mail, text and fax) to Avilla and three other city employees every time a wire transfer is initiated.

The measure stems from a lack of confidence in a banking organization's ability to detect and stop fraudulent transactions on its own, she said.

A request for comment from Thomas Murphy, the assistant U.S. attorney handling the case, was not immediately returned.

Since the thefts, there have been dozens of similar heists involving the use of stolen login credentials to illegally transfer money out of bank accounts. Such thefts are believed to have resulted in hundreds of millions of dollars being siphoned out of U.S. bank accounts and transferred overseas.

Most of the thefts have targeted small businesses. But there have been several incidents where small cities and towns have been attacked.

In February, the town of Poughkeepsie, N.Y., for instance, revealed that cyber crooks had looted more than $375,000 from its bank account. About $95,000 of that amount was later recovered.

Security blogger Brian Krebs, who has been chronicling many of these attacks over the past several months, lists other incidents in which small towns have been similarly victimized. One involves the Duanesburg Central School District in upstate New York, which lost nearly $500,000 after cyber thieves looted its bank account.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
