It’s a curious feature of the IT security world that predicted attack vectors have a nasty habit of becoming a cybercriminal reality, and Arbor Networks’ solutions architect team leader Darren Anstee’s predictions about DDOS attacks hiding another attack – made to ITSP at last year’s Infosecurity Europe show – appear to have come true, with a Californian bank reportedly being hit for $900,000.
According to security researcher Brian Krebs of the KrebsOnSecurity newswire, a DDoS attack started against Bank of the West in San Francisco around lunchtime on Christmas Eve last year.
Just prior to this, he says that cybercriminals started moving money out of corporate accounts belonging to Ascent Builders, a Californian-based construction firm.
Krebs interviewed one of the money mules used in the Bank of the West scam and contacted Ascent Builders soon after Christmas; although the company was unaware of the cyberheist, its bank soon confirmed what had happened.
The scale of the cyberheist is interesting, as Krebs says the money mule he interviewed was one of 62 used in the scam, shuttling money around in blocks of between $4,000 and $9,000 after the funds had been transferred in larger blocks from the hapless building firm.
Mark Shope, Ascent Builders’ president, told the researcher that his financial controller went online to the bank’s online service on Christmas Eve morning, but her browser would not let her access the bank’s page.
“She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site,” Krebs noted, adding that Shope says the Web page said the bank was offline for 24 hours and users could not get in.
“We called the bank and they said everything was fine,” the firm’s president told the researcher, but it appears that the DDoS attack was used as a method of distracting attention from the unauthorised automated clearing house (ACH) and wire transfers from Ascent’s accounts.
Krebs suggests that the problems with the financial controller’s computer were probably the result of an infection by the Gameover Trojan, a ZeuS Trojan variant that he says has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.
FBI called in
Shope told the researcher that the FBI has been brought into the investigation, and even though the bank and the FBI have not commented, Krebs goes on to say that more than one client of Bank of the West may have been hit by a banking fraud on Christmas Eve.
The good news is that Ascent has managed to claw back half of the $900,000 “and expects to recover a great deal more” as many of the larger fraudulent transfers went to other businesses.
One interesting aside is that one of the money mules appears to have been working at a Hertz equipment rental franchise on the East Coast of the US and called Ascent Builders to complain after an $82,000 transfer to its account was clawed back by the bank.
“We got a call from a Hertz rental equipment company back east, and they said ‘Why did you take this deposit out of our account?’,” Shope told Krebs, adding that, when the firm’s president asked the caller what he thought the deposit was for, he replied: “Oh, this was for some equipment that we were purchasing for you guys from Russia, and we already sent the money on [to Russia], so what’s going on?”