For just $5 an hour, or $40 per day, you can keep anyone’s phone so tied up with incoming junk calls that the number is unable to receive legitimate calls.

The seller offers discounts for frequent buyers of his service, and promises that each call to the targeted number will appear to come from a unique phone number, thereby foiling any efforts to block the bogus calls by caller ID. The vendor also is offering this service under escrow payment, which many fraud forums use to ensure both parties to a transaction are happy before payment is rendered.

The FBI first warned about these attacks in June 2010, advising that that receiving rapid-fire “dead air” calls could be a sign that your bank account is being emptied. From that advisory:

“Denial-of-service attacks, by themselves, are nothing new—computer hackers use them to take down websites by flooding them with large amounts of traffic.”

“In a recent twist, criminals have transferred this activity to telephones, using automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting citizens.”

“Why are they doing it? Turns out the calls are simply a diversionary tactic: while the lines are tied up, the criminals—masquerading as the victims themselves—are raiding the victims’ bank accounts and online trading or other money management accounts.”

The easy availability of this criminal offering highlights once again how nearly every aspect of the cyber underground has been converted into a service for hire. Take cyber heists, for instance: Everything about them can now be outsourced to third party services.

You can rent a botnet to send your Trojan-laced emails and steal online banking credentials from thousands who click the booby-trapped attachments. You can purchase Web injects that allow you to change the behavior of targeted bank Web sites as they are displayed in the victim’s browser. If you want help hauling the loot, you can rent access to money mules that are hired by mule recruitment gangs. And if you need a diversion to distract or otherwise occupy your victims while you rob them, you can rent this service.

Prosecutors say the 18-month-long investigation is notable because it underscores the ways in which traditional street crooks are moving their activity online: New York authorities maintain that more than a dozen of the defendants have violent criminal records and belong to different street gangs in Brooklyn.

At the center of the alleged conspiracy are employees at New York institutions that had access to large amounts of sensitive consumer and business data. Among those being arraigned today in a New York state court are JP Morgan Chase employees Karen Chance, Mercy Adebandjo and Joanna Gierczack; Tracey Nelson, an employee of the United Jewish Appeal-Federation; Roberto “Robbie” Millar, a car salesman for Open Road-Audi in Brooklyn; and Nicola Bennett, a compliance officer employed by AKAM Associates Inc., a residential property management company.

“These insiders used their positions to gain access to client data, and then sold that data to make money for themselves and their accomplices,” District Attorney Vance said in a written statement. “We will continue to work with our partners to build significant cases to disrupt identity theft and dismantle these criminal organizations.”

The indictments allege that middlemen named in the conspiracy purchased personal information on customers and donors from Nelson and Millar, and then either re-sold the data or used it themselves to commit fraudulent financial transactions.

Prosecutors also charge that the Chase employees abused their access to steal personal data on account holders, and sold the information to counterfeit check makers and to individuals who specialized in setting up and executing fraudulent bank transfers.

Some of the defendants are alleged to have recruited other indicted members for the purpose of using their bank accounts to conduct fraudulent transactions. Prosecutors say the recruiters played a dual role: trafficking in stolen personal information bought from others, and recruiting people to provide bank accounts through which they could commit fraud.

These so-called “collusive account holders” — effectively complicit money mules — make up the bulk of the individuals named in the indictments. New York authorities charge that when defendants wanted to withdraw money quickly from collusive accounts, they purchased US Postal Service money orders with the debit cards linked to the accounts.

The indictments state that some the defendants arraigned today used automated systems set up by Citibank and TD Bank to change the personal information on ID theft victims’ bank records, including the victims’ contact address, phone numbers and email addresses.

For example, prosecutor alleged that one of the defendants,  Josiah “Pespi” Boatwains, would request that stolen credit cards be mailed to an address where a co-conspirator Richard Ramos, an employee at United Parcel Service (UPS) would intercept the cards on Boatwain’s behalf in exchange for money.

Boatwains and two other defendants allegedly then used those stolen cards to purchase luxury items that other defendants sold to co-conspirators named in the indictments. Other defendants allegedly used hijacked credit card account numbers to make online purchases buying airline tickets, movie ticket, credit reports, pizza and iTunes products.

A statement of facts filed with the New York State Supreme Court notes that there is a large amount of violent activity that surrounds the defendants in this case. The statement reads:

“During the course of our investigation 2 targets of the investigation were murdered. One of the deceased was brutally murdered. When his body was found by the police, they recovered personal identifying information of victims linked to our case. Specifically, on his person, a copy of a check was found that was from one of our identity theft victims that had donated to the United Jewish Appeal.”

“In addition, we are informed by the police department that many of these defendants are members of the Brooklyn Gang called “The Outlaws,” and others are Bloods and Crypts [sic]. Many of our defendants have violent criminal convictions.”

New York authorities say they expect the dollar losses to increase as the investigation continues.

The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called “Gameover.” The rash of thefts come after a series of heavy spam campaigns aimed at deploying the malware, which arrives disguised as an email from the National Automated Clearing House Association (NACHA), a not-for-profit group that develops operating rules for organizations that handle electronic payments. The ZeuS variant steals passwords and gives attackers direct access to the victim’s PC and network.

In several recent attacks, as soon as thieves wired money out of a victim organization’s account, the victim’s public-facing Internet address was targeted by a network attack, leaving employees at the organization unable to browse the Web.

A few of the attacks have included an odd twist that appears to indicate the perpetrators are using money mules in the United States for at least a portion of the heists. According to an FBI advisory, some of the unauthorized wire transfers from victim organizations have been transmitted directly to high-end jewelry stores, “wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).”

The advisory continues:

“Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as ‘pending’ and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.”

The attackers also have sought to take out the Web sites of victim banks. Jose Nazario, manager of security research at Arbor Networks, a company that specializes in helping organizations weather large cyber attacks, said that although many of the bank sites hit belong to small to mid-sized financial institutions, the thieves also have taken out some of the larger banks in the course of recent e-heists.

“It’s a disturbing trend,” Nazario said.

Nazario said the handful of attacks he’s aware of in the past two weeks have involved distributed denial-of-service (DDoS) assaults launched with the help of “Dirt Jumper” or “Russkill” botnets. Dirt Jumper is a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground, and is made to be surreptitiously installed on hacked PCs. The code makes it easy for the botnet owner to use those infected systems to overwhelm targeted sites with junk traffic (KrebsOnSecurity.com was the victim of a Dirt Jumper botnet attack earlier this month).

Security experts aren’t certain about the strategy behind the DDoS attacks, which are noisy and noticeable to both victims and their banks. One theory is that the perpetrators are hoping the outages will distract the banks and victims.

“The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found),” the FBI said.

That strategy seemed to have worked well against Sony, which focused on weathering a DDoS attack from Anonymous while information on more than 100 million customers was being siphoned by hackers.

“In the chaos of a DDoS, typically network administrators are so busy trying to keep the network up that they miss the real attack,” said Jose Enrique Hernandez, a security expert at Prolexic, a Hollywood, Fla. based DDoS mitigation company. “It’s a basic diversion technique.”

Another theory about the DDoS-enhanced heists holds that the thieves are trying to prevent victim organizations from being able to access their accounts online. One crime gang responsible for a large number of cyber heists against small to mid-sized U.S. businesses frequently invoked the “kill operating system” command built into the ZeuS Trojan after robbing victims.

Organizations that bank online should understand that they are liable for any losses stemming from cyber fraud. I have consistently advised small to mid-sized entities to consider using a dedicated computer for online banking — one that is not used for everyday Web surfing — and preferably a non-Windows system, or a “live CD” distribution.

Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.

The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes prior to the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.

When Aurora visited the bank local Chase branch to get assistance, she was told she needed to deal with the bank’s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1.

Capital One declined to comment for this story, citing the ongoing litigation.

Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.

“By operating a single factor identification online banking system, Capital One lefts its customers open to identity theft and failed to take sufficient safeguards to prevent unauthorized access to its client’s online banking accounts, including the ability to send wire transfers,” the company charged in its complaint.

Global Title also alleges that Capital One should have known that the transfers were fraudulent and unauthorized.

“Capital One was put on notice through Ms. Aurora’s phone call at 2:09 on June 1, 2010, and on subsequent calls that same day, that Global Title had no access to its online banking system,” the complaint states. “Accordingly, Capital One knew or should have known that any wire transfer that afternoon would be unauthorized.”

BUSY, BUSY MULES

Dorin Codreanu

Some of the fraudulent activity was tied to money mule activity that was busted up by federal prosecutors last year. Two wires totaling more than $234,000 were sent to Key Marius Import LLC, a company flagged by federal investigators as a fraudulent front for organized cyber thieves.  In November 2010, Wisconsin police arrested two men who were wanted as part of a crackdown in late Sept. 2010 on so-called “J1″ money mules who were in the United States on work/travel visas. According to an FBI press release from last fall, Key Marius and the commercial bank account attached to it were set up by one of those men, Dorin Codreanu, a Moldovan who pleaded guilty to conspiracy charges earlier this year.

Codreanu was sentenced to three years in prison, and ordered to pay restitution of more than $110,000 to his victims. The court judgment against him (PDF) states that the company Codreanu was ordered to pay restitution was not Global Title but a Dinkels Bakery; the remainder of the $110,000 restitution was to be paid to court services, Level One Bank and JP Morgan Chase.

Other companies that received large wire transfers may also have been fronts set up in advance of the attack. Key Marius Import LLC was established in April 2010, as were; Alvarez Here and Now, Inc. of Ontario, Calif, which received a fraudulent wire of $39,560 on June 2; Sharp and Bright Designs Inc. of Simi Valley, Calif., which was sent a bogus wire of $19,583 from Global Title on June 2; PWD Properties, incorporated in late January 2010 in Wilmington, Del., was sent a fraudulent wire of $28,582 on June 2.

Capital One was able to reverse all but the first three fraudulent wires ($119,500 to Key Marius, $39,560 to Alvarez Here and Now, and $48,698 to a Dwaine Peterson), leaving Global Title with a $207,758 loss. As a result, it was forced to take out a loan to make the required cash distributions from the firm’s escrow account.

UNCERTAIN LEGAL GROUND

Banks in the United States are supposed to adhere to online banking authentication guidance issued in 2005 by regulators at the Federal Financial Institutions Examination Council (FFIEC), but many institutions have been slow to comply with the guidelines.

Several victims of corporate account takeovers have sued their banks, claiming similar negligence, but with mixed results. In June 2011, a Michigan court held Comerica Bank liable for more than half a million dollars stolen in a 2009 cyber heist. Two months later, a district court judge in Maine ruled that banks which protect accounts with little more than passwords and secret questions are in compliance with the FFIEC’s security guidance.

Faced with an explosion of corporate account takeovers in the past two years, the FFIEC recently updated its guidance, which calls for “layered security programs” to deal with riskier commercial banking transactions, including methods for detecting transaction anomalies, the use of out-of-band verification, and enhanced customer awareness campaigns. Those requirements, which will inform the activities of bank security examiners, are set to take effect on Jan. 1, 2012.

Avivah Litan, a fraud analyst with Gartner Inc., said many banks are still out of compliance with the FFIEC’s older guidance.

“The new guidance isn’t that radical, and it basically re-affirms the previous guidelines and clarifies some points,” Litan said. “This case sounds like a clear violation of the FFIEC guidance, which says put controls in place that are commensurate with the risk, and many banks still aren’t doing that.”

Global Title is asking the court for a $500,000 judgment, plus pre- and post-judgment interest and attorney’s fees. Their legal challenged has cleared its first major set of procedural hurdles, and unless both parties settle before then, the case is scheduled to go to trial on April 10, 2012.

A copy of the company’s complaint is available here (PDF).

Update, 12:36 p.m. ET: Fixed the link to Global Title’s complaint filing.

Update, Nov. 15, 4:53 p.m. ET: Capital One provided the following statement in response to this article:

“Capital One’s authentication controls protecting our commercial platforms are compliant with the federal multifactor authentication guidance. These controls are the subject of annual risk assessments to ensure they remain appropriate in light of the threat environment. In the funds transfer realm, among the controls utilized are hard tokens and out-of-band confirmation of payment instructions.

As part of our broader security measures, Capital One provides security – and safe computing – related ‘best practice’ tips and recommendations to let our small business and commercial clients know what they can do to protect themselves and reduce their fraud risk.”

Yevhen Kulibaba

According to the Metropolitan Police, the U.K. courts have convicted 13 members of the gang, including four who were profiled last year by KrebsOnSecurity shortly after their initial arrest and charging. The gang is thought to have used the ZeuS Trojan to steal nearly £3 million (USD $4.6M) from banks in the U.K.. They are believed to be responsible for aiding in the theft of at least USD $3 million from U.S. banks and businesses in the past two years.

Karina Kostromina

Among those convicted were the husband-and-wife ringleaders of the gang, 33-year-old Ukrainian property developer Yevhen Kulibaba, and his wife, Karina Kostromina, 34. According to British prosecutors, the two lived a “jet set” lifestyle and spent money on holidays, cars and property. Kostromina was cleared of conspiracy charges but convicted of money laundering, and sentenced this week to two years in prison. Kulibaba is awaiting sentencing on charges of conspiracy to defraud.

Yuriy Konovalenko

An individual described as Kulibaba’s right-hand man — 29-year-old Yuriy Konovalenko, aka “Pavel Klikov” — is due to be sentenced, also for conspiracy. Valerij Milka, a 30-year-old Ukrainian whom U.K. police say was a building laborer and fourth member of the conspiracy, was jailed for three years after admitting his role.

Milka "Valera" Valerij

News of the convictions in the United Kingdom comes days after authorities in the United States announced the guilty plea of the 27th and final individual arrested last year in New York as part of a major law enforcement sweep against Russian and Eastern European exchange students-turned-money mules. U.S. prosecutors have charged a total of 37 Russian and Eastern European students in connection with last year’s law enforcement sweep; According to the FBI, two defendants have entered into deferred prosecution agreements, and eight defendants are fugitives and are being sought in the United States and abroad.

It should be noted that these individuals were only a small part of a much larger fraud ring. According to sources close to the investigation, the true masterminds of these ZeuS-powered bank heists reside in Donetsk, Ukraine, and have yet to be charged with any crime. Authorities in Ukraine this time last year detained five individuals identified by the FBI and other national law enforcement authorities as the “coders and exploiters” in the fraud operation, but the men were released and have not been charged with a crime.

These fake NACHA lures were mailed the week of Sept. 19, even though the sent date on the message says Aug. 3. Source: Commtouch.

Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” — malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

Using NACHA’s name as bait is doubly insulting because victims soon find new employees — money mules — added to their payroll. After adding the mules, the thieves use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds (minus a commission) overseas.

On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama. John Ziak, director of information technology at the center, said he suspects the organization’s accounting firm was the apparent source of the compromise. That means other clients may also have been victimized. He declined to name the accounting firm.

Ziak said the bank was able to block some of the fraudulent transfers, but that it was too soon to say how much the thieves got away with. But the center may have better leverage than most victims in convincing the bank to accommodate them: Many of its doctors are on the board of directors of the organization’s bank.

“We still don’t know how much is going to be coming back,” Ziak said. “We can chalk it up to lessons learned, but we’re going to be making some changes with the bank…forcing them to implement a higher level of security for our account.”

Last month, computer crooks also robbed the North Putnam Community School Corporation, which serves the children of six northern townships of Putnam County, Indiana.

Mary Sugg Lovejoy, superintendent of the K-12 school system, said thieves stole about $98,000 from school coffers, sending the money to numerous individuals who had no prior business with the school district. Fortunately for North Putnam, all of the fraudulent transfers were returned shortly after the attack, Lovejoy said.

In a separate attack on a public institution, malicious hackers last month struck the City of Oakdale, Calif., according to a story in the Modesto Bee. High-tech criminals stole $118,000 from a city bank account, the publication reported last week. Oakdale city officials are confident that its insurance carrier would reimburse the loss, minus a $2,500 deductible.

But that story ended on a sour note. The reporter quoted officials from the city’s bank, Oak Valley Community Bank, wrongly laying blame for the incident on a lack of technology and security.

“It’s the same story we hear from a lot of institutions,” Oak Valley President Chris Courtney said. “It’s about safekeeping the information on your computers, scanning for viruses and having a state-of-the-art security system.”

Blocking these attacks has little to do with state-of-the-art computer systems or scanning files with anti-virus. It’s not clear what malware family was used in any of these attacks, although the first two mentioned in this story involved a cyber gang that favors the ZeuS Trojan (the fraudulent NACHA messages in the screen shot above contained a malware dropper that installs ZeuS). But organizations should understand that these attacks have far more to do with social engineering and tricking humans than with defeating technology and security solutions.

As I’ve noted in past stories, all of the victims I’ve interviewed were running anti-virus software: Very few of them had protection against the malware used in the attack until after their money was stolen.

Most commercial banks have significant room for improvement in securing the transaction and authentication space for their customers. But businesses that rely on their financial institutions to detect fraudulent activity are setting themselves up for an expensive lesson.

No single approach or technology will stop all of these account takeovers, but preventing the theft of your online banking credentials is a critical first step. That’s why I continue to advise that small- to mid-sized organizations use a dedicated computer for online banking. Using a non-Windows PC — such as a Live CD or a Mac — is the safest approach, but not necessarily the most practical or affordable. An alternate approach is to access bank accounts from an isolated PC that is locked-down, regularly updated, and used for no other purpose than online banking.

Zeustracker.abuse.ch tracks antivirus detection rates for new variants of the ZeuS Trojan. The average detection rate is about 38 percent.

A complicit mule negotiating a new deal.

In June 2011, I was investigating an online banking heist against a company called Jackson Properties. Thieves had broken into Jackson’s computers and stolen the firm’s online banking credentials. They added a half dozen money mules to the company’s payroll account, using mules they’d acquired from a gang I call the Back Office group. This mule gang uses multiple bogus corporate names, and the Back Office front company that supplied the mules in this attack was called AMR Company.

Reginald, a 45-year-0ld Texas resident, was among the mules hired by AMR Company. Reggie communicated with the mule recruiters by logging into a Web site set up by the fake company, and checking for new messages. A source who had figured out how to view the administrator’s account (and hence, all messages on the server) sent me some choice screenshots from several mule communications.

On June 7, the mule recruiters sent Reginald a transfer of $4,910, claiming that Jackson Properties was its client. Reginald was to withdraw the money in cash and wire it overseas, minus a small commission. The payment never landed in his account; it was blocked when Jackson detected the fraudulent transactions and worked with its bank to get them reversed.

But that apparently did not deter our Reginald, who told his recruiter and manager at AMR Company that he understood the whole thing was a scam, and that he had done this sort of thing before. He said he was ready and willing to open additional bank accounts to help with future fraud schemes.

On June 8, Reggie signed into his account at AMR Company and wrote the following to Sarah, his erstwhile boss:

“Let me say from the start. I knew what this was about. I’ve had success working with others like yourself in the past, especially comrades from Russia. I know this game well. If you want to have an ally in the US, I’m your guy. I have more accounts. I’d like us to try again, with another account…Listen Sarah, I am all for making some money. I couldn’t care less about our banking system, anything we can get out [sic] it. Lets [sic] do it. I cant do this without you. I can open up accounts in different names, that’s easy for me. But I have no way of funding them like you do. Think it over and see if there’s a way we can make some money. Even if we only succeed one time…we will still succeeded. I have another account ready to go. Respond to me and I will send you the name, routing, account num, etc.”

The eager mule ended his proposal with a startling declaration:

“Have a great day, Sarah, and thanks for trying. I assure you the only victim on my side will be the banks. I can easily set up active checking or savings with info I have.”

Sarah wrote back that she was interested in his idea:

“Dear Reginald,

We are interested in your offer if you can set up different accounts. What percentage would you like to get for you part of the job We can not offer you a fixed price.”

Reginald replied:

“I think 40 percent is fair. That’s what the Russians give me.”

Apparently, Reggie’s percentage was too high; he never heard from Sarah again, even after he offered to lower his cut to 30 percent of future fraudulent transfers.

I could not reach Reginald at the number he gave to AMR Company; the line was disconnected. But a search on his email address revealed more information about his current activities. He is currently the registered contact for a shady-looking enterprise that has all of the hallmarks of a multi-level marketing or pyramid scheme.

Lea French, MECA’s chief financial officer, said the trouble began when an employee with access to the organization’s online accounts opened a booby-trapped email attachment containing password-stealing malware.

The attackers used MECA’s online banking credentials to add at least six people to the payroll who had no prior business with the organization. Those individuals, known as “money mules,” received fraudulent transfers from MECA’s bank account and willingly or unwittingly helped the fraudsters launder the money.

French said the attackers appeared to be familiar with the payroll system, and wasted no time setting up a batch of fraudulent transfers.

“They knew exactly what they were doing, knew how to create a batch, enter it in, release it,” she said. “They appear to be very good at what they do.”

Prior to the heist, MECA refused many of the security options offered by its financial institution, First National Bank of Omaha, including a requirement that two employees sign off on every transfer.

“We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us,” French said. “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”

MECA was able to reverse an unauthorized wire transfer for $147,000 that was destined for a company called Utopia Funding U.S.A. The organization was not as lucky with the remaining transfers.

The funds stolen from MECA were sent to money mules recruited through fraudulent work-at-home job offers from a mule recruitment gang that I call the “Back Office Group.” This gang is one of several money mule recruitment outfits, and they appear to be among the most active. Like many other mule gangs, they tend to re-use the same format and content for their Web sites, but change their company names whenever the major search engines start to index them with enough negative comments to make mule recruitment difficult.

The mules used in the MECA heist were recruited through a Back Office Group front company named AV Company. Mules were told they were helping the company’s overseas software engineers get paid for the work they were doing for American companies. In reality, the mules were being sent payments to transfer that were drawn on hacked accounts from victims like MECA.

More than $9,000 of MECA’s money was sent to Erik Rhoden, a resident of Fleming Island, Fla. Rhoden was recruited in June by the Back Office Group. Rhoden successfully transferred the funds to three individuals in Eastern Europe, but says he didn’t profit from the work. His story matches that of other mules recently recruited by Back Office, and indicates a devious shift in tactics which ensures that mules never receive a payment for their work.

Typically, the Back Office group had instructed mules to withdraw transfers in cash, pocket eight percent as a commission, and wire the remainder of the funds to specific individuals overseas. Recently, the Back Office group changed its policy, and began telling mules to transmit the entire amount. In place of commissions, mules are now promised a payday at the end of the month. That payday almost never comes.

“They said I was going to get benefits, a salary, and a bonus for each transaction, but that was all a lie,” said Rhoden, who recently landed a job as a drink server in a local bar.

MECA lost more than $70,000 from the heist, although French said she believes their Travelers cyber security policy will help recoup some or all of the loss.

“We have a $25,000 deductible, plus the cost of an ongoing forensic investigation, which is going to be pretty expensive,” she said.

MECA has since added more security features to its online banking account, and access to that account is only possible through a locked-down, dedicated computer.

“All of this is a day late and a dollar short, I guess,” French said. “Why isn’t someone out shouting on the rooftops about this fraud? People need to understand how exposed they are.”

The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.

Over the next four business days, the thieves initiated another three fraudulent batch payments to money mules. Some transfers went to money mules who owned businesses, such as a $14,750 payment to Mission Viejo, Calif. based Art Snyder Software. Most money mules were sent payments of less than $5,000.

Pittsford town supervisor William Carpenter said the FBI is investigating the incident, and that many of the details of how the attackers got in remain unclear. He said the FBI told him the thieves most likely stole the town’s online banking password using a banking Trojan. He added that the town has recovered just $4,800 of the stolen funds, the proceeds of a single transfer. I left a message with the FBI field office in New York but haven’t yet heard back.

“We have good firewalls and anti-virus software, and we weren’t at all lax in our security systems,” Carpenter said. “We thought we were pretty secure.”

Carpenter said the fraud went undetected for days. He said the town normally does its direct deposit payroll bi-weekly on Wednesdays, and that the first fraudulent transfers happened during a non-payroll week.

The attack happened shortly after Pittsford opened an account with Canandaigua National Bank & Trust (CNB), a regional institution based in Canandaigua, N.Y. Carpenter said that prior to banking at Canandaigua, the town held its online accounts at a different bank, where all transactions had to be approved by at least two town officials. But he said the town hadn’t yet established these dual controls over their account at Canandaigua at the time of the fraud.

Carpenter said he was not fully versed in the security mechanisms in place for the bank’s commercial customers, but a review of the security procedures displayed on Canandaigua’s Web site indicate that they include a user name, password, a set of security questions. Customers also have the option of registering their computers, which involves downloading a CNB certificate or cookie. According to the bank’s site, “when you log in from a registered computer you are not required to answer a security question to complete the process.”

CNB spokesman Steve Martin declined to respond to any specific questions about the incident, but he confirmed the information about the bank’s authentication procedures.

The question of how far commercial banks should go to authenticate their customers was the subject of a court battle I wrote about earlier this week. The lawsuit was brought by a Maine construction firm that lost $345,000 in May 2009 when thieves used the ZeuS Trojan to steal the company’s online banking credentials and defeat their bank’s online security measures, which were eerily similar to CNB’s: passwords, secret questions and registered computers. That case also involved a series of fraudulent transfers that took place over the course of a week.  A magistrate in that case issued a recommended decision earlier this month that said the bank’s security measures were sufficient to meet federal guidelines on ebanking authentication.

The proliferation of commercial banking thefts involving the ZeuS Trojan and other sophisticated attack tools underscores the asymmetry between the attackers and defenders. As I have detailed in more than 75 stories on this topic, ZeuS allows attackers to manipulate the victim’s browser and to log in to the victim’s bank account using the victim’s own PC, effectively negating any security that a device fingerprint or registered computer may provide.

Unfortunately, these attacks will continue; I’ve been in touch with three other organizations in the past week that have experienced losses from ebanking thefts but have asked not to be named. There are millions of towns, cities, nonprofits, churches and small businesses that remain dangerously exposed to this type of attack, and far too many banks that are not doing enough to educate their customers about the threat and to implement systems capable of detecting the attacks when they occur.

The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers to China after their online banking credentials were stolen by malicious software. The alert was sent out Tuesday in cooperation with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium. The alert notes that actual victim losses are $11 million, suggesting that victim banks were able to claw back some of the fraudulent transfers.

The FBI says it doesn’t know who is behind these fraudulent transfers, but that the intended recipients are companies based in the Heilongjiang province of the People’s Republic of China, and that these firms are registered in port cities that are located near the Russia-China border. The agency says the companies all use the name of a Chinese port city in their names, such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Donging, and that the official name of the companies also include the words “economic and trade,” “trade,” and “LTD”. The recipient entities usually hold accounts with a the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.

From the advisory (PDF):

“In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing email or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials. When the authorized user attempts to log in to the user’s bank Web site, the user is typically redirected to another Web page stating that the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.”

The alert said the unauthorized wires range in value from $50,000 to $985,000. While most transfers tend to be toward the upper end of that spectrum, “the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000.” In addition, the attackers initiated fraudulent automated clearing house (ACH) transfers to money mules in the United States within minutes of conducting the overseas wire transfers.

According to the alert, the thieves  used a variety of malicious software to steal victim online banking credentials, including the ZeuS Trojan, backdoor.bot and Spybot, all malware families that let the crooks steal passwords and control infected systems remotely.

None of this should be news to anyone who has followed my reporting on this type of crime. I’ve written more than 70 stories over the past two years about these type of attacks. Earlier this year, victims at three Iowa banks lost about $2 million in a series of fraudulent wire transfers to Hong Kong. Last fall, thieves stole close to $1 million in a single fraudulent wire transfer from the University of Virginia to the Agricultural Bank of China.

It is vital for small business owners to understand the risks they face when banking online, and to get a sense of the sophistication of today’s attackers. Unlike consumers — businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them. Small business owners wondering what they can do to protect themselves should read the tips at this post. One of the surest ways that business owners can avoid becoming the next victim is for the person handling the company’s books to bank online only from a dedicated machine — preferably one that is not Windows-based (since all of the malware used in the attacks to date won’t run on anything but Windows). Using a Mac or a Live CD approach may seem expensive or impractical, but losing hundreds of thousands of dollars because your PC got a virus infection isn’t so great either.