
$1.5M cyber heist causes escrow firm to close its doors

A defunct escrow firm, which failed to recover lost funds after a $1.5 million cyber heist, serves as a grave reminder to businesses to spot telltale signs left by fraudsters.

Huntington Beach, Calif.-based Efficient Services Escrow Group found itself entangled in a scheme often carried out by cyber criminals aiming to siphon funds from unwary victims. On Wednesday, security blogger Brian Krebs brought the case to light on his website: another company discovered far too late that a large money transfer had been fraudulently wired to bank accounts in a faraway destination.

Only in this instance, the cyber heist, where attackers infected Efficient's networks with a remote access trojan, culminated in employees of the victim company losing their jobs – and the firm itself being shut down by state regulators.

Efficient was shuttered in March by the California Department of Corporations after three fraudulent wire transfers took place: a December 2012 wire for $432,215 to an account in Russia, and two wires on Jan. 24 and 30 totaling $1.1 million which were sent to accounts in the Heilongjiang province in China, an area near the border of Russia and China that the FBI has flagged in the past as a destination for stolen funds.

The escrow firm was able to recover the nearly half a million dollars wired in December, but California's commissioner of the Department of Corporations deemed that the loss of the rest of the unaccounted-for money (the $1.1 million remaining) was the result of Efficient “conducting escrow business in an unsafe, injurious and unauthorized manner, so as to render further operations hazardous to the public and to customers…,” a March 7 document filed in a Los Angeles court said (PDF).

According to the agency, Efficient failed to maintain its financial records in accordance with California state law. The firm's practices also allowed the second and third wire transfers to occur undetected, the court document said.

Peter Davidson, a partner at law firm Ervin Cohen & Jessup in Beverly Hills, who was appointed by the courts to work with Efficient to recover the funds stolen from customers' escrow accounts, said on Thursday that he wasn't aware of what specific trojan was used to compromise Efficient's systems.

“I think [the attackers] somehow got remote access to the company's computers,” Davidson said. “The case is ongoing. We are looking into [ways] of trying to recover the money [and] are talking to the banks to see if they want to come to some resolution on the issue.”  

Davidson said that if an agreement can't be reached with the bank that in January released the funds to the fraudsters – Irvine, Calif.-based First Foundation – he may file a lawsuit against it.

A 2011 FBI fraud alert (PDF) warned of the trend of fraudsters sending stolen funds to the Heilongjiang province in China. Federal law enforcement also said that attackers usually opted to use the commercial banking trojan Zeus to steal victims' login credentials before having money mules withdraw the fraudulently wired funds. Other backdoors, including a trojan called Spybot, have also been used in such heists, the alert said.

While Efficient serves as a worst-case scenario of attackers successfully draining the accounts of unsuspecting companies, some researchers believe that it's become harder for fraudsters to carry out their two-part scams, which involve stealing credentials then cashing out with money mules.

Idan Aharoni, head of cyber intelligence at RSA, wrote in a Tuesday blog post that banks are, on the whole, “doing a better job at identifying mule accounts and are in fact declining [or] outright blocking potentially fraudulent transfers sent to them.”

The extra attention paid by banks that catch suspicious transfers comes at a time when landmark cases are making their way through the court system.

Last November, People's United Bank ended up settling out of court with a small construction company, Patco Construction, which lost nearly $600,000 to hackers that emptied its accounts. Under the settlement, the bank was ordered to pay Patco $345,000 and an additional $45,000 in interest for not stepping in to stop the fraudulent transactions.

The two companies settled after an appeals court reversed an earlier court decision in favor of the bank.
