Cybercriminals disguised themselves and stole more than $900,000.
On Christmas Day’s eve, hackers attacked the website of a regional California bank. They distracted the bank officials and siphoned off the money.
On December 24, 2012, at around midday, Ascent Builders corporate bank accounts became the focus of online cyber thieves. The Sacramento, Calif-based construction firm accounts’ started being drained off funds illegally. Shortly after, the company’s banker was slapped with a huge Distributed Denial of Service (DDoS) attack. This kind of attack normally targets a website and bombards it with huge junk traffic from all the compromised computers.
Mules are the people who unknowingly or wittingly get recruited by cybercriminals to help launder stolen money and thereafter send the said funds to foreign accounts. In the case of this construction company, one mule happened to have been searching for a job and had posted her resume to one of the online job search sites. She suspected of having been used as a bridge in laundering money. After interviewing the mule, Krebsonsecurity made contact with Ascent Builders two days later to inform them of the cyberheist.
Even though Ascent Builders were oblivious of the cyberheist perpetrated against its bank accounts, the bank confirmed later that a number of illegal transactions had been conducted in the construction firm’s accounts between 24th and 26th of December. The criminals used 62 mules in the United States to launder the whole booty stolen from Ascent. Many of the mules were used to handle amounts ranging between $4,000 and $9,000. There was, however, an exception where mules with business bank accounts were used to transfer huge loots ranging between $80,000 and $100,000.
According to the president of Ascent Builders, Mark Shope, the controller of the company upon visiting the bank’s website on the morning of the 24th was unable to access the company’s accounts. Supposedly her browser was unable to let her access the bank’s website. At that particular time, unknown to her, crooks were remotely controlling her computer using a sophisticated malware. She could not access the bank’s website at all.
Shope added that when the controller tried to access the bank’s website, it said that the bank was offline for 24 hours. The company called the bank but the bank said that everything was fine.
Soon after, the Bank of the West had a hell lot to deal with as the criminals had now unleashed vicious malware on the bank’s website. Almost immediately after a couple of the illegal ACH – ‘automated clearing house’ and wire transfers from Ascent had been initiated, the DDoS malware targeting the bank’s website was released. The website went offline because of this. Even though the specific antics and botnets the criminals used, this approach is very similar to the one of all notorious Gameover Trojan malware. Zeus Trojan from Gameover which employs the DDoS tactics to attack has been tied to many cyberheists.
Bank of the West declined to comment on the story and so did the FBI. However, Shope said that the FBI is rigorously investigating this crime.
A law enforcement source speaking on the subject of being anonymous and intimate with the details of the case indicated that the bank had admitted to actually having fallen under DDoS attack at the specific time the cyberheist was taking place. The source continues to say that it is highly likely that other victims other than Ascent exist from this particular incident. A number of businesses and banks in the area might have been similarly robbed on Christmas Eve.
The Bank of the West has already been able to retrieve more than half of the stolen money. According to Shope, the bank is expected to claw back a lot more. He said of the bigger chunks stolen, they were redirected to businesses. In one case, a mule either working or using Hertz Equipment rental franchise on the East Coast had actually called to ask what was happening to his $82,000. After the bank discovered where the money had gone, it started clawing it back after which the mule called Ascent in an attempt to ask why the money was being taken back. It is possible he didn’t know that he was helping cybercriminals launder stolen money.
According to Shope, the Hertz guy called and asked why Ascent had taken back the deposit out of Hertz’s bank account. After Shope asked him what he thought the money was meant for, he said that it was for some equipment that Hertz was buying on behalf of Ascent from Russia. He said that Hertz had already transmitted the money for the equipment to Russia.