Duanesburg school theft highlights problem of cyber-attacks

PHOTOGRAPHER: Justin Mason

Like most small school district administrators, Duanesburg Superintendent Christine Crowley is accustomed to handling a shoestring budget.

She’s used to keeping a tight spending plan, and she’s no stranger to fluctuations in the district’s state aid. But nothing could have prepared her for more than a quarter of the district’s operating revenue vanishing somewhere into the depths of cyberspace.

Just two days before Duanesburg’s Christmas recess, an unseen hand used the Internet to gain access to the district’s money market account with NBT Bank and then attempted to electronically transfer $758,758 to a destination overseas. The move triggered an alert with the bank, which subsequently determined that more than $3.8 million in transfers had been ordered over the course of five days.

“The first reaction was sheer shock,” Crowley recalled last week. “The second reaction was anger over how the district and taxpayers could be subjected to cyber crimes.”

Bank representatives quickly contacted authorities after the discovery and were able to stop the final transfer. Over the next week, they managed to recover another $2.5 million from the earlier thefts.

Nearly a month after the initial transfer, Duanesburg’s account is still short roughly $497,000. That’s about 3.3 percent of the 950-student district’s $14.8 million operating budget. And school officials are no closer to learning how a hacker or group of hackers was able to break into a banking system they believed to be safe.

“It’s extremely scary to think that somehow someone out there can break into your banking system and then steal $3 million without anyone noticing,” Crowley said.

Authorities won’t release any details about the theft, citing the ongoing investigation. Likewise, a spokeswoman for NBT refused to discuss the online thefts or any of the bank’s safeguards to prevent such fraud.

But December’s cyber-attack occurred only a month after the FBI’s Internet Crime Complaint Center issued an alert about a “significant increase” in online banking fraud targeting government and school district accounts via “spear phishing” attacks.

Spear phishing

In spear phishing, hackers use public Web sites to identify a school or government’s business administrators. The hackers then send e-mails that appear to be sent by trusted sources, such as clients, banks and even federal organizations, warning of a possible virus infection. Recipients are encouraged to either open a file attachment or visit a Web site that will automatically download a file. In actuality, the file linked to the e-mail is a type of Trojan that will log the recipient’s key strokes and then relay this information to a hacker.

Typically, a hacker scans for an account that has access to the Automated Clearing House, a widely used system that allows banks to exchange details of financial transactions.

Once an account with the ACH is accessed, hackers can transfer money to accounts they’ve created for themselves or to accounts they’ve arranged through a third party or “money mule.” These individuals are usually solicited through online advertisements and used to transfer money for hackers under the guise of employment, such as an earn-money-from-home job.

Money mules are directed to quickly wire a portion of the stolen cash to overseas accounts, often in eastern Europe or Russia. They are often directed to transfer the money using wire services, such as Western Union and Moneygram, which help erase the tracks of the hackers.

“The fact is, you have a real criminal supply chain at work,” said Doug Johnson, the vice president for risk management policy at the American Banking Association. “You have people who search out companies and school districts to exploit, you have others in the chain that are building malicious software and then you have the money mules that take money out to wire it overseas.”

Looking for answers

School district officials in Duanesburg are still trying to figure out exactly how December’s thefts occurred and what, if anything, they can do to prevent a future online attack.

The first unauthorized electronic transfer occurred on Dec. 18, when $1.86 million was moved from the district’s money market account to an overseas destination.

Three days later, transfers totaling more than $1.19 million were wired to multiple destinations outside the United States.

Then, after the final attempt raised an alert on Dec. 22, representatives from NBT began tracking down the illegal transfers.

Crowley said the bank was able to thwart the final transfer and recover about $1.8 million within a day. Less than a week later, the bank tracked down another lump sum.

As soon as the fraud was discovered, the school district closed all of its accounts and established new ones with extremely limited online functionality. With few exceptions, all payments to and from the district were switched to paper check form.

“It’s been a lot of work,” she said. “We’ve gone from the electronic age and back-stepped as much as we possibly can, so wherever we’re allowed to send a paper check, we send a paper check.”

The crime stirred concern throughout area school districts and prompted many administrators to review the safeguards in place. Capital Region BOCES Superintendent Charles Dedrick said the heightened alert has also resulted in a sense of urgency among districts.

“Security right now is higher than it’s been in a long time,” he said. “It caused districts to go back and look to make sure their security was tight.”

But in Duanesburg, Crowley isn’t sure what the district could have done to prevent the attack. She said Duanesburg operates through BOCES’ two firewalls, does regular anti-virus software upgrades and overhauled all of its Internet technology systems before the crime took place.

“Ultimately, until you know exactly how they did it, there’s not much you can do,” she said. “And without the FBI explaining that to me, I’m just going to have to patiently wait.”

Busy, smart thieves

Federal authorities have documented roughly 200 cases of spear phishing and $100 million in attempted thefts between 2008 and October 2009, with new ones arising on a weekly basis.

Spear phishing combines high-tech sophistication with good old-fashioned trickery, meaning the effectiveness of anti-virus software is significantly diminished.

This type of attack also demonstrates the higher level of organization exhibited by modern hackers, explained Sanjay Goel, an associate professor of information technology management at the University at Albany’s School of Business. Hackers looking for money now use scores of terminals to attack a network and have professional-quality software to scan for security vulnerabilities.

“Despite the best security you may have, you still may become a victim of hacking because of these things,” he said. “People protecting their computer have to protect against each and every vulnerability, while the hackers only need to find one.”

Some in the banking industry place the greater burden for preventing cyber attacks on the commercial customers being exploited. They argue that the controls in place at the bank level are adequate to keep hackers out, so the real issue is with the account administrators who are duped into downloading Trojans.

Michael Herd, the managing director of network rules for the National Automated Clearing House Association, said electronic money transfer systems are extremely safe. Among the tens of billions of transactions made last year, only 0.04 percent were unauthorized and returned.

Herd said a majority of returned transactions resulted from other factors that don’t include criminal intent, meaning electronic transfers are considered safer and less prone to fraud than paper checks. The vulnerable area of the network lies with businesses safeguarding their account information, not the electronic payment network.

“The analogy would be if you gave someone the front keys to your house and they came in to make a long distance phone call without you knowing — it’s not the phone system that is compromised,” he said.

Banks also limit their liability with commercial business transfers made after an account has been compromised by hackers. While individual customers are only responsible for $50 of the money stolen from their account, commercial customers are often held wholly liable for funds stolen.

Johnson, of the American Banking Association, said businesses need to be aware of their greater responsibility in ensuring their transactions are secure. “There’s a presumption that there is a higher level of sophistication in terms of conducting these transactions,” he said.

Hitting the bank

At least one commercial bank customer and fraud victim — the Western Beaver County School District of Pennsylvania — is contesting this presumption in court. The 820-student district near the Ohio border filed a lawsuit against ESB Bank in August after ESB refused to reimburse the school for $441,197 in unrecoverable funds.

In December 2008, West Beaver suffered a cyber-attack similar to the one in Duanesburg. Hackers breached the district’s account during Christmas break and were able to move $704,610 to various destinations across the country and in Puerto Rico via 74 transfers over a five-day period.

ESB eventually credited the district with $263,413 but declined to reimburse any additional losses. In court documents, the district argues that the bank had an obligation to notice the fraudulent transfers because the school had never authorized payments to any out-of-state recipient, much less the 42 accounts used by the hackers.

“We feel as if on a factual level and a legal level, we’re going to recover those funds from the bank,” said Brian Simmons, a Pittsburgh attorney representing the district.

The fallout from similar cyber-heists prompted a separate federal lawsuit targeting the hackers themselves. Last summer, a group calling itself Project Honey Pot filed a lawsuit in U.S. District Court that identifies the defendants as “John Does stealing money from U.S. businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam.”

The lawsuit is aimed at getting banks to disclose details about their cyber-attackers, such as the IP addresses used during account breaches and the viruses used to gather information.

Jon Praed, the attorney representing Project Honey Pot and a founding partner of the Internet Law Group, said the lawsuit isn’t likely to bring hackers and hacking organizations to justice. However, the case could result in better security for banks and greater protection for their customers.