An escrow firm has closed its doors after failing to recover lost funds from a $1.5 million cyber heist.
California-based Efficient Services Escrow Group found itself entangled in a scheme often carried out by cyber criminals aiming to siphon funds from unwary victims.
The cyber heist, in which attackers infected Efficient's networks with a remote access trojan, culminated in employees of the victim company losing their jobs and the firm being shut down by state regulators.
Efficient was shuttered in March by the California Department of Corporations after three fraudulent wire transfers took place: a December 2012 wire for $US432,215 to an account in Russia, and two wires on 24 and 30 January totalling $US1.1 million which were sent to accounts in Heilongjiang province in China, an area near the border of Russia and China that the FBI has flagged in the past as a destination for stolen funds.
The escrow firm was able to recover the nearly half a million dollars wired in December, but California's commissioner of the Department of Corporations deemed that the remaining unaccounted-for money (the $US1.1 million) was the result of Efficient “conducting escrow business in an unsafe, injurious and unauthorized manner, so as to render further operations hazardous to the public and to customers…,” a 7 March document filed in a Los Angeles court said.
According to the agency, Efficient failed to maintain its financial records in accordance with California state law. The firm's practices also allowed the second and third wire transfers to occur undetected, the court document said.
Peter Davidson, a partner at a law firm appointed by the courts to work with Efficient to recover the stolen funds from customers' escrow accounts, told SC he wasn't aware of what specific trojan was used to compromise Efficient's systems.
“I think [the attackers] somehow got remote access to the company's computers,” Davidson said. “The case is ongoing. We are looking into [ways] of trying to recover the money [and] are talking to the banks to see if they want to come to some resolution on the issue.”
Davidson said that if an agreement can't be reached with First Foundation, the bank that in January released the funds to the fraudsters, he may file a lawsuit against it.
A 2011 FBI fraud alert warned of the trend of fraudsters sending stolen funds to the Heilongjiang province in China.
Federal law enforcement also said that attackers usually opted to use the commercial banking trojan Zeus to steal victims' login credentials before having money mules withdraw the fraudulently wired funds. Other backdoors, including a trojan called Spybot, have also been used in such heists, the alert said.
While Efficient serves as a worst-case scenario of attackers successfully draining the accounts of unsuspecting companies, some researchers believe that it's become harder for fraudsters to carry out their two-part scams, which involve stealing credentials then cashing out with money mules.
Idan Aharoni, head of cyber intelligence at RSA, wrote in a Tuesday blog post that banks are, on the whole, “doing a better job at identifying mule accounts and are in fact declining [or] outright blocking potentially fraudulent transfers sent to them.”
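The two-part pattern described above (credentials stolen, then money wired to mule accounts in a region already flagged by the FBI) is exactly what transaction screening at a bank or escrow firm is meant to catch. The following is an added Python illustration, not code from the article, from Efficient, or from any bank: the rule names, thresholds, watch-list and sample wires are all assumptions, constructed to resemble the three transfers reported. The split of the $US1.1 million between the two January wires, the December date and the beneficiary identifiers are invented, since the article does not give them.

```python
"""Rule-based screening of outbound wire instructions.

Added illustration only; all thresholds, rules and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed watch-list of destination regions. The article notes the FBI has
# flagged Heilongjiang province as a destination for stolen funds.
FLAGGED_REGIONS = {("CN", "Heilongjiang")}

# Assumed policy thresholds (not from the article or any real institution).
LARGE_WIRE_USD = 100_000          # any single wire at or above this is "large"
VELOCITY_WINDOW = timedelta(days=7)
VELOCITY_LIMIT_USD = 500_000      # total released within the window before a hold


@dataclass(frozen=True)
class Wire:
    wire_id: str
    sent_on: date
    amount_usd: int
    dest_country: str
    dest_region: str
    beneficiary: str


def screen_wire(wire, released_history, known_beneficiaries):
    """Return the list of rule names the wire trips; an empty list means clean."""
    reasons = []
    if (wire.dest_country, wire.dest_region) in FLAGGED_REGIONS:
        reasons.append("flagged_destination")
    if wire.beneficiary not in known_beneficiaries:
        reasons.append("new_beneficiary")
    if wire.amount_usd >= LARGE_WIRE_USD:
        reasons.append("large_amount")
    # Sum only wires that were actually released in the preceding window;
    # a wire that was held never left the account and adds nothing to outflow.
    recent = sum(
        w.amount_usd
        for w in released_history
        if timedelta(0) <= wire.sent_on - w.sent_on <= VELOCITY_WINDOW
    )
    if recent + wire.amount_usd > VELOCITY_LIMIT_USD:
        reasons.append("velocity")
    return reasons


def should_hold(reasons):
    """Hold for manual review when a risky counterparty (new payee or flagged
    destination) coincides with a risky amount (large or rapid outflow).
    Either signal alone is common in legitimate escrow business; together they
    match the fraud pattern the article describes."""
    risky_party = {"flagged_destination", "new_beneficiary"} & set(reasons)
    risky_money = {"large_amount", "velocity"} & set(reasons)
    return bool(risky_party and risky_money)


def screen_batch(wires, known_beneficiaries):
    """Screen wires in date order. Returns {wire_id: (held, reasons)}."""
    results = {}
    released = []
    for w in sorted(wires, key=lambda w: w.sent_on):
        reasons = screen_wire(w, released, known_beneficiaries)
        held = should_hold(reasons)
        results[w.wire_id] = (held, reasons)
        if not held:
            released.append(w)
    return results


# Constructed sample data loosely modelled on the article's three wires plus
# one routine payout. Dates, amounts split and beneficiary ids are invented.
SAMPLE_WIRES = [
    Wire("W1", date(2012, 12, 17), 432_215, "RU", "Moscow", "acct-ru-1"),
    Wire("W2", date(2013, 1, 24), 600_000, "CN", "Heilongjiang", "acct-cn-1"),
    Wire("W4", date(2013, 1, 28), 25_000, "US", "California", "title-co"),
    Wire("W3", date(2013, 1, 30), 500_000, "CN", "Heilongjiang", "acct-cn-2"),
]
KNOWN_BENEFICIARIES = {"title-co"}  # the one payee with a prior relationship

if __name__ == "__main__":
    for wire_id, (held, reasons) in screen_batch(SAMPLE_WIRES, KNOWN_BENEFICIARIES).items():
        print(wire_id, "HOLD" if held else "release", reasons)
```

Run as-is, the three fraud-like wires are held and the routine payout is released. The design choice worth noting is that `should_hold` requires two independent signals: a new beneficiary or a flagged region on its own would block far too much legitimate escrow traffic, while an amount threshold on its own is easily evaded by splitting, which is why the velocity rule counts released outflow over a window rather than judging each wire in isolation.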
The extra attention paid at banks that catch suspicious transfers comes at a time when landmark cases are making their way through the court system.
Last November, People's United Bank ended up settling out of court with a small construction company, Patco Construction, which lost nearly $600,000 to hackers who emptied its accounts. Under the settlement, the bank was ordered to pay Patco $345,000 and an additional $45,000 in interest for not stepping in to stop the fraudulent transactions.
The two companies settled after an appeals court reversed an earlier court decision in favor of the bank.