Banking Blog

Finance Blogs » Banking » Hackers empty $900K bank account

Hackers empty $900K bank account

By Claes Bell, CFA · Bankrate.com
Monday, February 25, 2013
Posted: 9 am ET

In itself, a distributed denial of service, or DDoS, attack on a bank's website is little more than costly hooliganism. It essentially consists of hackers ordering a bunch of malware-infected computers to "click" on a bank's website until it's too overwhelmed to respond to legitimate users.

The effect is pretty similar to a barricade across the entrance to your bank: You can't get in, but your money is still safe inside the bank.

But what if thieves used a DDoS attack as cover for a more harmful attack that did actually compromise customer checking accounts? That appears to be exactly what happened to a customer of Bank of the West, according to a report from security blogger Brian Krebs:

A Christmas Eve cyber-attack against the website of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.

At approximately midday on Dec. 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company's financial institution -- San Francisco-based Bank of the West -- came under a large distributed denial of service (DDoS) attack …

There were 62 individuals suckered in to acting as "mules" for the stolen money, according to Krebs.

It's standard operating procedure for scammers to recruit unsuspecting individuals and businesses ("make big money working from home!") to accept a substantial deposit from thieves and wire the bulk of it overseas, keeping a portion for themselves as payments. Typically, the money clears and the mule completes the transfer, only to have the authorities catch up with them and claw back the money, leaving them on the hook for most of the losses.

Obviously, you never want to agree to accept and transfer cash as these mules did. Aside from the legal implications of engaging in what amounts to money laundering, what good are promised payoffs if they're going to be clawed back later?

Another important step to avoid having your account on the receiving end of this type of coordinated attack is having up-to-date antivirus software installed on your computer. Krebs writes that the thieves may have gained access to Ascent Builders' bank logins using malware surreptitiously installed on its computers. And you don't want that happen to you, especially on Christmas Eve.

What do you think? Do you worry about online thieves draining your accounts? What precautions do you take to prevent that from happening?

Follow me on Twitter: @claesbell.

«
»
Bankrate wants to hear from you and encourages comments. We ask that you stay on topic, respect other people's opinions, and avoid profanity, offensive statements, and illegal content. Please keep in mind that we reserve the right to (but are not obligated to) edit or delete your comments. Please avoid posting private or confidential information, and also keep in mind that anything you post may be disclosed, published, transmitted or reused.

By submitting a post, you agree to be bound by Bankrate's terms of use. Please refer to Bankrate's privacy policy for more information regarding Bankrate's privacy practices.
147 Comments
mahi
March 26, 2013 at 2:25 pm

there not thieves until they take your money or property. maybe one day when you find your car missing or house broken into you can laugh it off to just some fine entrepreneurs hard at work. and if they harm you or someone you care about in the process you can chalk it up to overly aggressive entrepreneurs and shrug it off.

onlyonetruth
March 25, 2013 at 10:39 am

Theres nothing you can do we live in the modern world, computers are here to stay, and so are the cyber theives, whom most are from out of this country, china,russia,india,extc. Keep as little as possible in your accounts, business accounts keep the amount that is insurable under the FDIC, $250,000, have several acounts in different banks and transfer funds as needed.
Here in the US the real big theives is the Government, get ready their going to steal you blind soon, empty your IRA's - 401's, take your gold and silver.Remember you heard it here first. Prepare.

Chris
March 25, 2013 at 12:41 am

Andreas,

You obviously know absolutely nothing about computers, go back in your cave.

Tony G
March 24, 2013 at 10:40 pm

ALL banks SHOULD have a fail safe system for not allowing transfers of money. Its very easy to do, they are to blame more then the thieves. There should be a direct voice contact with an account holder over a certain amount, or a fail safe code that is used when large transfers are requested. It a very simple thing to do. Of all systems the Government and the Banks should have a system that can not be invaded.... They should be ashamed of themselves.....

Sharon Crosby
March 24, 2013 at 2:22 pm

I live in an alleged haven for crime otherwise called an apartment building that is managed by people and or programmers who commit that same type of crime; allegedly.

andreas vasiadis
March 22, 2013 at 8:51 pm

some years back no one was worry about his money stolen from the bank you have a savings book and a checking statement each time you put money in the bank......now we dont know if we have any money left in the account unless we have a combuter and know how to use it but even that it dont give instant account only gives you account of 3 days before if you try to find your actual amount you dont my opinion is use the smalest bank in your area they maybe dont have sofisticated combuters so hackers cant get in easy any more i believe no bank will be hacked if they use win 95 and not win xp p or win 7 or win 8 or best bet is to create a win bank operating system with all the norton and karpenskys antivirus inside

Laughable
March 22, 2013 at 6:43 pm

@Open Minded: I doubt you would feel the same way if it had been your bank account hacked.

Open Minded
March 21, 2013 at 10:30 pm

Why keep referring to these people as "thieves"? Why not "entrepreneurs" or "fund redistributers"? "Cyber crooks"? Come on, they just used their minds to redistribute some wealth, um, in their direction. And those mules who helped these "entrepreneurs" were motivated by their need for a greedy fast buck. The mules got what they deserved. In any case, no one was shot or terrorized in this bank heist.

CampKohler
March 21, 2013 at 5:43 pm

If you do banking from a personal account, you need only take minimal safety steps to be protected from loss. But if you do banking from a business account, you must take reasonable steps that a "prudent man" would do to prevent loss, such as using the PC from which the banking is done ONLY for banking, installing anti-malware software, etc. Of course doing all that for personal banking is a very good idea, too, but not necessary to have the bank replace any losses under the law.

s
March 21, 2013 at 2:51 pm

it all scares me.i dont have much but i dont need someone taking it,and i have checked out a lot of online money making businesses,but only paid for the info once,and even then put a stop payment on it because it didnt seem legit.i dont think there really is a fool proof way of making money online.my credit is already bad so i dont think it could benefit anyone.