Hackers steal $205k from Missouri practice

Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.

Dentists working at the Smile Zone, a Springfield, Mo. based dental practice that caters specifically to the needs of children, weren’t exactly all smiles on March 22. That was the day unidentified crooks sent at least $205,000 of the practice’s money to nearly a dozen individuals around the country.

Eric Hudkins, the office manager and husband of one of the dentists at Smile Zone, said the money was taken in 11 different transfers, including three large wires. Once again, it seems the attack was carried out with the help of money mules, willing or unwitting individuals hired through work-at-home job schemes over the Internet and lured into helping the attackers launder the stolen money.

“I’ve got the names, account numbers, and phone numbers for most of them, and have even looked some of them up on Facebook,” Hudkins said of the co-conspirators. “The bank talked to two of the [mule] account holders and asked them why they opened the account, who it was for, that kind of thing. Both of them said they’d had their resumes out oncareerbuilder.com or monster.com and that someone they’d never met contacted them and offered to help them make some money.”

Hudkins said he contacted the FBI, and that the agent he spoke with told him the FBI wouldn’t open a case on the theft unless it was over $500,000 in losses. As it stands, he was told, his case would be lumped into a group of similar investigations that is being run out of an FBI task force in Omaha, Nebraska. It also appears there is little appetite for prosecuting the money mules, he said.

“The FBI said prosecuting these [mules] for doing anything wrong is near impossible,” Hudkins said.

Meanwhile, Smile Zone’s bank — Springfield, Mo. -based Great Southern Bank — maintains it is not responsible for the loss, according to Hudkins, although he said the bank is still trying to reverse some of the transfers. I spoke briefly with a representative of Great Southern on Monday, but received the standard “we don’t discuss our customers activities” reply.

Businesses do not enjoy the same protections afforded to consumers hit by online fraud. With credit cards, consumer liability is generally capped at $50. Consumers who report suspicious or unauthorized transactions on their ATM or debit card, or against their online banking account within two days of receiving their bank statement that reflects the fraud also are limited to $50 in losses. But waiting longer than that can costs consumers up to $500 (the liability is unlimited if a consumer waits more than 60 days to report the fraud).

Businesses have no such protection from fraudulent transfers. Generally speaking, banks will work with commercial customers to try and reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following unauthorized activity. What’s more, banks are under no obligation to reimburse commercial customers victimized by this type of online banking fraud.

Hudkins said Great Southern required only that customers provide the proper user name and password to access their accounts online and to move money. The bank does require customers to correctly answer one or challenge questions if it detects a customer is logging in from an unfamiliar Internet address. Still, Hudkins said his bank told him the transfers were made using the company’s regular Internet connection.

Smile Zone is still investigating how the thieves compromised the account. But in case after case I’ve reported on involving this type of fraud, the attackers hacked the victim’s computer networks using a Trojan horse program known as Zeus or Zbot, which allows the criminals to tunnel back through the victim’s PC in order to log into the target account without raising red flags or additional security mechanisms.

Hudkins said that a few days after the unauthorized transfers, Great Southern sent him a security token to complement the bank’s existing customer-facing online security mechanisms (user name + password + occasional security question).

“They just sent me a security token in the mail last Friday, and suggested I use that,” Hudkins said.

Unfortunately, the thieves that hit the Smile Zone have had little trouble defeating security tokens as well, as I have documented in several recent victim cases.

Due to the liability exposure that businesses face when banking online, I’ve long urged business owners to build and use a dedicated system strictly for online banking and nothing else — no Web browsing, checking e-mail, nothing. An alternative — and far more secure — approach is to use a Live CD (or a Mac) when banking online.

Do you have questions about embezzlement?  Give Prosperident a call at 888-398-2327 or send an email to requests@dentalembezzlement.com