ACH Fraud Hits Texas CountyTax Assessor's Office Loses $200,000 to Scheme
The attack on the Gregg County, Texas, tax assessor's office began on Nov. 23, and authorities from the U.S. Secret Service, the Texas Department of Public Safety and the Gregg County District Attorney's office are investigating the crime. A workstation in the tax office was infected with Zeus, a trojan designed to steal online banking credentials. The malware was activated when an employee in the target agency clicked on a link in an email or on a website.
The county's tax assessor and collector Kirk Shields says a Gregg County employee who mistakenly unleashed the program was suspended for violating county cybersecurity policy. Shields also says his tax office has gone back to the old-fashioned paper deposits to avoid future cyber theft. In fact, a countywide halt has been placed on all ACH fund transfers for any county office.
"As long as I'm tax collector, we will never go back to sending out money electronically again," Shields says.
Russian AttackThe international attack is believed to have originated in Moscow, and the cyber thieves hijacked local tax payments from an ACH transfer totaling $690,000, of which all but $200,000 has been retrieved. Shields says authorities are investigating whether other Texas counties could also be victims. This cyber crime is the first of its kind Shields has experienced in his 14 years as tax collector.
The Gregg County, Texas, tax assessor's office collects taxes for 13 entities in the county, including five school districts, six towns, a local college and the emergency services provider for the county.
Discovering and stopping the transactions began on the Friday after Thanksgiving, when Shields learned of the infiltration. He says that's when all the activity started from the county's end and with the banks. Investigators traced the malware to an associated website located in Moscow. Because of the ongoing investigations, Shields wasn't able to give further details, including which of the seven taxing entities were victims.
The theft occurred when the payments were being moved from Shields' office to Texas Bank and Trust for distribution. The crime was discovered in progress, when a bank in Tennessee that was receiving funds contacted Texas Bank and Trust, Gregg County's bank of record. Between the arrival of the ACH transaction file at the bank and the time it was processed, Shields says the Russian cyber criminals began changing the routing and account numbers for certain entries within the ACH file.
The Year of ACH FraudThe looting of the tax assessor's account is just one of many recent corporate account takeovers made in the U.S. by foreign hackers aimed at looting bank accounts via ACH and wire fraud. How it typically happens: An individual at the business receives an email that is loaded with an executable file containing malware. The unsuspecting employee opens the email, infecting the computer with malware -- most often of the Zeus trojan variety that is designed to steal online banking credentials.
Law enforcement agencies are actively investigating these cases, and members of one criminal gang were arrested recently both here in the U.S. and in Europe.
Some of the most prominent cases:
- Village View Escrow of Redondo Beach, Calif., was hit in an attack in March, and hackers made off with $465,000.
- Choice Escrow vs. BankcorpSouth was just filed in November in a Missouri court against the bank, alleging inadequate security measures didn't protect from ACH fraud.
- Hillary Machinery vs. Plains Capital Bank was the case of a bank suing its own customer. This suit was settled for undisclosed terms.
- Experi-Metal Inc. vs. Comerica Bank is an ongoing case of a customer suing its bank over fraud losses
- The Catholic Diocese of Des Moines, Iowa, fell prey to a hacker who took $600,000 in August.
Legislation PendingEarlier this fall, Senator Charles Schumer, (D-NY) produced a Senate bill to be discussed in the new year. Schumer's proposed amendment to Regulation E would give municipalities and school districts the same level of protection as consumers.
Schumer introduced S. 3898, on Sept. 29, and extends the Electronic Fund Transfer Act's Reg. E protections. Under the bill, the Board of Governors of the Federal Reserve System would define which entities fall into the categories of "municipality" and "school district."
Schumer's proposed legislation would cover a municipal office such as the Gregg County tax assessor, but does not extend protection to commercial businesses.