Den Of Thieves Hackers Transferred $527,000 From Louisiana CU
BATON ROUGE, La. – A group of Ukrainian hackers siphoned almost $527,000 from LES FCU in September 2009 by using malware to transfer funds from the account the credit union held with Capital One Bank, according to a suit filed last week in federal court here.
The hackers transferred the money by sneaking an e-mail attachment with malware past an accountant at the credit union, according to the suit, filed against Capital One by insurer Fidelity & Deposit Co., which paid $321,873 to the credit union after more than $200,000 of the stolen funds were recovered before they could be picked up by criminals at wire transfer stations around the globe.
The suit claims Capital One negligently allowed the unauthorized wire transfers from the credit union’s account after an LES accountant opened an e-mail attachment that was purported to contain an IRS query about LES’ taxes. The e-mail did not come from the IRS, but it carried a key logging program that allowed the hackers to obtain the credit union’s user identifications and passwords.
The insurer said those mistakes enabled Ukrainian criminals – whom the suit calls a “Den of Thieves” – to siphon money out of the credit union’s account at Capital One.
When officials with the $28 million credit union confronted Capital One they were told that the thefts resulted solely from the security breach at LES. “Capital One is not responsible for the unauthorized wire transfers,” the insurer said banks officials told the credit union in 2009.
The credit union, chartered to serve the Louisiana Department of Labor, maintained the account for 30 years, having originally opened it with Fidelity Bank, then transferring it to Hibernia Bank, which was acquired in 2007 by Capital One. Prior to September 2009, the credit union used electronic wire transfer withdrawals to transfer funds out of the account only on rare occasions.
On or about Sept. 14, 2009, LES FCU employees received an e-mail purporting to be from the Internal Revenue Service in their business e-mail accounts, according to the suit. An accountant employed by the credit union opened this e-mail, which purported to inform her there was a tax reporting discrepancy regarding the credit union’s taxes, and instructed her to click on a link to retrieve the report and resolve the problem.
The e-mail had not been sent by the IRS, but had been sent by a den of thieves operating from the Ukraine, who used the e-mail to direct the accountant to an official looking website, the suit says. At that website, a “key logger program” was secretly downloaded to the accountant’s computer. This allowed the thieves to obtain the credit union’s user IDs and passwords as well as to install a backdoor,” allowing them to gain remote access to the accountant’s computer.
On the morning of Sept. 16, 2009, the credit union’s accountant accessed its account and checked the balance, noticing that nine unauthorized wire transfers had been made from the account on Sept. 15, 2009.
Capital One mailed notifications to the credit union regarding the nine wire transfers processed on Sept. 15, 2009, but did not directly contact the credit union or make any other attempt to notify the credit union of the highly unusual activity on its account, according to Fidelity.
At about 9:15 a.m. on Sept. 16, 2009, employees of LES FCU contacted Capital One and reported the unauthorized wire transfers. At that time, the credit union notified Capital One that the wires were fraudulent and requested immediate retrieval of the funds transferred, the suit says. At that point, Capital One notified the credit union that an additional five transfers totaling $75,400 had been made earlier that morning. The credit union notified the bank that those transfers also were fraudulent.
At that point 14 wire transfers had been conducted for a total of $526,613, and the money was transferred to intermediary banks in New York, then overseas. Capital One was able to stop the transfer of $204,740 of the credit union’s money. But the bank refused to reimburse the remaining $321,873, telling LES FCU in a letter, “As unfortunate a situation as LES FCU finds itself, the wire transfers were initiated through an LES FCU computer as a result of a breach at LES FCU, not Capital One.” As a result, the letter stated, “Capital One is not responsible for the unauthorized wire transfers initiated from the LES FCU computer at issue.”
Fidelity says Capital One’s security measures consisted of single-factor authentication to access the credit union’s account. By that point NCUA, the FDIC and all financial regulators were requiring dual-factor authentication for such processes.
Officials with Capital One could not be reached to comment on the suit.