Guilty Plea

A former Bank of New York Mellon IT contractor has pleaded guilty to using employee data to steal more than $1 million from charities over the course of eight years.

The data that Adeniyi Adeyemi pleaded guilty to stealing belonged mostly to fellow IT workers in New York, according to an article Computerworld published Saturday.

Adeyemi set up fake bank accounts using the personal information of IT employees. He then moved money from the bank accounts of charities into those accounts through the automated clearing house system.

Adeyemi targeted charities because they openly publish their bank account details to make it easier to receive donations, the article said.

Adeyemi also stole money directly from coworkers, spending some of the money on rent, credit card bills and items that were later shipped to Nigeria.

Adeyemi pleaded guilty to theft, money laundering and computer tampering. He is scheduled to be sentenced on July 21.

Hardwired Hack

Ordinary computer peripherals can be used to house malicious viruses, the tech news blog Gizmodo reported Friday.

USB devices can act as a "hardware Trojan" — much as music files and other software can act as a Trojan horse for malicious code, USB devices can also run code without the computer's user realizing it.

Antivirus programs and other security software can scan data on USB drives, but most do not scrutinize devices that identify themselves as keyboards or other peripherals that do not typically store data.

"The USB protocol trusts any device being plugged in to report its identity correctly," the article said. "But find out the make and model of a user's keyboard, say, swap it with a compromised device that reports the same information — and that doesn't even have to be a keyboard — and the computer won't realize."

This tactic was demonstrated by researchers at the Royal Military College of Canada in Kingston, Ontario. Though most Trojans would try to steal data by e-mailing it to another computer, the researchers instead tested whether the data could be transmitted more subtly — such as by flashing the lights on a USB device in Morse code.

Around the Globe

Hackers are developing networks that can focus on identifying security holes at banks in specific countries — right now, their main target is the United Kingdom, according to the security firm Trusteer Ltd.

The bad guys are limiting their efforts to one country because global attacks are easier to spot, according to an article Computerworld ran Friday.

Today, the U.K. is receiving a lot of attention, but other countries are also being hit, said Mickey Boodaei, Trusteer's chief executive. "Regional malware is not unique to the U.K.," he said. "We've recently started analyzing financial malware in South Africa and identified targeted regional attacks [that] are rarely seen outside that region."

Connecticut's attorney general is investigating a data breach at an Indiana company discovered by a woman in California.

The cross-border crackdown stems from a breach, disclosed last month by the health insurer Wellpoint Inc., that exposed the personal information of about 470,000 applicants, Bloomberg Businessweek reported Friday. The breach was discovered by a woman in California, who sued after finding that by editing a web address in Wellpoint's online application, she could view the confidential information of other people.

Wellpoint said that it fixed the problem within 12 hours of learning of the exposure. The issue stemmed from an October upgrade performed by a third party on Wellpoint's online application system.

Connecticut Attorney General Richard Blumenthal said he is seeking the name of the company that performed the upgrade, an explanation of how the information was exposed and an explanation of how Wellpoint determined who was affected.

By the Book

A rise in sales of unusual digital books may be explained by a breach at Apple Inc.'s iTunes digital media store.

The tech news blog Engadget reported Sunday that there are "a number of people reporting up to hundreds of dollars being spent unwillingly from their account to … specific books." Which books? About 42 books published on iTunes in April by one developer, nearly all of which are in Vietnamese. The Engadget article notes that most of these books have even outranked the final Twilight book in units sold.

Though Apple would not confirm that these books were propelled in the rankings by fraudulent transactions, the developer who published them and all related products have been removed from the app store.

Meet a Mule

The first warning sign that the person behind that work-at-home job ad may be a fraudster looking to recruit a "money mule" to launder money? The prospective employer takes more interest in the qualifications of the applicant's printer than those of the applicant herself.

MSNBC's Bob Sullivan reported in his "The Red Tape Chronicles" column June 29 on how one Bay St. Louis, Miss., woman was tricked into helping move money out of compromised accounts and into the pockets of a fraudster.

Gina Walker had already worked several legitimate "virtual assistant" jobs, which typically required her to enter data or handle customer service interactions from home.

However, she became suspicious when her latest employer began taking an unusual interest in her computer's printer.

Walker accepted the job, and after performing several errands — mostly to receive wire transfers at one location and then wire those funds to another — she was asked to print a check for $1,300 and deposit it in her own account.

Soon, the money's rightful owner called Walker, accusing her of fraud. Walker explained her situation and provided the chat logs with her "employer" to aid the investigation.

Because Walker was able to provide helpful information to the victim, "she no longer fears prosecution," Sullivan wrote, and she has "a renewed sense of caution about virtual job hunting."

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.

Corrected July 7, 2010 at 9:52AM: An earlier version of an item in this story misidentified Adeniyi Adeyemi, who pleaded guilty to theft and other crimes. He was not a Bank of New York Mellon employee; he worked for a contractor.