Online crooks made off with $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization that manages the Qwest Center and other public venues in Omaha, Nebraska.
The criminals first sent a rigged email, which had a password-stealing piece of malware as an attachment, to a MECA employee. Once they infiltrated MECA's computer network and gained access to the organization's banking credentials, the thieves hired six unwitting money mules, who accepted the fraudulent transactions and helped launder the stolen funds.
Brian Krebs, who broke the story on his Krebs on Security blog, reported that the thieves recruited the money mules through phony work-from-home job scams fronted by corrupt cybercrime firms — AV Company, in this case.
"Mules were told they were helping the company's overseas software engineers get paid for the work they were doing for American companies," Krebs said.
What actually happened is that the mules received the fraudulent transfers, wired it to the hackers' accounts — one participant in the MECA hack was instructed to wire money to three accounts in Eastern Europe — and then never received any compensation for their own part in the scheme.
Losing $217,000 is a devastating blow to MECA. What's worse is that it could have been prevented.
MECA's chief financial officer Lea French told Krebs that MECA refused several of the added security options offered by its bank, the First National Bank of Omaha, including a requirement that two employees sign off on every bank transfer.
"We had declined some of the security measures offered to us, [but if] we had those in place this wouldn't have happened to us," French told Krebs.
She added that the MECA was concerned with internal security, "not somebody hacking into our systems."
The MECA was able to reverse one unauthorized transfer for $147,000, but once they determined the scope of the theft, it was too late. French wishes she had known beforehand just how vulnerable her company was to this type of targeted, sophisticated cybercrime.
This is just the latest example of how online criminals, usually based overseas, are successfully targeting smaller organizations outside the big cites, reasoning that those groups won’t be as savvy about cybersecurity.
"Why isn't someone out shouting on the rooftops about this fraud ?" French said. "People need to understand how exposed they are."