14 DAY TRIAL // Five individuals who played money mule roles in an operation involving the theft of $450,000 from a bank account belonging to the City of Carson, CA, have been indicted. A computer trojan was used to infect the laptop of the city treasurer in order to steal the information necessary to carry out this attack.
Automated Clearing House (ACH) fraud has become a preferred method for cybercriminals to steal large sums of money from businesses and organizations. Additionally, because of the hit-and-run nature of these complex attacks, they have proven hard to prevent.
An ACH fraud operation starts with cybercriminals customizing a computer Trojan, which would give them the ability to hijack online banking credentials from an infected computer. Their goal is to infect key people with access to a company or organization's bank accounts and funds with it. In this case, the malware used is a trojan called Talex and the targeted individual was City of Carson treasurer Karen Avilla.
The trojan can be delivered to the intended target via e-mail or as drive-by download launched from a compromised website. Investigators have not succeeded in determining how Avilla's laptop came to be infected with the trojan, but they did manage to track where the money went.
The gangs of fraudsters who launch these attacks generally operate from abroad, but since ACH transactions are only nation-wide, they can't get the stolen money directly and need to send it to U.S. bank accounts. This is where intermediaries known as money mules come into the equation. These are people who agree to use their personal account to receive funds and wire them out of the country in exchange for a commission.
The indictment filed in the District Court for the Eastern District of North Carolina names Anthony Leonard Bobbitt, Lance Corbett Holt, Jennifer Ann Woodard, Deago Larase Smith and John L. Quinn II, as defendants. “It was an object of the conspiracy that the defendants would provide the user name and other login information and passwords for their personal online bank accounts to co-conspirators, both known and unknown to the Grand Jury, for the purpose of using their online bank accounts to receive and distribute unauthorized electronic transfers of funds from victim bank accounts,” it reads.
The five money mules used their accounts to receive almost $450,000 that were transferred without authorization in May 2007 from a compromised bank account belonging to the City of Carson. With the help of the bank, city officials managed to recover most of the stolen funds, the final loses amounting to $44,000.
This is important because it is one of the first ACH transfer fraud cases where charges are brought against the people who acted as money mules. The issue is sensitive as most of the times, people are approached under the cover of fake companies extending them a work-from-home job opportunity and are unaware of the money's true source.