Criminals steal hundreds of thousands of dollars

Sep 15, 2009 09:46 GMT

U.S. public and private schools alike should be on alert, as the cybercriminal gang behind the Clampi Trojan has been targeting such institutions recently and has walked away with impressive amounts of money. Security researchers say it is one of the most sophisticated and successful online banking fraud operations.

The complex Clampi Trojan is known under several different names, including Ligats, Ilomo and Rscan. Its purpose is to steal online banking credentials from compromised systems; however, the attacks involving it are much more sophisticated and widespread, using fake companies and recruitment websites to hire money mules.

Recent versions of the Trojan can propagate across internal Windows networks by using a tool called PsExec together with stolen domain administrator credentials. PsExec is a legitimate utility developed by Microsoft, which is generally used by administrators to execute processes on remote computers. The presence of this tool on computers that are not authorized to have it installed should raise red flags and generally points to a Clampi infection.
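The detection cue described above (PsExec showing up where no administrator should be using it) can be turned into a simple check. The script below is an added example, not code from the article or from any vendor mentioned in it. It assumes process-creation telemetry in a constructed key=value line format, a hypothetical allowlist of hosts permitted to run PsExec, and the well-known names of the PsExec client binary and the PSEXESVC service it installs on the remote machine. Client launches from hosts outside the allowlist are flagged, and so are PSEXESVC service starts on hosts that no authorized client was seen targeting.

```python
import re

# PsExec client binary names and the service image it drops on the target side.
PSEXEC_CLIENT_IMAGES = {"psexec.exe", "psexec64.exe"}
PSEXEC_SERVICE_IMAGE = "psexesvc.exe"

# Constructed sample telemetry (one process-creation record per line).
# Host names, users and the key=value layout are assumptions for this example.
SAMPLE_LOG = """\
host=ADMIN-JUMP01 image=psexec.exe user=CORP\\itadmin target=FILESRV01
host=WS-0042 image=PsExec.exe user=CORP\\jdoe target=FIN-PC03
host=FIN-PC03 image=PSEXESVC.exe user=SYSTEM parent=services.exe
host=WS-0042 image=outlook.exe user=CORP\\jdoe
host=FILESRV01 image=PSEXESVC.exe user=SYSTEM parent=services.exe
"""

# Hypothetical allowlist: the only host whose operators may run PsExec.
AUTHORIZED_PSEXEC_HOSTS = {"ADMIN-JUMP01"}


def parse_record(line):
    """Turn 'key=value key=value' into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def find_psexec_findings(log_text, authorized_hosts):
    """Return a list of findings for PsExec activity outside the allowlist.

    Pass 1: PsExec client launches. Authorized hosts contribute their
    targets to the set of machines where PSEXESVC is expected; anyone
    else running the client is a finding.
    Pass 2: PSEXESVC starts on hosts nobody authorized targeted are a
    finding, since the service only appears when a client reached them.
    """
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    expected_targets = set()
    findings = []

    for rec in records:
        image = rec.get("image", "").lower()
        host = rec.get("host")
        if image not in PSEXEC_CLIENT_IMAGES:
            continue
        if host in authorized_hosts:
            if "target" in rec:
                expected_targets.add(rec["target"])
        else:
            findings.append({
                "host": host,
                "kind": "psexec-client",
                "user": rec.get("user"),
                "target": rec.get("target"),
            })

    for rec in records:
        if rec.get("image", "").lower() != PSEXEC_SERVICE_IMAGE:
            continue
        host = rec.get("host")
        if host not in expected_targets:
            findings.append({
                "host": host,
                "kind": "psexec-service",
                "user": rec.get("user"),
                "target": None,
            })

    return findings


if __name__ == "__main__":
    for f in find_psexec_findings(SAMPLE_LOG, AUTHORIZED_PSEXEC_HOSTS):
        print(f"ALERT {f['kind']:15} host={f['host']} user={f['user']} target={f['target']}")
```

On the constructed sample this reports two findings: the PsExec launch from WS-0042 by an ordinary user, and the PSEXESVC start on FIN-PC03 that no authorized client explains. The FILESRV01 service start is silent because the jump box targeted it. Real telemetry (Sysmon, EDR, or Windows service-installation events) would need its own parser in place of `parse_record`, but the correlation between client launches and service starts is the part worth keeping.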

The Washington Post reports that, in addition to the incident at the Western Beaver School District, from which cybercrooks stole a total of $704,610 in 74 fraudulent electronic transfers, several other schools have reported similar attacks. Western Beaver School District was forced to sue its bank in an attempt to recover the money, something other victims might also end up doing, as the law does not hold banks liable for such attacks on business customers.

The crooks attacked the Sanford School District on August 17 and initiated under-$10,000 transfers totaling $117,000. An official noted that only two transfers amounting to $18,000 were successfully reversed. Meanwhile, the public school district in Sand Springs, Oklahoma, was similarly hit on August 11 and suffered losses of around $150,000. The Sand Springs Superintendent said that $80,000 was reversed and that their bank offered to cover the rest.

Earlier, on August 5, another Clampi attack occurred at Marian University in Fond du Lac, Wisconsin. The criminals walked away with $189,000 of the institution's money, and only $54,000 has been recovered to date. The Washington Post also has reason to believe that Community Unit School District #427 in Sycamore, Illinois, was hit back in July, but details are still scarce.

School districts, as well as small and medium-sized companies, are the preferred targets for the gang behind Clampi, which tricks unsuspecting U.S. citizens through fake recruitment websites into receiving the fraudulent transfers and wiring the money out of the country. The poor computer security and understaffed IT departments characteristic of such organizations are what make them so appealing to these criminals.

Security researchers advise isolating the computer systems used for sensitive activities, such as online banking, from the rest of the internal network. This is referred to as network segmentation and can be achieved by implementing internal firewall solutions and strict routing policies. Using a dedicated system only for these tasks is highly encouraged, but if that is not possible, booting from a live CD into an unaffected operating system, such as Linux, when engaging in online banking can be an alternative.