Trojan steals $480k from online bank account
2009-10-22
Pennsylvania Local News is reporting that computer hackers have stolen $479,000 from the Cumberland County Redevelopment Authority, an organization that helps develop affordable housing.
Cumberland County Redevelopment Authority Executive Director Christopher Gulotta stated that a computer virus known as Clampi, which enables hackers to record keystrokes, was used to siphon more than $479,000 out of Cumberland County Redevelopment Authority bank accounts. The money was transferred to real accounts set up by the hackers, using names of limited liability companies and individuals, at 11 domestic financial institutions.
The "Clampi" Trojan is believed to have been stealing banking and other log-in credentials from compromised PCs since 2007. Joe Stewart, director of malware research for the Counter Threat Unit of SecureWorks, stated, "Clampi, also known as Ligats, Ilomo, or Rscan, infects computers in drive-by downloads when people visit Web sites hosting malicious code that exploits vulnerabilities in browser plug-ins Flash and ActiveX. When the infected computer is used to access a targeted banking or other site, the log-in and other information is stolen. Clampi has spread quickly through Microsoft-based networks in a worm-like fashion. It uses domain administration credentials that were either stolen by the Trojan or based on an administrator logging into an infected system. It then uses the Windows executable SysInternals tool, 'psexec', to copy itself to all the computers on the domain. Clampi also serves as a proxy server for criminals to anonymize their activity when logging into stolen accounts."
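The domain-wide spread Stewart describes, one administrator credential driving psexec against many machines, shows up in logs as the same account installing the PsExec service on many hosts within minutes. The following added example (not part of the original article) flags that pattern in constructed service-install records; the record layout, host and account names, and thresholds are assumptions, and it relies on PsExec's default service name PSEXESVC as recorded in Windows event 7045.

```python
"""Flag one account installing the PsExec service on many hosts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the article).
# Assumed layout: timestamp host event_id service_name installing_account
SAMPLE_EVENTS = """\
2024-01-10T02:14:05 WS-ACCT01 7045 PSEXESVC admin1
2024-01-10T02:14:19 WS-ACCT02 7045 PSEXESVC admin1
2024-01-10T02:14:40 WS-HR01 7045 PSEXESVC admin1
2024-01-10T02:15:02 SRV-FILE01 7045 PSEXESVC admin1
2024-01-10T09:30:00 WS-IT01 7045 PSEXESVC helpdesk
2024-01-10T09:31:10 WS-ACCT01 7045 PrintHelper admin1
2024-01-10T16:45:00 WS-IT02 7045 PSEXESVC helpdesk
"""


def parse(text):
    """Yield (time, host, event_id, service, account) from the assumed layout."""
    for line in text.splitlines():
        ts, host, event_id, service, account = line.split()
        yield datetime.fromisoformat(ts), host, int(event_id), service, account


def find_fanout(text, window=timedelta(minutes=5), min_hosts=3):
    """Return {account: [hosts]} where one account installed the PsExec
    service on at least min_hosts distinct hosts within the window."""
    by_account = defaultdict(list)
    for ts, host, event_id, service, account in parse(text):
        # 7045 = "A service was installed in the system" (System log).
        if event_id == 7045 and service.upper() == "PSEXESVC":
            by_account[account].append((ts, host))

    alerts = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(account, ())):
                alerts[account] = sorted(hosts)
    return alerts


if __name__ == "__main__":
    for account, hosts in find_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: PsExec service installed on {len(hosts)} hosts: {hosts}")
```

Routine single-host PsExec use by support staff stays below the threshold, so the window and host count should be tuned to how administrators in the environment actually work.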
The Sentinel reports that the stolen money was state Department of Community and Economic Development funds earmarked for a building rehabilitation in downtown Newville. The funds had been diverted from one account to a separate payroll account the authority had with M&T Bank, its only account with electronic funds transfer capability. The authority staff realized there was a problem when they had difficulty accessing the online banking features on September 23rd, at which point they notified the bank and the FBI.
Gulotta has confirmed that $109,000 has been recovered by the bank thus far and that they are negotiating with two other organizations. While the authority's insurance did not cover cybertheft, Gulotta stated that the authority would cover the loss with its own funds so that the project would not be impaired and that the theft should not damage authority efforts as a whole.