Ontario law firm victim of large fraud due to infection by Trojan Banker Virus
Description of Potential Fraud:
This is the text of an email fraud alert sent by LAWPRO to our insureds on December 21, 2012.
Just this week LAWPRO has dealt with two firms that were the victims of major frauds on their trust accounts. The time just before the holidays should not be a time for bad thoughts and frauds targeting lawyers, but unfortunately the fraudsters aren’t cooperating. We frequently see an increase in fraud attempts around the holidays as the crooks behind these frauds will actually use the distractions of the holidays to help them dupe lawyers and law office staff.
In one case the lawyer was duped out of $90,000 on a bad-cheque collection scam – the same type of scam LAWPRO has warned Ontario lawyers about many times. What is really frustrating for us is that the name of the scammer client (Cheng Wu of Wu Co. Ltd.) was posted on this blog. The lawyer could have avoided being a fraud victim by taking 60 seconds to cross-check the name of his client against the names of confirmed fraudsters on AvoidAClaim. See our Fraud Fact Sheet for a list of the red flags of a bad cheque fraud.
The other fraud reported to us is a scary one. A southern Ontario firm has suffered a six-figure loss from its trust account after an apparent infection by the Trojan Banker Virus or a similar virus. As a result of the infection, access passwords were passed to the fraudsters when the bookkeeper logged into the firm’s trust account. The trust account was at a major Canadian bank. This is a summary of what LAWPRO currently understands happened. See the bottom of this post for advice on how to protect yourself from being a victim of this type of fraud.
What is the Trojan Banker Virus?
The Trojan Banker Virus is designed to steal financial account login information. Trojans are spread by e-mail attachments, visits to a website or the installation of a software program (usually something that looks harmless like a screensaver or game). Opening an attachment, clicking on something on a website or running a program will install the virus and infect a computer. After installing itself on a computer, this virus works as a keystroke logger to capture passwords and other sensitive information (i.e., it tracks the keys that are pressed and sends that information to the hacker). It can also create a “back door” that lets the hacker access and control the computer from a remote location.
This type of virus can also monitor web browser activity and will wait for the computer user to visit one of dozens of predefined banking or financial websites. The virus then creates a pop-up window that replaces and mimics the actual login page. These pop-up windows are customized for each financial institution’s website and are designed to spoof the appearance of the legitimate login page. The user ID and password(s) entered into these pop-up windows are captured and sent to the hacker. With this information the hacker can access the target’s bank account.
Summary of this fraud
In this fraud, the bookkeeper’s computer was infected. We do not know how at this point. She then had difficulties accessing the website of the firm’s bank and got a “This site is down for maintenance” message. On one of the screens that appeared on her computer she was asked to enter her name and phone number. This appears to have given the fraudsters her contact information, as later that day the bookkeeper received a telephone call from someone, allegedly from the firm’s bank. That caller said she was aware of the login attempts and stated that the site had been down for maintenance. The caller then asked the bookkeeper to try logging in again. The bookkeeper did so, entering the primary and secondary login passwords for the account on screens that appeared on her computer – the passwords were not given to the person on the phone. The second password came from a key fob password generator. This appears to have given the hacker both passwords and access to the firm’s trust account.
On each of the following two days there were similar phone calls to the bookkeeper from the woman who allegedly worked for the bank to “follow up on the website access problems.” On each occasion the bookkeeper tried to log in again and entered the primary and secondary passwords on screens that appeared on her computer. The fraudsters went into the account during or immediately after these phone calls and wired funds overseas. An amount less than the balance in the account was wired out each time. This was an infrequently used trust account and the firm had never done wire transfers from the account. The bank did not detect these frauds or stop the wires. The people behind this fraud appear to have had intimate knowledge of how to send wires from a bank account. The virus seemed to be aware that the firm had done banking at another major Canadian bank in the past.
How to protect yourself
Be aware of and be on the lookout for this type of fraud. At this point we are not aware of any other firms being victimized, but we suspect there are firms actively being targeted. These steps can lessen the likelihood that you will be a victim of this kind of fraud:
- Closely monitor the activity in your trust and regular bank accounts.
- Immediately investigate and talk to your bank if there are any problems or suspicious activity with your bank accounts or online banking access. Talk to your bank in person or through verified telephone numbers if there are problems. Remember that emails, fake documents and spoofed websites will have contact information for the fraudsters – not the real bank.
- If you do online banking, remove features that you do not use (e.g., the ability to initiate wires).
- Educate your firm staff about fraud prevention, in particular bookkeeping staff and other staff that handle cheques or payments.
- Be extremely wary of any calls or emails from your bank that deal with account information or access. Banks and other financial institutions will not ask you to reveal or change banking information in an email or phone call.
- Train your staff and lawyers to never open any emails or download any attachments from unknown senders. They should simply delete these messages.
- Install anti-virus and anti-malware software on all computers in your office. Make sure this software is configured to update itself automatically on a regular basis and that real-time scanning is enabled (this will scan incoming emails and downloads). While it didn’t work in this situation, using brand-name anti-virus software should protect you from or warn you of an infection in most cases.
- If you ever find a computer has been infected with a trojan or other malware, you should immediately disconnect it from the internet and your network. Make sure the malware is removed before the computer is reconnected.
- Use a firewall to block all unnecessary incoming and outgoing connections to your network.
- Enforce a password policy that requires complex passwords and regular password changes. People should be strongly discouraged from using the same password for everything.
- Ensure that programs and users of a computer use the lowest level of privileges necessary to complete their tasks. In other words, regular users should not have administrator level privileges to their computers.
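The first two points above (monitor account activity; an infrequently used trust account that had never sent a wire suddenly wiring funds overseas on three consecutive days) can be turned into a simple review rule. The following is an added example, not LAWPRO's or any bank's code; it assumes a constructed ledger format, "CA" as the home country and a seven-day velocity window.

```python
from dataclasses import dataclass
from datetime import date

HOME_COUNTRY = "CA"               # wires to any other country are unusual here
REVIEW_FROM = date(2012, 12, 1)   # earlier transactions only build the baseline

@dataclass(frozen=True)
class Txn:
    when: date
    account: str
    kind: str           # "deposit", "cheque" or "wire_out"
    amount: float
    dest_country: str   # payee bank's country for wires, "" otherwise

def wire_alerts(ledger, review_from, window_days=7):
    """Return (date, account, amount, reasons) for each suspicious outgoing wire.
    Wires before `review_from` define which accounts legitimately send wires; wires
    under review never join that baseline, so a hijacked account cannot normalise itself."""
    ledger = sorted(ledger, key=lambda t: t.when)
    wired_before = {t.account for t in ledger if t.kind == "wire_out" and t.when < review_from}
    recent = {}   # account -> dates of wires already seen in the review period
    alerts = []
    for t in ledger:
        if t.kind != "wire_out" or t.when < review_from:
            continue
        reasons = []
        if t.account not in wired_before:
            reasons.append("account has no history of sending wires")
        if t.dest_country != HOME_COUNTRY:
            reasons.append(f"funds leave the country ({t.dest_country})")
        prior = [d for d in recent.get(t.account, []) if (t.when - d).days <= window_days]
        if prior:
            reasons.append(f"{len(prior)} other wire(s) within {window_days} days")
        if reasons:
            alerts.append((t.when, t.account, t.amount, reasons))
        recent.setdefault(t.account, []).append(t.when)
    return alerts

# Constructed sample ledger, not real bank data: an operating account that wires
# domestically each month and a rarely used trust account. "ZZ" is a placeholder country.
LEDGER = [
    Txn(date(2012, 11, 1), "OPERATING", "wire_out", 4200.00, "CA"),
    Txn(date(2012, 11, 5), "TRUST-B", "deposit", 250000.00, ""),
    Txn(date(2012, 11, 20), "TRUST-B", "cheque", 12000.00, ""),
    Txn(date(2012, 12, 3), "OPERATING", "wire_out", 4200.00, "CA"),   # routine, no alert
    Txn(date(2012, 12, 17), "TRUST-B", "wire_out", 95000.00, "ZZ"),   # first-ever wire, abroad
    Txn(date(2012, 12, 18), "TRUST-B", "wire_out", 80000.00, "ZZ"),
    Txn(date(2012, 12, 19), "TRUST-B", "wire_out", 50000.00, "ZZ"),
]
```

Running `wire_alerts(LEDGER, REVIEW_FROM)` flags the three TRUST-B wires and nothing else; the routine domestic wire passes because that account already had a wire history before the review period.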
Here are some other basic security “best practices” you should consider following:
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required.
- Turn off file sharing if it is not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack. This is commonly referred to as “hardening” a computer.
- If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Make sure all computers are running the most up-to-date software, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Configure your email server to block or remove email that contains “executable” file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
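The last point above is easy to get subtly wrong: a filter that compares extensions case-sensitively misses `.EXE`, and one that looks only at the name misses an executable renamed to `.pdf`. The following is an added example, not LAWPRO's or any mail vendor's code; it uses Python's standard `email` package, the extension list from the post (illustrative, not exhaustive) and a constructed sample message.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the post names; an illustrative list, not an exhaustive one.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
PE_MAGIC = b"MZ"   # first two bytes of every DOS/Windows executable

def attachment_verdicts(raw_message: bytes):
    """Return (filename, reason) for each attachment that should be blocked.
    Extension matching is case-insensitive and looks only at the final extension,
    so double extensions such as "Statement.PDF.exe" are still caught; the magic-byte
    check catches executables renamed to look like documents."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        if any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            findings.append((name, "blocked extension"))
        elif payload.startswith(PE_MAGIC):
            findings.append((name, "executable content disguised by filename"))
        elif not name:
            # policy choice: refuse attachments we cannot even name in a log line
            findings.append(("<unnamed>", "attachment without a filename"))
    return findings

def build_sample() -> bytes:
    """Construct a sample message (not a real email) with one clean and two bad attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "bookkeeper@example.com"
    msg["Subject"] = "Account statement"
    msg.set_content("Please see the attached statement.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="Statement.PDF.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")   # renamed executable
    return msg.as_bytes()
```

`attachment_verdicts(build_sample())` returns two findings: the double-extension file by extension and `invoice.pdf` by its executable header, while the genuine PDF passes.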
Please seek help from a knowledgeable person if you do not have the technical expertise to implement the above protections yourself.
August 07, 2015 at 1:57 pm, Oloff Biermann said:
I received the same e-mail a few days ago which you described in your “fraud alert to the profession”, dated August 6, 2015. I did not open the attachment or send it to anyone but deleted the e-mail. It sits in my deleted e-mails. Am I at risk of infection by the Trojan virus?
August 10, 2015 at 10:41 am, TimLemieux said:
If you didn’t open the attachment and just deleted the email, you should be fine. If you have any concerns or notice any of the activities described in the post, you can run your virus checker (and make sure it has the latest updates).