California escrow firm shuttered after cyberthieves drained it of $1.5 million

An escrow firm in the US state of California has been run out of business and its nine employees laid off, after a remote access Trojan planted on its system drained it of $1.5 million.

As reported by security journalist Brian Krebs, the funds got swindled in three fraudulent wire transfers.

The first transfer, about $432,215, went to Moscow, and two more, totaling $1.1 million, went to a notorious cyberthievery destination: the Chinese province of Heilongjiang.

Problems at the firm, Efficient Services Escrow Group, began in December 2012 with the first fraudulent transfer to Moscow.

The next two bogus transfers funneled funds to Heilongjiang in January.

As Krebs notes, this same Chinese province was the subject of a 2011 FBI alert [PDF].

The alert warned that $20 million had been sucked out of small to mid-sized businesses through bogus wire transfers sent to Chinese economic and trade companies in 2010.

The companies receiving the stolen funds were registered in port cities located near the Russia-China border.

Now, whatever money Efficient Services has left is under the control of a court-appointed state receiver, who plans to sue the victimized company’s bank in an effort to claw back the stolen funds.

Efficient Services managed to recover the wire to Russia, but getting the $1.1 million back from China has proved to be far more difficult.

When the company reported the crime to state regulators, as required by California law, it was given three days to scrape together enough to replace the looted amount.

When the firm failed to do so, the state stepped in and closed it down.

Krebs reports that up until a few weeks ago, the firm’s money had been locked away from access in a state-established conservatorship.

The state in early July appointed a receiver, Peter A. Davidson, of Ervin Cohen & Jessup LLP, in Beverly Hills, to wind things up (or down, as the case may be).

Davidson told Krebs that he and Efficient Services are now contemplating how the money might be recovered from the bank, First Foundation.

Efficient Services co-owner Daniel J. Crenshaw told Krebs that the bank issued a report soon after the heist that concluded that the money had actually been embezzled by one of the company’s employees.

The bank backed off the claim after the state appointed a forensics expert who found that Efficient Services’ system had, in fact, been compromised by a Trojan before the fraudulent wire transfers hit.

The bank’s business customer logins had been protected by a username, password and dynamic token code, but Davidson said that the one-time token wasn’t working at the time of the fraud.

Unfortunately, by the time the forensics expert weighed in, Efficient Services was already out of business, its employees laid off.

Davidson, for his part, wants to know why the bank didn’t slam the brakes on the out-of-character overseas transfers in the first place:

“This company had never sent wires overseas before. Why not pick up the phone and confirm the transaction? That’s where I think the bank may have some problems.”

But a bank fraud expert and independent security consultant, Charisse Castagnoli, told Krebs that only a handful of large banks offer country-blocking capability for wire transfers.

The smaller financial institutions hand over the job to third-party service providers that don’t offer such capability, she said.

Nor do businesses such as title and escrow firms always think to ask for limits – until, that is, a disaster like this one strikes:

“It’s not widely implemented. On the wire side, there are just a few providers - Fedwire and ACI Worldwide are the big ones — and these software systems are ancient. Most smaller banks use a service provider that handles the Web site and plugs into these wire systems. Why aren’t there better controls available to businesses and banks so they can manage specific business risks in more appropriate ways? The answer is lack of imagination and lack of capabilities at the software layer. And if customers aren’t demanding it, why would banks spend probably hundreds of thousands to integrate that capability?”

Krebs’s story is, as always, full of much more detail, including other cases of title and escrow firms getting ripped off, so please do read his article.

He’s also pointing readers to his collection of Online Banking Best Practices for Businesses: a useful set of tips on everything from not using Windows if at all possible (most malware runs in Windows), to keeping up with patching (with suggested tools to alert you to updates), to requiring two people to sign off on transactions, and much more.
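The controls discussed above (customer-set country blocks, a confirmation call before an account's first overseas wire, and two-person sign-off) can be combined into a single pre-release check. This is an added example, not code from Krebs, the bank or any wire provider; the class names, the dollar threshold and the sample wires are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Wire:
    account: str
    amount: float
    dest_country: str                      # ISO 3166-1 alpha-2 code
    approvers: set = field(default_factory=set)

@dataclass
class AccountPolicy:
    home_country: str = "US"
    blocked_countries: frozenset = frozenset()   # set by the customer
    dual_approval_over: float = 10_000.0         # constructed threshold
    seen_countries: set = field(default_factory=set)  # confirmed destinations

def review_wire(wire, policy):
    """Return (decision, reasons); decision is 'release', 'hold' or 'reject'."""
    if wire.dest_country in policy.blocked_countries:
        return "reject", ["destination country blocked by customer"]
    reasons = []
    overseas = wire.dest_country != policy.home_country
    if overseas and wire.dest_country not in policy.seen_countries:
        reasons.append("first wire to this country: confirm by phone")
    if wire.amount > policy.dual_approval_over and len(wire.approvers) < 2:
        reasons.append("needs a second approver")
    return ("hold" if reasons else "release"), reasons

def confirm_by_phone(wire, policy):
    """Record a destination only after an out-of-band call to the customer."""
    policy.seen_countries.add(wire.dest_country)

if __name__ == "__main__":
    # Constructed scenario: an account with no history of overseas wires.
    policy = AccountPolicy(blocked_countries=frozenset({"CN"}))
    samples = [
        Wire("escrow-1", 5_000.0, "US", {"alice"}),
        Wire("escrow-1", 432_215.0, "RU", {"alice"}),
        Wire("escrow-1", 500_000.0, "CN", {"alice", "bob"}),
    ]
    for w in samples:
        print(w.dest_country, w.amount, review_wire(w, policy))
```

The history of confirmed destinations is only updated through `confirm_by_phone`, so a compromised workstation that submits the wire cannot also vouch for it.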

Beyond that, I would suggest looking into cyber liability insurance.

Too many businesses think they’re covered by general liability policies, only to find, far too late, that these policies don’t cover cyber theft.

I’m sure that none of these tips offer much consolation to Efficient Services and its staff of nine newly unemployed workers.

To them, my condolences, and good luck with retrieving as much of the pilfered funds as possible.
