Hackers preying on smaller companies

  • Article by: DAN BROWNING, Star Tribune
  • Updated: March 21, 2011 - 5:41 PM

Crime rings use sophisticated social engineering skills and computer viruses to steal from firms that lack the necessary defenses.


Executives at the North Country Health Services in Bemidji have no idea how a hacker invaded the center's online bill payment system and pilfered data on nearly 350 of its customers' bank accounts, credit and debit cards.

Like most small to midsized businesses that fall prey to such heists, North Country probably never will.

Experts say few local law enforcement agencies have the resources to solve these crimes. And the state and federal agencies that do are so busy that they have to "triage" the cases, focusing on cyber attacks that involve huge losses or links to organized crime or national security threats.

In the past year, several federal agencies and industry associations representing banks and electronic payments firms have issued warnings and held seminars about the growing threat of corporate account takeovers.

Experts say highly skilled cyber criminals -- most based in Eastern Europe or former Soviet states -- have been using a powerful combination of social engineering techniques and computer "malware" to break into accounts of small to midsized U.S. firms, religious organizations, charities, municipalities and school districts nationwide.

"I guarantee you, your turn is coming," John McCullough, the former civilian director of the Minnesota Financial Crimes Task Force, told about 140 banking, insurance and cyber-security professionals at a recent conference.

The targets tend to lack the sophisticated security systems found in large corporations and financial firms. And their deposit and purchasing systems offer richer rewards than random consumer accounts.

No one knows how much the thieves are getting away with because the crimes frequently go unreported by businesses for fear of tarnishing their reputations. For similar reasons, banks "absolutely are not going to report it," said Claudia Swendseid, a senior vice president with the Minneapolis Fed and an expert on electronic payments systems.

The Federal Deposit Insurance Corp. (FDIC) used to issue reports on the problem, but that task has been turned over to the FBI, whose data are incomplete and woefully out of date, Swendseid said.

One recent FBI report on the problem cited a study by Sterling, Va.-based Neustar Inc., which concluded that several successful cyber attacks on U.S. businesses occur daily, "resulting in the irretrievable loss on average of between $100,000 and $200,000 per victim."

Consumers are generally indemnified against unauthorized charges on their credit cards, and they have 60 days to notify banks of improper withdrawals from their bank accounts. Businesses, however, generally have just two workdays to reverse an unauthorized withdrawal. A number of lawsuits have been filed over who's at fault when accounts are hacked; most settle with undisclosed terms.

Swendseid said the FBI has about 350 active cases under investigation.

North Country learned that its online accounts had been compromised in April, when a local bank reported that one of the hospital's 900 employees had improperly spent money from a health savings account on retail purchases, said Joy Johnson, vice president for marketing. The hospital quickly determined that an outsider had infiltrated its payments database and used customized software to purloin the employee's account.

"We were pretty surprised because you think about it occurring in bigger companies where there's more at risk," Johnson said. "You hear about cybercrime but you don't think about it affecting you directly."

She said North Country had no choice but to shut down its online payments and won't restore the system until an outside company with security expertise can be hired to run it. The cost hasn't been determined yet.

Jaeger Bellows, a Bemidji Police investigator, said overseas hackers made about $14,000 in purchases from about 50 accounts before they could be closed. He said the goods were sent all over the country, as well as overseas. Typically, "money mules" would buy gift cards to launder the cash. Any merchandise purchased could be returned for refunds or sold. The cash would then be wired overseas, with the mules keeping a cut of 8 to 10 percent.

Bellows sought help from the FBI and the Minnesota Financial Crimes Task Force, a multi-agency group that works on major crimes. "I couldn't find any takers," he said. The losses and number of victims were just too small for those agencies, Bellows said.

Cyber criminals often rely on automated programs to find unprotected computers and plant harmful software, which can turn infected computers into a network of drones called "botnets." To get around defenses like anti-virus software and firewalls, hackers will send out "phishing" e-mails to entice the recipients to visit infected websites, open infected files or view photos that plant harmful code, including "keyloggers," on their computers.

In one novel case discovered this year by Atlanta-based SecureWorks, hackers in Russia broke into digital warehouses that store images of executed checks and printed off an estimated $9 million in counterfeits. Like other scams, it also relied on a network of money mules.

Hackers also alter legitimate websites by planting phony log-in buttons that users click to enter their credentials, then capture passwords, account numbers and answers to security questions. The information is used to drain accounts, sometimes even while the account holder is still online.

Attacks on business accounts often involve "spear phishing," a technique similar to phishing that targets individuals who might have a company's computer credentials. Hackers often extract information about their targets from social networking sites.

Wenlock Free, vice president of business development for SecurityMetrics, demonstrated several of these methods as well as a "live hack" at a recent seminar in Bloomington. He said crooks also sometimes plant infected USB drives around a target's office, or send targeted executives "thank you gifts," such as an iPhone, that will get the hackers directly inside a company's network.

Once inside, the thieves can send money by wire or the Automated Clearing House (ACH) system. The ACH system is the nation's primary electronic funds transfer network. It relies on credits and debits to move money electronically, and provides the two-day buffer to reverse erroneous or fraudulent transfers. Direct wires have no such buffer. They are used for much larger transactions, but they get more scrutiny.

The FBI, working in concert with law enforcement in Britain, the Netherlands and the Ukraine, announced Oct. 1 that it had broken up a ring that allegedly hacked into the computers of 390 U.S. companies and tried to steal $220 million; $70 million of that was lost over the past four years.

The investigation, dubbed Operation Trident ReACH, found that the thieves had set up a network of some 3,500 money mules who received transfers from the hacked accounts, then wired money to overseas drop sites. According to BankInfoSecurity.com, the United States charged 92 suspects; British authorities arrested 19; and Ukrainian authorities arrested five.

"The whole ACH thing is really interesting because you know, that's the mother lode," said Craig Sorum, supervisor of the FBI's Cyber Crime Task Force in Minneapolis. Once a crook plants malware on a computer "they can see everything," including nearly any security measures a business relies on to authenticate its accounts, he said.

Jeff Chisolm, owner of the Mad Capper Saloon & Eatery in Stillwater, said a hacker infiltrated his customer database in January and stole credit and debit card information. The hack took place just one month after he had upgraded his computer systems to comply with what are known as Payment Card Industry (PCI) data security standards, he said.

The crooks ran up charges on his customers' accounts, buying merchandise and gift cards at Walgreens, Target stores, Wal-Marts and other retailers, mostly in Southern states. The hackers covered their tracks through a network of proxy servers, said Kyle Sykes, an investigator with the Stillwater Police, adding that the city lacks the resources to chase them.

"When we did petition the other agencies who could help us out, they were kind of reluctant in expending their resources on something that they felt strongly would lead them overseas," Sykes said.

Chisolm gave a copy of his hard drive to federal investigators, but said he never heard from them. He hired his own data forensics expert, who found malware on his system. He still doesn't know how it got there. Visa fined him $5,000 for the breach, he said, and MasterCard fined him $2,500. All told, Chisolm said he's spent $20,000 as a result of the hack.

"That's a $20,000 nick in my bottom line," he said. "It's a killer."

Dan Browning • 612-673-4493

  • related content

  • Protect your business bank accounts

    Saturday November 20, 2010

    1. Electronic banking should be done by two different people, one to initiate and one to confirm a transaction.
