Russian-Ukrainian cyber-gang steals millions to launder through money mules

The real key to the gang’s success? The accomplices, who were hired to make bank transfers from their own accounts, essentially laundering the stolen loot

Security researcher Brian Krebs found that Chelan County Public Hospital No. 1, part of the Cascade Medical Center in Leavenworth, Wash., had been breached by hackers, who were later found to have siphoned out $1.03 million from the hospital’s payroll account into 96 different bank accounts across the country.

The real key to the gang’s success? The accomplices, who were hired to make bank transfers from their own accounts, essentially laundering the stolen loot. The group “appears to have a well-oiled mule-recruitment machine going 24/7,” Krebs noted.

This machine, he said, is a real differentiator. Cashing out and laundering money from hacked accounts is a “complex, time-consuming process,” which is typically contracted out to third parties in exchange for a 40% to 60% cut of the haul.

But the gang, operating under the name Best Inc., has looked to do it all in-house – which is not without its challenges. “Just as real-life bank robbers are restricted in what they can steal by the amount of loot that they can physically haul away from the scene of the crime, the crooks behind these cyberheists are limited in how much they can steal to how many money mules they can recruit to help launder the fraudulent transfers,” he said. “That’s because unless the mules have access to business accounts that can receive and forward much larger wire transfers, the amounts sent to mules typically range from just below $5,000 to slightly less than $10,000.”

Krebs spoke to two of the accomplices personally, thus learning of the breach. Edwin Walker of Alpharetta, Ga., received and processed a $4,970 transfer on April 20 after being told he was forwarding payments to software developers who worked for the company’s overseas partners.

Jesus Contreras from San Bernardino, Calif., was similarly instructed to take $9,180 and send nearly equal parts via Western Union and MoneyGram to four individuals, two in Russia and two in Ukraine, reported Krebs.

Here’s how Krebs said it played out:

"Contreras had been out of work for more than two months when he received an email from a company calling itself Best Inc. and supposedly located in Melbourne, Australia. Best Inc. presented itself as a software development firm, and told Contreras it’d found his resume on Careerbuilders.com. Contreras said the firm told him that he’d qualified for a work-at-home job.

Could he start right away? All he needed was a home computer. He could keep eight percent of any transfers he made on behalf of the company. Contreras said he was desperate to find work since he got laid off in February from his previous job, which was doing inventory for an airplane parts company.

His boss at Best Inc., a woman with a European accent who went by the name Erin Foster, called Contreras and conducted a phone interview in which she asked about his prior experience and work-life balance expectations. In short order, he was hired. His first assignment: To produce a report on the commercial real estate market in Southern California. Contreras said Ms. Foster told him that their employer was thinking of opening up an office in the area.

Shortly after he turned in his research assignment, Contreras received his first (and last) task from his employer [which was to make the money transfer]."

Contreras found out that he had been scammed and implicated in money-laundering only when Bank of America froze his account.

The Chelan County treasurer’s office has recovered only about $133,000 of the lost funds. But Krebs explained that it could have been worse. “The Chelan County bank accounts that were hacked also are used to administer 54 other junior taxing districts in the county,” he said. “My guess is this attack would have been worse, but that the fraudsters simply exhausted their supply of money mules.”

Meanwhile, Best Inc. has been unmasked for what it is: just another iteration of a well-known organized cybercrime syndicate. Krebs said that it has been hitting SMB organizations for the past five years, recognizable by distinguishing signatures on the fake web pages that it uses. “They’ve stolen many, many times more than the millions taken from Chelan County, from hundreds of victim organizations,” Krebs said. “In fact, this gang appears to have been involved in nearly every cyberheist I have written about for the past four years.”
