[Tech-l] FW: [Mail_treas] FRAUD ALERT
Thor Sage
sage at mveca.org
Thu Apr 25 12:14:15 EDT 2019
Good afternoon!
I wanted to share the message below with those responsible for cyber security and awareness in your districts. This is happening all over Ohio and beyond. Please make sure your malware protection is up-to-date and fully deployed and consider recurring awareness training for your staff. Let me know if you need assistance.
Thanks
Thor
Thor Sage
Executive Director
Miami Valley Educational Computer Association
937-767-1468 x3101
Not-for-profit Technology Services for Education and Local Governments
From: mail_treas-bounces at listserv.mveca.org <mail_treas-bounces at listserv.mveca.org> On Behalf Of Pursley, Jacqui
Sent: Thursday, April 25, 2019 11:19 AM
To: oecn_treas at oecn.k12.oh.us
Subject: [Mail_treas] FRAUD ALERT
Hello All,
I just wanted to give you a heads up on an attempted fraud at our district so you can warn your staff what to look for.
Our district was infected by the malware trickbot which steals usernames, passwords, etc. Four of the five staff in the Treasurer's office here were attacked using this malware. There were several incidents but the most severe was an actual breach of our online banking. They had changed the beneficiary ABA and account number for two of our wire templates that we used often and where large amounts were wired. Luckily, (and I must stress that there was definitely some luck involved which makes it even scarier), we noticed the change and were able to correct the templates and let our bank know what had been attempted.
Luckily, the changes the thieves made were enough to make the Treasurer come to me to question why the account looked somewhat different when he was getting ready to wire $2 million dollars. That started us looking more closely. We discovered that on Wednesday April 17, one of our staff had modified 2 templates which was a red flag to us. Since we have a 2 person approval requirement for all changes, they could not complete the change. We knew that staff member would not change the template and remembered that on that day, she was actually unable to get into the bank after her first posting to the online banking system. We had mistakenly attributed that to just one more difficulty we were experiencing district wide because of the malware.
So, what the bank thinks happened is that when she was in the first time that day, they grabbed all of the info she entered including the temporary random access number from her bank fob. Acting quickly, because the fob number is so brief, they entered the online banking system as her and made the changes.
They continued on to attack both another staff member and myself - obviously looking to snag another set of credentials that would let them complete the change. Luckily, we needed to do a wire transfer before they were able to do that and were alerted to the attack. Had they succeeded in getting the other set of credentials, we may not have realized what had happened and may have proceeded with the wire transfer.
My advice to you is - be on hyper alert if your district gets infected with a password stealing malware like trickbot. Don't just assume that any issues or strange incidents on staff computers can be chalked up to the malware issue in your district. Those issues and incidents may very well mean your banking information (or other equally valuable data) is under attack.
Some things that happened here (each person seemed to have a slightly different experience):
1. Not being able to access the online banking system – just won’t load.
2. Sudden shutdown of Google Chrome immediately after entering or approving a payment via the online banking system. When you attempt to sign back in, you get a message that Chrome shut down oddly and asking if you want to restore. When you say yes, the online banking opens exactly where you left off. I learned this was a BIG no-no. If all were well, you would be forced to sign back in after an internet shutdown.
3. When in bank, screen goes blank momentarily then comes back at first greyed out and then in full color.
We also learned that at least one other district has had a similar attack.
This is our second fraud attempt in the last 2 months. The first one was an email from a vendor that we make very large regular payments to asking to be paid by ACH rather than paper check. As we were in the process of implementing ACH vendor payments, we were happy to oblige and requested the banking information to make it happen. There was something just a little fishy about the urgency they were conveying that this happen very soon, so the Treasurer called the person, who said that they had not sent the emails. So we dodged a bullet there. And we implemented a policy that no ACH or Direct Deposit changes could be made without our staff calling the vendor or employee personally and verifying that the request indeed came from them. I would recommend this process to everyone.
I guess bottom line is be very vigilant. The threat is real.
--
Thank you and have a great day!
Jacqueline Pursley
Assistant Treasurer - Revere Local Schools
Phone: 330-556-3111
CONFIDENTIALITY NOTICE: This email is intended only for the addressee(s) and may contain material that is confidential under state and federal law. If you were not an intended recipient, please notify the sender and delete all copies. School District email is to be used only for school purposes. The District may monitor email to and from its network. This email and any response to it may be archived for later retrieval and may constitute a public record and therefore may be made available upon request in accordance with Ohio Public Records law (ORC 149.43).
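The three controls the forwarded message credits with stopping the wire (a template that "looked different" from what was approved, a second person having to approve every change, and a phone call to the number already on file before any beneficiary change is accepted) can be written down as a pre-release check. The following is an added example, not code from the e-mail, the district or its bank; the template records, names, routing numbers and the `pre_wire_check` / `check_all` functions are all constructed for illustration. The ABA check-digit rule (weights 3, 7, 1 over the nine digits, sum divisible by 10) is the real one, and the example deliberately gives the fraudulent template a checksum-valid routing number to show that format checks alone do not catch a substituted beneficiary; only the comparison against the approved baseline does.

```python
# Added example (not from the original e-mail): pre-release check for wire templates.
# Constructed sample data; names and routing numbers are made up for the example.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Template:
    name: str
    beneficiary_aba: str        # 9-digit ABA routing number
    beneficiary_account: str
    modified_by: str            # login the bank attributes the last change to
    modified_at: datetime


@dataclass(frozen=True)
class Verification:
    """Record of a callback confirming new beneficiary details with the payee."""
    template: str
    beneficiary_aba: str
    beneficiary_account: str
    verified_by: str
    number_from_file: bool      # True only if the phone number came from our own records,
                                # never from the e-mail or form that requested the change


def aba_checksum_ok(aba: str) -> bool:
    """ABA routing number check digit: weighted sum (3,7,1 repeating) must be a multiple of 10."""
    if len(aba) != 9 or not aba.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, aba)) % 10 == 0


def changed_fields(current: Template, baseline: Template) -> List[str]:
    """Beneficiary fields that differ from the last approved copy of the template."""
    return [f for f in ("beneficiary_aba", "beneficiary_account")
            if getattr(current, f) != getattr(baseline, f)]


def pre_wire_check(current: Template, baseline: Optional[Template],
                   verifications: List[Verification], approver: str) -> List[str]:
    """Return the reasons to hold a wire on this template; an empty list means it may be released."""
    reasons: List[str] = []
    if not aba_checksum_ok(current.beneficiary_aba):
        reasons.append(f"{current.name}: routing number {current.beneficiary_aba} fails ABA checksum")
    if baseline is None:
        reasons.append(f"{current.name}: no approved baseline on file")
        return reasons
    diffs = changed_fields(current, baseline)
    if not diffs:
        return reasons            # unchanged since last approval: nothing more to check
    # Two-person rule: whoever approves the change must not be the login that made it.
    if approver == current.modified_by:
        reasons.append(f"{current.name}: {', '.join(diffs)} changed by {current.modified_by}; "
                       f"approver must be a different person")
    # Callback rule: the exact new details must have been confirmed by phone to a number on file.
    verified = any(v.template == current.name
                   and v.beneficiary_aba == current.beneficiary_aba
                   and v.beneficiary_account == current.beneficiary_account
                   and v.number_from_file
                   for v in verifications)
    if not verified:
        reasons.append(f"{current.name}: {', '.join(diffs)} changed on "
                       f"{current.modified_at:%Y-%m-%d} and not verified by callback to the number on file")
    return reasons


# Constructed sample: last approved templates vs. what the bank portal shows today.
BASELINE: Dict[str, Template] = {
    "VENDOR-A": Template("VENDOR-A", "111000025", "4407001", "jsmith", datetime(2019, 3, 1)),
    "PAYROLL":  Template("PAYROLL",  "222371863", "9901122", "jsmith", datetime(2019, 3, 1)),
}
CURRENT: Dict[str, Template] = {
    # VENDOR-A beneficiary was silently replaced; the new routing number passes the checksum.
    "VENDOR-A": Template("VENDOR-A", "987654320", "7788990", "jsmith", datetime(2019, 4, 17)),
    "PAYROLL":  Template("PAYROLL",  "222371863", "9901122", "jsmith", datetime(2019, 3, 1)),
}
VERIFICATIONS: List[Verification] = []   # nobody phoned Vendor A about a new account


def check_all(current: Dict[str, Template] = CURRENT,
              baseline: Dict[str, Template] = BASELINE,
              verifications: List[Verification] = VERIFICATIONS,
              approver: str = "treasurer") -> Dict[str, List[str]]:
    """Run the pre-release check over every template; templates with reasons must be held."""
    return {name: pre_wire_check(t, baseline.get(name), verifications, approver)
            for name, t in current.items()}


if __name__ == "__main__":
    for name, reasons in check_all().items():
        print(name, "OK" if not reasons else "HOLD")
        for r in reasons:
            print("   ", r)
```

Run as-is, the PAYROLL template is released and VENDOR-A is held because its beneficiary differs from the approved baseline with no callback on record; adding a `Verification` whose `number_from_file` is `False` (a number taken from the change request itself) still holds the wire, which is the point of the policy in the message.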