New York District Faces $500,000 Loss in Cyber Bank Theft

• By Dian Schaffhauser
• 01/12/10

A school district in New York apparently has been the victim of cyber fraud totaling nearly $3 million. The Duanesburg Central School District in Schenectady County is working closely with the Federal Bureau of Investigation and New York State Police Cyber Crime and Critical Infrastructure Unit to investigate unauthorized electronic transfers of school district funds from its NBT Bank account.

The district first learned of the fraudulent activity Dec. 22, when contacted by an NBT bank representative, questioning the validity of a request for an electronic transfer of funds to multiple overseas accounts that day. Upon confirming with the district that the transfer wasn't authorized, the bank immediately cancelled the pending transaction, which totaled about $759,000.

But the bank also discovered that an additional $3 million in unauthorized electronic transfers to various overseas banks had already been executed over the previous two business days. Friday, Dec. 18, an unauthorized electronic transfer of $1.86 million was made from a district bank account to an overseas bank. Monday, Dec. 21, several different unauthorized electronic transfers totaling $1.19 million were made to multiple overseas locations. Both district representatives and the bank immediately contacted the FBI, which opened an investigation along with the state police.

To date, $2.5 million of the stolen funds have been recovered by NBT Bank, working with several overseas financial institutions.

"Thanks to NBT Bank's aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered," said Superintendent Christine Crowley. "However, $497,200 of Duanesburg taxpayers' money is still missing, and we are committed to doing everything in our power to recover the remaining funds."

To prevent any district bank accounts from being further compromised, the district closed all of its bank accounts and established new ones with restricted online access.

In a letter distributed to the district community, the district said it was the victim of a cyber crime, but it's still unable to say how the unauthorized transfers occurred.

In November, the federal Internet Crime Complaint Center (IC3) had issued an "intelligence note," reporting that the FBI had seen a significant increase in fraud involving "the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts."

Some security experts are suggesting that the NY district had been a victim of an online banking Trojan. The Trojan is planted on unwitting users' computers through phishing, sending out what appears to be an e-mail message from a trusted source that actually includes a malware link or an infected attachment. Once the user clicks the link or opens the attached file, the banking Trojan is planted on his or her computer.

Thereafter, according to the IC3, the malware contains a key logger that will harvest the recipient's business or corporate bank account login information. "Shortly thereafter, the perpetrator either creates another user account with the stolen log-in information or directly initiates funds transfers by masquerading as the legitimate user. These transfers have occurred as both traditional wire transfers and as ACH transfers."