Cyber Gangs Hit Healthcare Providers
Monday, September 28, 2009; 4:03 PM
Organized cyber thieves that have stolen millions from corporations and schools over the past few months recently defrauded several health care providers, including a number of non-profit organizations that cater to the disabled and the uninsured.
The victims are the latest casualties of an online crime wave being perpetrated against U.S.-based organizations at the hands of cyber thieves thought to be based out of Eastern Europe.
On Sept. 9, crooks stole $30,000 from the Evergreen Children's Association (currently doing business as Kids Co.), a non-profit organization in Seattle that provides on-site childcare for public schools.
Kids Co. chief executive and founder Susan Brown said the attackers tried to send an additional $30,000 batch payment out of the company's account, but that her bank blocked the transfer at her request.
"Now we're in this battle with our bank, because my staff accountant checks the account every day, and we notified the bank before this money was stolen and the transfer still went out," Brown said.
Then last week, criminals targeted Medlink Georgia Inc., a federally qualified, not-for-profit health center that serves the uninsured and under-insured. The thieves stole the user name and password to Medlink's online banking account, and used that access to send more than $44,000 to at least five different "money mules," people wittingly or unknowingly recruited via online job scams to help criminals launder stolen funds. The mules typically are told to wire most of the funds they receive to the criminals abroad (minus a small commission).
Gary Franklin, MedLink Georgia's chief financial officer, said the company's bank reversed some of the fraudulent transfers, but that it looks like transfers to two of the mules -- worth $15,000 -- may never be recovered.
Also last week, unknown hackers stole nearly $200,000 from Steuben ARC, a Bath, N.Y.-based not-for-profit that provides care for developmentally disabled adults. The fraudulent transfers were sent in two batches to at least 20 different money mules around the nation. Steuben's bank blocked the second batch, for a total of $103,000, and a portion of the $93,000 worth of bogus transfers from the second batch.
Steuben's director of finance, Anita Maroscher, said the company is still trying to recover some $42,000 in stolen funds.
Bob Haley, Steuben's director of information technology, told Security Fix that the thieves were able to steal the company's online banking credentials through a piece of keystroke-logging malware disguised as a shipping invoice that was sent via e-mail to one of Steuben's accountants.
"It went through this lady's computer, there was a file called 'dhlinvoice.zip' that she mentioned having opened while checking her Web mail at work," Haley said. "She said there wasn't anything she recognized in [that invoice], but there was a Trojan horse in it."
The Trojan horse in question was none other than Clampi, by many accounts one of the most sophisticated pieces of malware in distribution today. Clampi is so complex and clever that some of the smartest security researchers out there are still trying to decode all of its functionality and features. Researchers at Symantec last week just posted what they say will be the first in a series of writeups discussing various aspects of Clampi.






