US construction company sues bank over cyber-heist

TEC Industrial sues TriSummit Bank after cyberheist perpetrated by gang based in Eastern Europe

A US heavy industrial construction company is suing its bank after losing $327,000 in a cyber attack, claiming negligence on the part of the bank and breach of contract after it was subject to a "corporate account takeover" in a sophisticated sting.

The company was only alerted to the sting days after it was attacked when it was contacted by security blogger and journalist Brian Krebs.

In a local filing, the Kingsport, Tennessee-based company claims that its bank, TriSummit Bank, failed to conduct sufficient due diligence checks to ensure that the line-of-credit extended to cover its weekly payroll was protected from cyber thieves. That arrangement was started in 2010 when a telephone verification and authorisation process was agreed for security.

"Initially, [the bank] employed no security measures to verify that the files uploaded by the Plaintiff each Tuesday were in fact the Plaintiff's files and/or that the individual payment orders to the individual employees were actually authorised by the Plaintiff," argues the complaint. Three to five files were uploaded via the Bank's website each week to pay between 350 and 400 employees.

However, in May 2012, TEC Industrial was the target of a corporate account takeover that saw cyber thieves use a network of more than four dozen money mules to siphon $327,804 from the company's accounts at TriSummit Bank.

At the time, the company complained to the Bank that it was unable to log into the Bank's website, but was told that this was probably due to maintenance of the website. Instead, representatives of the company delivered the payroll files in person, at the Bank's Kingsport branch.

"On May 9, 2012, Plaintiff received two telephone calls during the lunch hour from a 'Jim' who identified himself as being with Defendant's 'IT Department' and who stated that he wanted Plaintiff to log onto Defendant's website for on-line banking to determine if the website was fixed. 'Jim' called back at approximately 1:28 p.m. and again asked that Plaintiff 'log onto' the Defendant's website," according to the complaint.

It continues: "The Plaintiff's representative told 'Jim' that there was no need to access the website at that time because Plaintiff had the prior day accessed the website to upload the payroll files needed for Plaintiff's payroll for that week. 'Jim' then told Plaintiff to try to log into the website the following day, that the website would be fixed."

However, during the usual call with the bank to authenticate and approve the transfers submitted at the bank branch, the Bank's representative failed to inform the company of an unauthorised $327,804 automated clearing house (ACH) draft. That transaction was broken down into 55 separate transfers that were sent to 55 different accounts across the US.

The company was only alerted to the breach days later, after the transaction had taken place, when security blogger and journalist Brian Krebs warned it that a gang of cyber criminals might have targeted the organisation.

"On the morning of 10 May 2012, the Plaintiff received a call from Brian Krebs, who identified himself as a prior news reporter on cyber crimes, that he had received a tip on a possible 'hacking' of Plaintiff's bank accounts at Defendant for a large sum of money. Krebs said that the source of the 'hacking' might be persons who were located in Russia, the Ukraine or somewhere overseas," states the complaint.

While some of the money was recovered, the company claims that it is still out of pocket and that, in any case, the security breach occurred due to a lapse in security by the Bank.

Krebs claims that the cyber-gang was able to conduct the attack by planting keystroke-logging malware inside the company in order to steal its online banking passwords.

"When I spoke with Tennessee Electric's controller back in 2012, the controller for the company told me she was asked for, and supplied, the output of a one-time token upon login. This would make sense given the controller's apparent problems accessing the bank's website," writes Krebs.

He continues: "Cyber thieves involved in these heists typically use password-stealing malware to control what the victim sees in his or her browser; when a victim logs in at a bank that requires a one-time token, the malware will intercept that token and then redirect the victim's browser to an error page or a 'down for maintenance' message - all the while allowing the thieves to use the one-time token and the victim's credentials to log in as the legitimate user."
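The two failures described above, the bank's verification call missing a 55-way ACH draft and the thieves logging in with a stolen one-time token, share a lesson: valid credentials say nothing about whether a batch is legitimate. The following is an added example, not code from the article, the bank or Krebs, of a transaction-level check a bank or a payroll department could run against a client's known payroll profile before releasing a batch; all names, thresholds and account values are constructed assumptions.

```python
# Added example (not from the article or TriSummit Bank): hold an ACH batch for
# out-of-band confirmation when it deviates from the client's payroll profile,
# regardless of whether the upload came with valid credentials and a token.
from dataclasses import dataclass


@dataclass
class Transfer:
    account: str    # destination account identifier (constructed sample values)
    amount: float


@dataclass
class PayrollProfile:
    known_accounts: set    # accounts paid in previously approved batches
    min_count: int         # expected number of transfers per batch
    max_count: int
    typical_total: float   # typical weekly batch total
    max_item: float        # largest single pay item seen historically


def review_batch(profile: PayrollProfile, batch: list) -> list:
    """Return the anomaly flags for a batch; an empty list means it looks routine."""
    flags = []
    count = len(batch)
    total = sum(t.amount for t in batch)
    new_accounts = [t for t in batch if t.account not in profile.known_accounts]
    if not profile.min_count <= count <= profile.max_count:
        flags.append(f"transfer count {count} outside {profile.min_count}-{profile.max_count}")
    if total > 1.25 * profile.typical_total:
        flags.append(f"batch total {total:.2f} exceeds 125% of typical {profile.typical_total:.2f}")
    if count and len(new_accounts) / count > 0.05:
        flags.append(f"{len(new_accounts)} of {count} destinations never paid before")
    big = [t for t in batch if t.amount > 2 * profile.max_item]
    if big:
        flags.append(f"{len(big)} items exceed twice the largest historical pay item")
    return flags


def requires_callback(profile: PayrollProfile, batch: list) -> bool:
    """Any flag means the batch is held until the client confirms its details by phone."""
    return bool(review_batch(profile, batch))


# Constructed sample data (not real accounts): a routine payroll and a mule-style batch
# shaped like the one in the article: 55 transfers, 55 previously unseen destinations.
KNOWN = {f"ACCT{i:04d}" for i in range(400)}
PROFILE = PayrollProfile(KNOWN, 350, 400, 400_000.0, 2_500.0)
ROUTINE = [Transfer(f"ACCT{i:04d}", 1_000.0) for i in range(380)]
SUSPECT = [Transfer(f"MULE{i:02d}", 327_804.0 / 55) for i in range(55)]
```

The routine batch produces no flags, while the mule-style batch trips the count, new-destination and item-size checks even though its total is below the client's usual weekly payroll.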

The case represents one of the first in which a company has sued a bank in order to recover funds stolen in a cyberheist.

Krebs advises organisations conducting business with their bank online to adopt a variety of extra security procedures, including running their online banking sessions from a version of Linux booted solely from a LiveCD or USB stick.