[BreachExchange] Town of Hollywood Park attempting to recover nearly $200, 000 stolen in 2019 cyber theft

[Destry Winant]

https://www.ksat.com/news/local/2020/08/17/town-of-hollywood-park-attempting-to-recover-nearly-200000-stolen-in-2019-cyber-theft/

On March 5, 2019 someone attempted to steal nearly half a million
dollars from the sleepy San Antonio suburb of Hollywood Park. The
thieves were likely international cyber-criminals, but 17-months
later, no one has been arrested for the crime.

With the help of the United States Secret Service, the town managed to
recover nearly $300,000 of the missing money, but there’s still a
dispute over who should be held responsible for the nearly $200,000
that ended up in a bank in Turkey.

Hollywood Park Mayor Chris Murphy recently recalled the moment he
learned about two large, unauthorized wire transfers from the town’s
bank accounts on March 6, the day after the money had been moved.

“We got a call from Frost Bank asking us to confirm the two wire
transfers and we said, ‘No, we didn’t authorize any wire transfers. We
don’t do them.’” Murphy said. “I got physically sick to my stomach. I
couldn’t fathom that it could even happen.”

Murphy says he immediately went to police chief Shad Prichard's office
and an investigation was launched. They soon learned someone had
transferred a total of $486,766.82 from city funds at the same time a
city employee was processing payroll the day before.

Prichard called in the U.S. Secret Service to assist in the investigation.

“They dropped what they were doing and came to our aid and their six
hours of work saved us a considerable amount of money and trouble,”
Prichard said.

Secret Service agents traced one of the transfers for $192,883.31 to a
San Antonio Bank of America account, but the money had already been
moved to an off-shore bank account located in Turkey.

Agents were able to seize nearly $293,883.31 from the second wire
transfer, thanks to an alert banker at a San Antonio Wells Fargo
branch who thought the transaction was suspicious and froze the funds.

“(The banker) was trying to execute, on behalf of one of their
customers, a transfer from a one day old bank account with Wells Fargo
to a personal Wells Fargo account and she saw enough suspicious
looking elements to call Frost (Bank) to find out if that was indeed a
legitimate wire transfer,” Murphy said. “The Secret Service agents
were pretty clear that had that not happened that quickly. We very
likely would be out the entire amount.”

The Secret Service seized the money and continued their investigation.
Agents ruled out any Hollywood Park city employees being involved as
well as anyone at Frost Bank. A analysis of the city’s finance
computer used to make the wire transfers revealed it was infected with
malware designed to steal financial information. It was a simple spam
email that let the banking trojan virus into the town’s system.

“How it spreads is these fake PayPal invoices. It’ll give you this red
flag, past due or confirm your account, it’s been locked out. You
know, these are those spam emails that you see and you probably see
them every day,” Prichard explained. “That malware gets downloaded by
using those e-mail spams. That’s how Emotet, the trojan virus that
affected us, gets into our system. So an employee, especially a
finance director who is getting invoice after invoice after invoice,
he clicks on the wrong one. Now we’re infected. And if you don’t have
the right protections in place, that perfect storm begins to brew. And
then you lose money.”

Emotet, the malware that was used, was the focus of a 2018 Homeland
Security bulletin that called it “among the most costly and
destructive malware affecting state, local, tribal, and territorial
governments, and the private and public sectors.” According to the
bulletin, “Emotet infections have cost governments up to $1 one
million per incident to remediate.”

Once it infects a computer, it can fool even the most savvy of users.

“It mimics the screen of your banking partner. It can be right over
the top and you never even know it and it knows exactly what it needs
to complete that transaction and it gets it,” Prichard said.

According to Mayor Murphy, the town learned from its IT provider that
all of their computers had cyber-threat protection software except for
the one that became infected. Turns out, the IT company had removed
those protections from the finance computer three months earlier when
downloading new software and had failed to reinstall the malware
protection.

Making matters worse, the mayor learned from Frost Bank that their
depository agreement, signed in 2009, had been expired for five years
and there were no protections in place.

“The law requires it to be done every five years but none of the five
prior mayors to me knew about it, nor I,” Murphy said. “In fact, when
I took the oath of office, all they asked me to do is sign a card for
signatures. I would have been glad to sign something that would have
provided us with updated cybersecurity protocols, alerts and
safeguards.”

Murphy believes had that agreement been up to date, they would have
been covered for the loss. He said Frost Bank insisted on signing a
new agreement after the incident and that it offered more protections
than the 2009 agreement.

“A whole category of cyber protection. It wasn’t existent in the
original depository agreement. That would be the key difference. It’s
just exactly the kind of thing that happened to us,” Murphy said.

Murphy sent an email to Frost Bank executives in June 2019, asserting
the bank was partially responsible because they failed to notice the
suspicious nature of the transaction.

On June 4, Murphy wrote, “We have yet to execute an outgoing wire
transfer since our agreement was signed in 2009. As our competent
banking partner, we expect and trust you to at least verify
suspicious, extremely large, and unusual withdrawal requests. One was
made by a one day old account.”

The bank pushed back in an email dated June 18, sent by Senior Vice
President, Anthony White. It stated the bank’s position and pointed
out numerous missteps made by the town of Hollywood Park including IT
equipment that “had been infected with multiple viruses and malicious
software.”

The bank executive wrote, “It appears that a fraudster took control of
a City employee’s PC and used that employee’s security credentials to
access Cash Manager and initiate two wires. The fraudster then sent
pop-op messages to the same City employee and enticed the employee to
use another employee’s security credentials to approve the wires. The
City employee informed Frost Bank fraud officers and US Secret Service
that he had used security credentials belonging to another employee on
this occasion and on numerous previous occasions. Sharing log-in
security credentials is a serious compromise of electronic security
protocols and is a violation of the Treasury Management Agreement with
Frost Bank.”

The bank also brushed off the mayor’s assertion that they should have
noticed something was suspicious about the transactions.

“Both wires went to domestic banks. There was nothing unusual or
noteworthy about the wires that would have caused Frost to hold them.
The Town of Hollywood Park has initiated large wires via Cash Manager
previously. For example, the City executed a $400,000 wire on February
4, 2016,” White wrote.

Bill Day, senior vice president, corporate communication for Frost
Bank, said the letter sent by White last year remains the bank’s
position today. He said the incident “resulted from failed security
measures at Hollywood Park.” As far as they are concerned, the issue
has been resolved.

When asked if an updated depository agreement would have protected
Hollywood Park, Day said in an email, “For confidentiality reasons,
I’m not able to discuss specifics of customer accounts. I can say
generally that even if a depository agreement had expired, that does
not absolve either party from their respective responsibilities. For
example, an expired agreement doesn’t absolve an account owner from
ordinary care in managing their accounts and security. Also,
municipalities are required by state statute to issue a request for
proposal for bank services at least every five years, so it’s
incumbent on municipal customers to keep their accounts up to date.”

While Murphy was hopeful the two sides could come to an agreement to
recoup the nearly $200,000, it appears the city will likely never
recover the stolen money.

“I’m shocked and still disappointed. I’m still hopeful that they’ll
want to make us whole and do right by us,” Murphy said. “Fortunately,
we’ve been in sound financial shape and we can weather this storm. It
would have been a completely different story had that teller with
Wells Fargo not been alert and allowed the Secret Service to freeze
that $300,000.”

Murphy said the town is no longer banking with Frost and they have
improved their cyber security and continue to educate their citizens
about the dangers of cyber criminals.

The Secret Service said they couldn’t comment because the case is
still open but did confirm no arrests have been made.