Krebs on Security's Brian Krebs reports that North Carolina's Park Sterling Bank (PSB) is suing customer Wallace & Pittman PLLC, a law firm, demanding that it repay a loan the bank had provided to Wallace & Pittman to cover funds stolen by hackers.
The hackers had initiated a fraudulent wire transfer for $336,000 from Wallace & Pittman's account on May 9, 2012, using the account's user name, password, PIN code and security questions. "PSB processed the wire transfer, which was sent to an intermediary bank -- JP Morgan Chase in New York City -- before being forwarded on to a bank in Moscow," Krebs writes.
According to Krebs, the law firm believes the account credentials were stolen via keylogging malware that had been delivered in a phishing e-mail posing as a message from the National Automated Clearing House Association (NACHA).
The bank provided the law firm with a credit for the stolen amount, with the understanding that the loan would have to be repaid by the end of the month. Soon after, though, the law firm filed a complaint against the bank in court, obtained a temporary restraining order keeping the bank from retrieving the money, and removed all funds from its accounts at the bank.
Park Sterling Bank is now suing Wallace & Pittman for the funds transferred plus interest.
In response, the law firm says the credit was never identified as a loan. "Wallace & Pittman said the bank didn’t start calling it a provisional credit until nearly 10 days after it credited the law firm’s account; to backstop its claim, the firm produced an online ledger transaction that purports to show that the return of $336,600.61 to the firm’s accounts was initially classified as a 'reverse previous wire entry,'" Krebs writes.
Additionally, Wallace & Pittman claims PSB's security measures were insufficient, stating, "The bank was aware or should have questioned the legitimacy of an international wire transfer [and] was aware or should have been aware of various schemes involving fraudulent funds transfers, particularly those involving parties located in Russia."
For small businesses with online account access, Krebs's article also offers a list of best practices for avoiding a mishap like this.