Tiny Pacific Northwest Town Becomes Victim of Multiple Phishing, Ransomware Attacks

Aging systems in municipalities and governments can be some of the easiest targets for hackers — and untrained employees make it even easier.

by Ryan Blethen, The Seattle Times / February 26, 2018

(TNS) — That the email was sent by “Richard” was the first clue somebody was up to no good.

Yarrow Point, Wash., Mayor Richard “Dicker” Cahill usually goes by his nickname in messages. But that escaped the notice of the town’s financial coordinator when he wired $49,284 to an unidentified con artist as part of an email scam in August.

Cybercriminals weren’t finished with the affluent Eastside town of 1,000 residents that juts like a thumb into Lake Washington. In mid-October, Yarrow Point fell victim to a ransomware attack, which locked down some of the town’s computer systems, denied employees access to files and resulted in a nearly $10,000 bitcoin payment to attackers.

Yarrow Point isn’t alone. Municipalities and governments, which are usually loath to act until problems occur, are often easy targets with aging systems and employees who have little training around best practices for spotting cybercrime.

And the loss can be more than just money. Security experts say organized criminals also can find ways to access city records and potentially disrupt critical services, such as emergency communications and infrastructure.

It could have been worse for Yarrow Point. The town was sent phishing emails in June and July. Town Clerk and Treasurer Anastasiya Warhol saw them as illegitimate and brought the email to the attention of Cahill and the IT company the town contracted with at the time. Word went out to the town’s staff to beware.

With a budget of about $2 million, Yarrow Point will recover from the loss, city officials said, but it never should have happened.

“It is an unacceptable activity,” Cahill said. “(But) it is not by any means going to cripple the town.”

City hall has taken measures to protect itself against further incidents by no longer allowing wire transfers and switching, as well as updating equipment and systems like email.

National Problem

What happened to Yarrow Point is happening to towns and cities of all sizes across the country, say security experts.

“Typically those campaigns are very broad and will hit many, many local governments,” said Brian Calkin, vice president of operations for the Center for Internet Security.

The best city employees can do is make sure systems are up-to-date and people are vigilant and aware that these phishing attempts and cyberattacks could happen.

Yarrow Point’s loss wasn’t as large as two other such thefts that hit a Skagit Valley town six years ago and a public hospital in Chelan County five years ago.

Burlington, Wash., fell victim to cyberthievery in 2012 when nearly $400,000 was stolen from its account with Bank of America.

Ukrainian and Russian thieves managed to steal more than $1 million from the bank account of Leavenworth’s Cascade Medical Center in 2013.

Cities, towns and institutions like hospitals are targets because they are easy to hit, said Mike Hamilton, founder and president of Critical Informatics, a Seattle-based company that helps governments and institutions with cybersecurity.

Small towns with small staffs like Yarrow Point are tempting for criminals because they lack protections against cyberattacks.

“The public sector is low-hanging fruit,” Hamilton said.

Criminals are finding all sorts of ways to steal from towns and companies, including impersonating CEOs and mayors, as was the case in Yarrow Point. One of the more colorful scams cited by Hamilton happened in a Kansas town where thieves hacked into a town’s database and put themselves on the payroll.

Neither Hamilton nor Calkin believes the two incidents in Yarrow Point are related.

What worries Hamilton, who was Seattle’s chief information security officer, is that theft of money is only a glimpse of what criminals can do to a city. Records, city services, communication and infrastructure also are at risk.

“That is the real exposure,” he said. “This is really a canary in the coal mine, and local governments need to wake up.”

How it Happened

According to a police report on the incident, Yarrow Point’s woes began with an email sent to the town’s now-former fiscal coordinator, John Joplin, at 7:24 a.m. Aug. 16, asking:

"John, Are you at the office?

Thanks

Mayor Richard Cahill"

After a series of emails providing Joplin with the routing information for a Bank of America account in New York, and a recipient listed as Adebayo Mabel, Joplin transferred $14,624 by noon.

That’s despite two emails from Banner Bank — the bank used by Yarrow Point — saying “a forgot password attempt” occurred. Joplin apparently updated the password with Banner.

Banner also sent a security alert at 11:45 a.m. saying, “a wire transfer was created. If you suspect fraudulent activity, please contact our Customer Contact Center. …”

Joplin sent an email to the bogus address, saying, “Ok it is done…”

In the police report and in an interview with a reporter, Cahill said that the money was immediately withdrawn from the bank when the transfer was completed. Security video captured a possible suspect entering and leaving a Bank of America branch in New York, but no arrests have been reported by the FBI, the agency investigating the crime.

The scam artist wasn’t done. Joplin received another email from a person identifying himself as “Richard Cahill” at 9:07 a.m. Aug. 21.

"Good Morning , Are you in the Office today ?

Thanks

Mayor Richard Cahill"

The pretend mayor instructed Joplin to wire the same amount as five days earlier. Joplin noticed that the routing instructions, however, asked for $34,624. So Joplin replied, asked which amount was correct and ended up wiring the larger sum to a Sun Trust Bank in Miramar, Florida.

The phony recipient this time was a company called Ad Standards Inc., of Tampa, Florida. There is no such company in Tampa, but there is an Ad Standards Inc. from North Miami that was incorporated July 24, 2017. The company has no website or listed phone number.

The scam artist was getting greedy. A third email requesting a wire transfer for $64,624 was sent the next day, on Aug. 22. Like the transfer from the previous day, the money was to be sent to the same Sun Trust bank and the beneficiary was again Ad Standards Inc.

The third transfer request never happened.

Cahill discovered what had happened sometime between when Joplin sent the second wire and the following day, when Joplin copied him on an email discussing the validations of wire instructions.

Cahill told police that Joplin was authorized to make wire transfers “at the direction of the town.” Nonetheless, Joplin should have been suspicious of the wire requests and should have confirmed with Cahill and Warhol before proceeding with the transfers, Cahill said. The wire request should have seemed suspicious because, according to Cahill, Yarrow Point has never done a wire transfer.

Clyde Hill police reported the incident to the Seattle FBI office. Police didn’t get a chance to interview Joplin before handing the case to the FBI because he was in the hospital. Joplin declined to comment for this story.

Held for Ransom

Yarrow Point’s problems continued when, on Oct. 18, town employees couldn’t access certain files and some systems were locked.

Yarrow Point had been hit with ransomware, a type of software that can be used to block access to systems and files. The perpetrators of ransomware attacks will grant access once a ransom is paid. Yarrow Point ended up paying $9,170 worth of bitcoin to regain control.

The town immediately brought in a Bothell IT company, a Pennsylvania law firm that specializes in data privacy and information security, and a Chicago-based outfit that works with governments dealing with technological issues.

A forensic investigation by the firms couldn’t determine whether any information was taken. The impacted files had personal information, including Social Security numbers of current and past Yarrow Point employees, but no personal information of town residents.

Residents were made aware of the attack when town officials posted a notice to its website on Oct. 26. Warhol, Yarrow Point’s clerk and treasurer, said the notice was posted once they had a handle on what had happened.

The notice said the town was the victim of a “cyber incident that made certain files and systems inaccessible,” and that the town immediately began investigating and working with a forensic investigator and the Clyde Hill Police Department.

An updated notice appeared Dec. 4 citing the incident as a ransomware attack and assuring residents that “while we have no evidence that any systems or files with personal information were accessed or captured during this incident, we cannot rule it out for a certain period of time.”

The town on Nov. 30 mailed notices about what happened to about 30 former Yarrow Point employees, contractors and interns; the city currently employs three people full-time. The notices didn’t reference the ransom paid. Nor was the ransom reflected in Town Council minutes from the meetings where officials discussed the incident.

The loss of $49,248 from the email scam — the bitcoin payment was covered by insurance — likely won’t blow up the budget of a city with a median household income of $203,393, putting it well above the state median of $61,062.

Insurance didn’t cover the funds lost to the email scam because a town contractor, Joplin, executed the action.

Meanwhile, Yarrow Point spent $46,972.21 for the services of the three companies that helped with the ransomware attack.

Hunting for Easy Prey

Hamilton said scammers will do their homework about a town’s front office, going so far as to read emails from a mayor and imitating writing style.

What is a town, especially a small, spartanly staffed one, supposed to do? Relying on a firewall and passwords is no longer enough, said Hamilton, who is not working with Yarrow Point. Networks need to be monitored, which for a small government means outsourcing the work to capable contractors who ensure scammers move along to the next link in the chain.

“You don’t have to run faster than the bear. You have to run faster than the guy next to you,” Hamilton said.

Despite the security breakdown, Cahill insists that Yarrow Point is equipped to deal with email scams, if protocols are followed. Joplin is no longer a contract worker for the town — he worked there for 12 years before he became a contract employee in January 2017 — and the small administrative office has received a refresher on best practices. Cahill attended a security workshop put on by the insurance company AIG and the Washington Cities Insurance Authority.

The importance of being vigilant became clear last summer: Emails similar to those that tricked Joplin had been sent to Warhol, the clerk and treasurer, in June and July. On July 12, Warhol sent an email to Cahill and Arne Haslund, who at the time contracted with the city for IT work, asking if Cahill had sent the transfer request.

“Dicker- did you send this?

Arne- seems suspicious, is this something I should worry about? When I hit reply, the reply-to address was Richard Cahill”

Cahill said the matter was discussed with most of the town staff. Missing from the talk about the attempted scam was Joplin.

“I can’t say 100 percent that he was informed to be on the lookout,” Cahill said.

©2018 The Seattle Times Distributed by Tribune Content Agency, LLC.