Tag Archives: charged

MyPayrollHR arrest brings relief, but few answers

The FBI said Monday it arrested the head of MyPayrollHR and charged him with $70 million in bank fraud. The arrest is gratifying to some victims, who saw their paychecks vanish from their bank accounts just a few weeks ago. 

But the FBI’s arrest of Michael Mann, 49, doesn’t answer many of the questions hanging over this case, including where the still-missing funds have gone. Mann ran the parent company of MyPayrollHR, which suddenly shuttered Sept. 5.

The FBI complaint, filed in U.S. District Court in Albany, accuses Mann of creating businesses that were used in a scheme to obtain loans and lines of credit. It alleges the fraudulent activity may have dated as far back as 2010 or 2011 and may have totaled about $70 million. The complaint went on to say that Mann “wished to accept responsibility for his conduct and confess to a fraudulent scheme that he had been running for years.”

Mann also told the FBI that MyPayrollHR, which was founded in 2006, was legitimate. Indeed, customers had no inkling of the fraudulent behavior until the payroll money vanished. Funds were “reversed” or withdrawn from accounts used for direct payroll deposits.

“Now that Mann has been arrested, that will help shed a little light on things,” said Brad Mete, managing partner of two recruiting and staffing firms with 800 employees in Fort Lauderdale.

What happened to the money?

“But I still don’t know where the money is — especially the taxes we paid,” said Mete, a nearly three-year customer of MyPayrollHR.

Mete has more than $75,000 in withholding taxes from one pay period that disappeared with MyPayrollHR. But the government will still want its money, he said. He manages Affinity Resource, an employment agency, and IntellaPro LLC, a professional staffing firm. He doesn’t know whether the money has disappeared or is sitting frozen in a bank account.

Mete is trying to recoup the missing withholding taxes through a fraud complaint with the bank. He is investigating possible insurance coverage.

The National Automated Clearinghouse Association (NACHA), which develops rules and standards for the automated clearinghouse (ACH), an electronic funds transfer system, said its “ongoing investigation” of the incident “continues to show that fewer than 400 companies and approximately 8,000 employees experienced unauthorized payroll reversals.” This was in a written response to questions from SearchHRSoftware.com.

NACHA said that, as of Sept. 19, it estimates that “about 97% of people that had unauthorized reversals have had their funds restored.” The FBI put the total number of MyPayrollHR clients at about 1,000.

New regulations may be on the way

Mete questions NACHA’s claim that only 8,000 employees were affected. “There is no way it’s that little,” he said. Out of his two firms, 600 of his 800 employees were impacted by reversals, and he knows anecdotally from other firms that they had hundreds affected.

Mete suspects the industry will downplay the impact of the MyPayrollHR incident possibly to avoid new regulations. Regardless, new regulations may be on the way.

Last week, the New York State Senate announced a package of bills in response to MyPayrollHR. They include new criminal penalties for intentionally misappropriating payroll, tax credits for victims and restrictions on deductions from employee accounts.

NACHA defended the ACH system. It “has strong consumer protection measures in place. There are rules in place to prevent unauthorized withdrawals, and to allow consumers to be re-credited in the event that there are unauthorized withdrawals,” it said in an unsigned statement. 

“This is an unprecedented and isolated incident, and obviously, these rules were circumvented in this case,” NACHA said in its statement.

MyPayrollHR’s ACH provider was Cachet Financial Services in Pasadena, Calif. Cachet’s services include direct deposit for payroll processing firms. It provided the services to MyPayrollHR for about 12 years, it said in an earlier interview with SearchHRSoftware.com.

MyPayrollHR uploaded a file instructing Cachet to take money out of employer accounts. The money should have been put into a Cachet settlement account. But that didn’t happen. To fulfill the transaction, the ACH system took money out of Cachet’s holding account to pay employees. Cachet says it is out $26 million and is a victim of fraud.

Cachet initiated reversals to get its money back from employee accounts. Some accounts had two reversals, because the first reversal was not coded in accordance with NACHA standards. It then changed direction, and started a process urging banks to reject both its reversals.

Reversals were outside the rules

In its statement, NACHA said that “Cachet should not have sent any reversals in this incident. This is not permitted by the NACHA Rules, and is not in keeping with any industry standard or best practice.”

Lawsuits seeking class action status are now being filed against MyPayrollHR, and the ACH firms involved, including Cachet, which declined further comment.

The payroll problem is not completely resolved for Tanya Willis, executive director at Agape Animal Rescue in Nashville, but her organization may be in better shape than most.

Most of the seven shelter employees have been made whole by banks, which can take 45 to 60 days to fix the problem, according to Willis. One employee had a nearly $1 million deduction in a checking account. First Tennessee Bank, whose name appeared on the screenshot showing the negative $999,193.75 balance, declined to comment.

In an interview Monday, Willis said it appeared that the employee with the $1 million deduction had access to her accounts, but she wasn’t completely certain of the employee’s status.

Animal rescue is rescued by its supporters

The apparent fraud has cost Agape about $10,000 in withholding taxes for a calendar year quarter. But Agape appealed to the community for help.

“Our supporters and our donors stepped up and made us whole and we’re out saving dogs again,” Willis said. The shelter has been able to raise the money to pay their tax bill due Oct. 1, she said.

Willis worries about the for-profit businesses that can’t turn to donors to get help. “I know that there are still so many people in worse situations, and I’m thankful that we’ve been able to go to the community and raise the funds needed to get us back on track — but I want that for everybody,” she said.

Willis was contacted by the FBI, and she sent them every document she could think of to help the investigation.

Mann is cooperating with authorities

On Sept. 10, Mann met with the U.S. attorney in Albany, less than a week after MyPayrollHR closed.

Mann started cooperating with the FBI before the investigation began. It was about two-and-a-half weeks ago that his attorney, Michael Koenig at Hinckley, Allen & Snyder LLP, reached out to authorities.

In an email statement, Koenig said that he “pro-actively called the United States Attorney’s Office before any law enforcement or regulatory agency contacted Michael Mann.”

Mann “has been cooperating with authorities since that initial meeting, and will continue to do so, in order to fully and accurately detail what occurred,” Koenig said.

The five-page FBI complaint only hints at motive. The court filing said that Mann claimed “he committed the fraud in response to businesses and financial pressures, and that he used almost all of the fraudulently obtained funds to sustain certain businesses, and purchase and start new ones.”

Mann faces up to 30 years in prison and a $1 million fine, according to the Justice Dept.

But the court document does provide insight into what might have triggered the sudden problem at MyPayrollHR.

Mann told authorities that Pioneer Bancorp Inc. was his largest creditor. The decision to siphon off money “was precipitated by [Mann’s] decision to route MyPayroll’s clients’ payroll payment to an account at Pioneer instead of directly to Cachet. He did this in order to temporarily reduce the amount of money he owed to Pioneer. When Pioneer froze Mann’s accounts, it also (inadvertently) stopped movement of MyPayrollHR’s clients’ payroll payments to Cachet.”

In a U.S. Securities and Exchange Commission filing Sept. 11, Pioneer described the “potentially fraudulent activity” without naming MyPayrollHR.

Much remains unsettled

A closed Facebook group for victims of MyPayrollHR now has over 2,000 members.

A moderator of the group, Melanie O’Malley, owner of O’Malley’s Oven, an Albany, NY bakery, and a MyPayrollHR customer, said much remains unsettled.

“Some employees are still missing money, and employers are at a complete loss,” O’Malley said.

She described the general reaction to news of Mann’s arrest as relief.

“There are still so many questions that employers have,” O’Malley said. “I think seeing charges gives us hope that perhaps we’ll get some answers, and a sense of our chances of recompense.”

Trend Micro apps on Mac accused of stealing data

Researchers charged that multiple apps in the Mac App Store were stealing data and Apple removed the offending apps from the store, but now Trend Micro is refuting the claims against its apps.

At least eight apps — six Trend Micro apps and two published by a developer who goes by the name “Yongming Zhang” — were found to be gathering data, including web browsing history, App Store browsing history and a list of installed apps, from user systems. Reports about the apps potentially stealing data first appeared on the Malwarebytes forum in late 2017, but the issues were confirmed recently by at least three individuals: Patrick Wardle, CEO and founder of Digita Security, a security researcher based in Germany who goes by the Twitter handle @privacyis1st, and Thomas Reed, director of Mac and mobile at Malwarebytes Labs.

Wardle dug into claims by @privacyis1st that the number four ranked paid app, published by “Yongming Zhang” in the Mac App Store — Adware Doctor — was stealing data. At first Wardle saw the app was behaving normally until it came time to “clean” the user system, when he observed the app stealing browser history data and a list of installed apps.

“From a security and privacy point of view, one of the main benefits of installing applications from the official Mac App Store is that such applications are sandboxed. (The other benefit is that Apple supposedly vets all submitted applications – but as we’ve clearly shown here, they (sometimes?) do a miserable job),” Wardle wrote in a blog post. “When an application runs inside a sandbox it is constrained by what files or user information it can access. For example, a sandboxed application from the Mac App Store should not be able to access a user’s sensitive browser history. But Adware Doctor clearly found [a way].”

Trend Micro apps and company response

Adware Doctor and another app — Open Any Files: RAR Support — were developed by an unknown developer whose identity is based on the name of a notorious Chinese serial killer, Zhang Yongming, who was executed in 2013 after being convicted of killing 11 boys and young men. In addition to these apps stealing data, Reed noted in his analysis that at least two Trend Micro apps appeared to be acting improperly.

Reed said he “saw the same data being collected and also uploaded in a file named file.zip to the same URL used by Open Any Files” in the app Dr. Antivirus. Reed said Open Any Files and the Trend Micro apps were uploading the zip file to Trend Micro servers.

“Unfortunately, other apps by the same developer are also collecting this data. We observed the same data being collected by Dr. Cleaner, minus the list of installed applications,” Reed wrote in his analysis. “There is really no good reason for a ‘cleaning’ app to be collecting this kind of user data, even if the users were informed, which was not the case.”

Trend Micro admitted that its apps — Dr Cleaner, Dr Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder — were removed from the Mac App Store, but denied that the apps were “stealing” data and sending that data to Chinese servers.

The company said in its response that the Trend Micro apps were collecting and uploading “a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation,” but claimed this functionality was “for security purposes” and that the actions were permitted by users as part of the EULA agreed to on installation.

Trend Micro linked to a support page for Dr. Cleaner that showed browser history as one of the types of data collected with user permission, but Reed said on Twitter that he kept archived copies of the apps and he did not find any in-app notifications about data collection.

Despite denying any wrongdoing, Trend Micro said it was taking steps to “reassure” users that their data was safe.

“First, we have completed the removal of browser collection features across our consumer products in question. Second, we have permanently dumped all legacy logs, which were stored on US-based AWS servers. This includes the one-time 24 hour log of browser history held for three months and permitted by users upon install,” Trend Micro wrote. “Third, we believe we identified a core issue which is humbly the result of the use of common code libraries. We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion. This has been corrected.”

It is unclear why Open Any Files was uploading data to Trend Micro servers or if Trend Micro was the only company with access to the data uploaded by any of the Trend Micro apps.

Trend Micro did not respond to questions at the time of this post.

Apple’s responsibility in the Mac App Store

Despite being a central figure in the story of the Trend Micro apps being removed from the Mac App Store, the one company that has kept quiet has been Apple. Apple has not made a public statement and did not respond to requests for comment at the time of this post.

Apple claims, “The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it’s accepted by the store, and if there’s ever a problem with an app, Apple can quickly remove it from the store.” But, Wardle said “it’s questionable whether these statements actually hold true,” given the number of apps found to be stealing data and Wardle pointed out that the Mac App Store has known issues with fake reviews propping up bad apps.

Stefan Esser, CEO of Antid0te UG, a security audit firm based in Cologne, Germany, also criticized Apple’s response to the claims that apps in its store were stealing data.

“The fact that Apple was informed about this weeks ago and [chose] to ignore and that they finally reacted after bad press like two days before their announcement of new products for you to buy is for sure just coincidence,” Esser wrote on Twitter.

And Reed said it’s best to not trust certain apps in the Mac App Store.

Lazarus Group hacker charged in Wannacry, Sony attacks

The Department of Justice has officially charged one member of the North Korean Lazarus Group for his role in the Wannacry attacks, the Sony Pictures breach, theft on the SWIFT banking system and more.

Nathan Shields, special agent for the FBI, filed an affidavit of complaint against the Lazarus Group hacker, Park Jin Hyok, on June 8, 2018, but the charges were made public Sept. 6.

Park was charged with conspiring to commit “unauthorized access to computer and obtaining information, with intent to defraud, and causing damage, and extortion related to computer intrusion” and wire fraud.

“The evidence set forth herein was obtained from multiple sources, including from analyzing compromised victim systems, approximately 100 search warrants for approximately 1,000 email and social media accounts accessed internationally by the subjects of the investigation, dozens of orders issued … and approximately 85 formal requests for evidence to foreign countries and additional requests for evidence and information to foreign investigating agencies,” Shields wrote in the affidavit.

Shields wrote that the affidavit was “made in support of a criminal complaint against, and arrest warrant” for Park, but there is no indication the DoJ knows where Park is currently located. The last mention in the affidavit noted Park returned to North Korea in 2014 after spending three years working for North Korean company Chosun Expo in China.

Although Park was the lone Lazarus Group hacker named in the filing, the entire North Korean team was implicated in the 2014 Sony Pictures breach, the 2016 theft of $81 million from Bangladesh Bank via the SWIFT network, the 2017 Wannacry ransomware attack as well as “numerous other attacks or intrusions on the entertainment, financial services, defense, technology and virtual currency industries, as well as academia and electric utilities.”

“In 2016 and 2017, the conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea,” the U.S. Attorney’s Office for the Central District of California wrote in its press release. “The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.”

Confirmation of North Korean involvement

Park is the first Lazarus Group hacker named and officially charged by the U.S. government, but the Lazarus Group and North Korea have been connected to attacks before.

As far back as Dec. 2014, the FBI stated there was enough evidence to conclude that North Korea was behind the attack on Sony Pictures. And, in Dec. 2017 both the U.S. and U.K. governments blamed the Wannacry attacks on North Korea.

The affidavit detailed the use of the Brambul worm, which was malware attributed to the Lazarus Group in a US-CERT security alert issued by the FBI and Department of Homeland Security in May 2018.

However, while the confirmation of North Korean involvement was generally praised by experts, not all were happy that Park was the only Lazarus Group hacker to be named and charged.

Jake Williams, founder and CEO of Rendition Infosec, based in Atlanta, wrote on Twitter that it was a “human rights issue” to charge Park because the Lazarus Group hacker “likely had zero choice in his actions.”

Accused CIA leaker charged with stealing government property

The Department of Justice has formally charged the suspected CIA leaker with stealing government property and more in connection with the theft and transmission of national defense information.

The accused CIA leaker, Joshua Adam Schulte, has been in the custody of law enforcement since August 2017 when he was charged with possessing child pornography; the FBI reportedly thought it had enough evidence to charge him with stealing and leaking the Vault 7 files to WikiLeaks as early as January. Government prosecutors said in mid-May that there was a new indictment set to be filed and that superseding indictment was filed on Monday, June 18, by the U.S. Attorney’s Office for the Southern District of New York.

The new indictment lists 13 charges against Schulte, including charges of illegally gathering and transmitting national defense information, theft of government property, unauthorized access of a computer to obtain information from a government agency and obstruction of justice, in addition to three charges related to child pornography.

Manhattan U.S. Attorney Geoffrey S. Berman wrote in a public statement that the accused CIA leaker, Schulte, was a former employee of the CIA and “allegedly used his access at the agency to transmit classified material to an outside organization.”

“We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities,” Berman wrote. “Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”

The Vault 7 data provided to WikiLeaks by a CIA leaker included close to 9,000 documents, including hacking tools and zero-day exploits for iOS, Android, Windows and more. The CIA has never admitted that the Vault 7 data was its own and the indictment itself does not refer to the stolen data being from the CIA.

However, the press release from the DOJ did write: “On March 7, 2017, Organization-1 released on the Internet classified national defense material belonging to the CIA (the “Classified Information”). In 2016, SCHULTE, who was then employed by the CIA, stole the Classified Information from a computer network at the CIA and later transmitted it to Organization-1. SCHULTE also intentionally caused damage without authorization to a CIA computer system by granting himself unauthorized access to the system, deleting records of his activities, and denying others access to the system. SCHULTE subsequently made material false statements to FBI agents concerning his conduct at the CIA.”