Hackers hit church's collection plate
DES MOINES, Iowa - At St. Ambrose Cathedral in Des Moines, Iowa, a mid-day offering holds special meaning.
"It's gone," Bishop Richard Pates tells CBS News chief investigative correspondent Armen Keteyian. "You kind of have to take a deep breath and you have to trust in the Lord."
What was gone - all gone - was the more than $680,000 the diocese had just raised to help the homeless and abused women.
It was swiped in a covert attack by hackers.
"Why would they do it in a particular time, where we had the greatest amount of funds available?" Pates asked.
The Iowa heist is part of latest wave of cyber-crime: account takeover fraud. In it, crime gangs, many located in Eastern Europe, target small towns, community banks and civic organizations which often lack high-tech defenses.
Earlier this month the town of Pittsford in upstate New York was taken for $139,000; In 2010, a public library in Delray Beach, Florida was hit for $160,000; and a New Jersey beach town lost $600,000.
The heist begins with a technique known as spear phishing. In it, hackers lure an organizations financial officer with an email - a note that appears to be from a friend or the IRS - enticing them to click on a link.
That click opens the door to a malicious software infection that allows vital information, like bank passwords to be captured.
Criminal groups can then wipe out the account - ultimately transferring the cash to their own accounts, in places like Russia or the Ukraine - leaving victims high and dry.
"You're seeing a lot of this type of crime get reported now," said Ron Plesco, head of the National Cyber Forensics & Training Alliance in Pittsburgh. Together with the FBI it tracks breaches in account security around the world.
"No doubt in my mind this is organized crime," Plesco said. "Some of the most notorious - Russians, Romanians and others."
The FBI currently has more than 420 active investigations into account takeover fraud -- opening 1 to 2 new cases a week. Cyber crime is now a big industry. FBI agent Keith Mularski showed us how stolen bank accounts and credit card numbers are now sold on up to 40 black-market sites. One in Bulgaria is complete with electronic shopping carts -- just like many internet shopping sites.
"We went to the site and just registered a user name and put in the password, and we got access to it," Mularski said. "It's as easy as that."
As for The Diocese of Des Moines, its prayers were answered when the $680,000 was eventually covered by insurance and its bank.
Pittsford, NY wasn't so fortunate. It's recovered less than $5,000, because while individuals have some protection under the law, groups like towns and churches find it far more difficult to collect.