Date: October 9, 2010
Source: Computer World
Abstract: Criminals who use the Zeus banking crimeware may be working on a new angle - corporate espionage.
That's what worries Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who has been closely monitoring the various criminal groups that use Zeus. Zeus typically steals online banking credentials and then uses that information to move money out of Internet accounts. In the past year, however, Warner has seen some Zeus hackers also try to figure out what companies their victims work for.
In some cases, the criminals will pop up a fake online bank login screen that asks the victim for a phone number and the name of his employer. In online forums, he's seen hackers speculate about how they might be able to sell access to computers associated with certain companies or government agencies.
"They want to know where you work," he said. "Your computer may be worth exploring more deeply because it may provide a gateway to the organization."
That's worrisome because Zeus could be a very powerful tool for stealing corporate secrets. It lets the criminals remotely control their victims' computers, scanning files and logging passwords and keystrokes. With Zeus, hackers can even tunnel through their victim's computer to break into corporate systems.
There are other reasons why Zeus's creators might want to know where you work, however. They could simply be trying to figure out whose data is the most valuable, said Paul Ferguson, a security researcher with Trend Micro. "A welding business might make more money, than say, a Girl Scout troop," he said via instant message.
Still, Ferguson believes that the crooks could make money by selling access to computers belonging to employees of certain companies. "I haven't personally seen that, but these guys are pretty devious."
This type of targeted corporate espionage has become a big problem in recent years, and many companies, including Google and Intel, have been hit with this type of attack.
Police arrested more than 100 alleged members of a Zeus gang last week, but that doesn't put an end to the problem. Zeus is widely sold for criminal use, and security experts say that there are dozens of other Zeus gangs out there. The group responsible for last year's Kneber worm outbreak is thought to be the largest Zeus outfit still in operation.
If Zeus operators really do start promoting their crimeware as corporate back-doors -- and Warner believes this is already happening -- that could mean new problems for corporate IT.
The biggest issue would be for home computers and laptops that are outside of corporate firewalls that still have access to company data via the Internet. Those systems could suddenly become a risk for IT staffers, Warner said.
Inside the firewall, a computer that suddenly starts sending data to Russia should be noticed right away. That might not be the case on a home network. "If you are an employee of a place that gives you access to sensitive data, your company needs to care if you have a malware infection at home," Warner said. The problem could be solved by either not letting people work from their home PCs or by providing workers with computers that can only be used for work, Warner said (Computer World, 2010).
Zeus Is Not The Only Threat To Online Banking
Date: October 13, 2010
Source: Computer World
Abstract: Online bank account users should not ignore the threat posed by obscure data-theft Trojans such as ‘Bugat’, ‘SpyEye’, and ‘Carberp’, security company Trusteer has warned.
One example is Bugat, on the face of it not the most frightening bank Trojan in circulation. Its incidence is low, and its incursions seem for the time being to be focussed on banks in the US rather than Europe.
However, according to Trusteer, there are signs that Bugat could now be favoured over the better-known Zeus, starting with a campaign from last week in which LinkedIn users were spammed as a method of spreading a new version further afield.
A similar attack was pioneered only days before that by Zeus, so such targeted Trojans could start to merge into one generalised threat distributing hard-to-block malware using identical channels.
“We are in an arms race with criminals. Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye which are just as deadly and quietly expanding their footprint across the internet,” commented Trusteer CEO, Mickey Boodaei.
The threat is that new versions of these Trojans keep appearing, which makes detection trickier. The inherently stealthy nature of such malware means that it can appear to be relatively inactive while doing great damage, as was the case with Zeus. Trusteer’s view is that bank Trojans need to be countered in the browser with tools such as its own Rapport plug-in rather than using conventional antivirus software. Other companies seem keen to jump on this approach with their own plug-ins and tools (Computer World, 2010).
Botnet Gang Targets Accounts Of Large US Broker
Date: October 18, 2010
Source: Computer World
Abstract: Criminals are using a Zeus botnet to pillage investment accounts at US broker Charles Schwab, a security researcher has said.
The attacks show that while authorities were arresting more than 100 members of one Zeus gang, rivals were adding lucrative investment accounts to their usual targets of online banks.
"They're expanding their horizons," said Derek Manky, project manager for cybersecurity and threat research at Fortinet. "We've seen some discussion of investment accounts [being targeted] by Zeus, but I've never seen proof that they actually are."
The Zeus infections stem from messages posing as LinkedIn reminders that include disguised links to malicious sites. Those sites then hit the Windows PC with numerous drive-by exploits, looking for one that works. Among the exploited vulnerabilities: the Windows Help & Support Center bug disclosed in June by a Google security engineer and patched by Microsoft in July.
Fortinet's analysis of the malware's configuration file uncovered evidence that the attacks pilfer money from Charles Schwab investment accounts, said Manky.
After sneaking onto a PC via an exploit, the Zeus bot watches for, then silently captures log-in credentials for a large number of online banks, as well as usernames and passwords for Schwab accounts.
The attack code also injects a bogus form that asks victims to provide additional information the thieves can later use to confirm that they are the legitimate owner of the Schwab investment account. On that form are fields asking for the user's mother's maiden name, driver license number and employer.
Manky speculated that the criminals based the original infection on fake LinkedIn messages because they expected a high correlation between LinkedIn membership and investment account ownership.
The Zeus attacks began in late September and peaked in early October, said Manky, who warned that because criminals commonly conduct campaigns in waves, more are likely. The botnet's command-and-control domains are still functioning, still receiving stolen information from infected PCs and still transmitting new orders to the botnet.
"They're injecting code silently into the live session while you're at the [legitimate] Schwab site," said Manky of the fake form. It would be impossible for a user to know that the form was bogus. "As far as you're concerned, you're still in a valid secure session, since they're piggybacking this malicious content."
Manky said the attackers use the injected form to acquire additional authentication information so that they can parry confirmation queries after they conduct online transactions using the stolen usernames and passwords.
Like most Zeus botnet gangs, this one siphons cash, then uses "money mules" to transfer funds to the brains behind the organization, Manky said. With access to investment accounts, the crooks can not only vacuum up cash, but also sell securities to restock the cash account for further withdrawals.
Although police in the US, the UK and Ukraine collared more than 100 members of a Zeus crimeware gang three weeks ago, experts warned that the arrests wouldn't stop the botnet. Other gangs can simply step into the void. Manky agreed. "Zeus is widely supported, has such a large pool of developers now, that the cat and mouse game will just continue," he said (Computer World, 2010).
Scottish Botnet Mastermind Pleads Guilty
Date: October 26, 2010
Source: Computer World
Abstract: The Scottish member of the infamous ‘mAnderson00p’ botnet gang has pleaded guilty to charges of distributing computer Trojans as part of a 2006 spam campaign.
Thirty-three year old Matthew Anderson, who adopted a variety of online names including ‘warpigs’ and ‘aobuluz’, used the cover of an apparently legitimate security business to plan campaigns that installed the ‘Ryknos’ Trojan (aka Breplibot/Stinkx).
These allowed the operation to set up spam botnets and open back doors for data theft. He is believed to have been able to spy on victims using a webcam, and to have stolen private documents such as CVs, wills, password lists and personal photographs.
“This organised online criminal network infected huge numbers of computers around the world, especially targeting UK businesses and individuals,” said DC Bob Burls of the Police Central e-Crime Unit.
“Matthew Anderson methodically exploited computer users not only for his own financial gain but also violating their privacy. They used sophisticated computer code to commit their crimes.”
Anderson was aided by two accomplices from England and Finland arrested with him in June 2006, one later released without charge and the other given an 18-day community service order. Sentencing is set for 22 November and is unlikely to be as lenient given that Anderson is now seen as the key member. At the time of the arrests in 2006, the bust was seen as a landmark in disrupting what was then still a relatively novel crime of creating criminal botnets. With the benefit of hindsight, this was merely an early warning of what has grown pretty much unchecked into a huge area of malware growth, that of hijacking ordinary PCs as spam relays. Botnets are now big business and form the core of e-crime (Computer World, 2010).
Zeus Trojan Targets Online Money Services
Date: January 21, 2011
Source: Computer World
Abstract: After a hit-and-run campaign against consumer online bank accounts in 2010, the Zeus Trojan now appears to be aggressively targeting a clutch of second-tier money exchange and payment services.
According to Israeli company Trusteer, which specialises in tracking the activities of Zeus and its variants, there are now at least 26 different configurations to attack one company alone, Money Bookers.
Each configuration represents a separate set of slightly different instructions on how to attack the sites associated with a brand, with the number detected being in this example similar in scale to the number of configurations that would be created to attack much
One thing that becomes clear is that along with the other services attacked – Web Money, Nochex and netSpend – this Zeus campaign is going after second-tier companies. Perhaps fearing attention, the criminals appear to be steering clear of large consumer payment services such as PayPal.
“As far as we know PayPal has very strong fraud detection and prevention capabilities similar to any large bank. While this is not an insurance against attacks, fraudsters are probably less likely to get money out of such websites,” commented Trusteer’s Amit Klein.
Ironically, the criminals have also gone after a service called e-gold, which several years ago was itself accused of being a conduit for money laundering. Configurations used against the site are sophisticated enough to try and trick the login screen into sending out an alternate password to access targeted accounts.
“We believe this trend of targeting online payment providers will continue as more retailers allow these alternate payment methods with their websites,” said Trusteer. What Trusteer hasn't been able to document is whether the attacks it has detected have been successful. If the pattern of attacks through 2009 and 2010 on consumers is any guide, knowledge of that dimension tends to come later as victims emerge (Computer World, 2012).
Police Charge Alleged SpyEye Trojan Gang
Date: April 11, 2011
Source: Computer World
Abstract: UK police arrested three men late last week in connection with using the SpyEye malware program to steal online banking details.
Two of the men were charged on Friday and appeared in Westminster Magistrates Court in London. Pavel Cyganoc, a 26-year-old Lithuanian living in Birmingham, was charged with conspiracy to cause unauthorised modifications to computers, conspiracy to defraud and concealing proceeds from crime. Aldis Krummins, 45, a Latvian living in Goole, was charged with conspiracy to defraud and concealing proceeds of crime.
A third man, a 26-year-old whose nationality was not revealed, was released on police bail but must return for further questioning in August, police said.
Police said the three were arrested by the Police Central e-Crime Unit "in connection with an international investigation into a group suspected of utilising malware to infect personal computers and retrieve private banking details."
The investigation began in January and revolved around the group's use of a uniquely modified variation of the SpyEye malware, which harvests personal banking details and sends the credentials to a remote server controlled by hackers, police said. As part of their investigation, police also seized computer equipment and data.
UK police have frequently teamed up with other agencies such as the US Federal Bureau of Investigation and police forces in other European countries to execute raids and arrest cybercrime suspects, but police wouldn't say if arrests were made in other countries as part of this operation.
Security analysts have kept watch on the SpyEye malware for some time. Some say it shares code with Zeus, widely considered the reference in banking malware. Zeus is designed to evade security software, grab online banking credentials and execute transactions as people log into their accounts. Police have notched some successes against cybercrime organizations using Zeus. Last year, law enforcement agencies in the US and UK arrested dozens of "money mules," or people who were using their own personal accounts to receive stolen funds and transfer the money to other criminal accounts for a slice of the proceeds (Computer World, 2012).
Banking Warning: SpyEye Trojan Can Evade Security Systems To Steal Cash
Date: July 26, 2011
Source: Computer World
Abstract: Banks are facing more trouble from SpyEye, a piece of malicious Trojan software that steals money from customers' online banking accounts, according to new research from security vendor Trusteer.
SpyEye is a particularly nasty piece of malicious software: it can harvest credentials for online accounts and also initiate transactions as a person is logged into their account, literally making it possible to watch their bank balance drop by the second.
In its latest versions, SpyEye has been modified with new code designed to evade advanced systems banks have put in place to try and block fraudulent transactions, said Mickey Boodaei, Trusteer's chief executive.
Banks are now analysing how a person uses their site, looking at parameters such as how many pages a person looks at on the site, the amount of time a person spends on a page and the time it takes a person to execute a transaction. Other indicators include IP address, such as if a person who normally logs in from the Miami area suddenly logs in from St. Petersburg, Russia.
SpyEye works fast, and can automatically initiate a transaction much faster than an average person working manually on the website. That's a key trigger for banks to block a transaction. So SpyEye's authors are now trying to mimic -- albeit in an automated way -- how a real person would navigate a website.
"They used to pay less attention to the way they execute transactions on the bank's website and now they are really trying to show normal user patterns," Boodaei said.
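To make the behavioural checks described above concrete, here is an added example (not code from Trusteer, Gartner or any bank) of a session scorer that uses the indicators the article names: pages viewed, dwell time, time from login to transaction, and login geography. The profile fields, thresholds and sample sessions are assumptions constructed for this illustration; the "mimicking" session shows why these signals alone are not enough once malware paces itself like a person.

```python
"""Behavioural session scoring of the kind banks use to block automated fraud.

Added illustration only. SessionProfile, Session, the thresholds and the
sample sessions below are all assumptions constructed for this example.
"""
from typing import List, Tuple
from dataclasses import dataclass


@dataclass
class SessionProfile:
    """Per-customer baseline, assumed to be learned from earlier sessions."""
    usual_country: str                  # country of the customer's usual login IP
    median_pages_before_transfer: float
    median_seconds_to_transfer: float


@dataclass
class Session:
    """One observed online-banking session."""
    country: str                        # country geolocated from the login IP
    page_dwell_seconds: List[float]     # seconds spent on each page, in order
    seconds_to_transfer: float          # login to transfer submission
    transfer_submitted: bool


def score_session(profile: SessionProfile, session: Session,
                  fast_factor: float = 0.2, min_pages: int = 2) -> Tuple[int, List[str]]:
    """Return (number of indicators fired, reasons). Only transfers are scored."""
    reasons: List[str] = []
    if not session.transfer_submitted:
        return 0, reasons

    # Indicator 1: too few pages viewed before the money moved.
    pages = len(session.page_dwell_seconds)
    if pages < max(min_pages, profile.median_pages_before_transfer * 0.5):
        reasons.append(f"only {pages} page(s) viewed before transfer")

    # Indicator 2: transfer submitted far faster than this customer's baseline.
    if session.seconds_to_transfer < profile.median_seconds_to_transfer * fast_factor:
        reasons.append("transfer submitted far faster than customer baseline")

    # Indicator 3: no page held for even a second, i.e. machine-speed navigation.
    if session.page_dwell_seconds and max(session.page_dwell_seconds) < 1.0:
        reasons.append("no page held for a full second (machine-speed navigation)")

    # Indicator 4: login geography differs from the baseline (Miami vs St. Petersburg).
    if session.country != profile.usual_country:
        reasons.append(f"login from {session.country}, baseline {profile.usual_country}")

    return len(reasons), reasons


# Constructed sample data: a US customer who normally browses six pages over
# about four minutes before submitting a transfer.
BASELINE = SessionProfile("US", median_pages_before_transfer=6,
                          median_seconds_to_transfer=240)

# A transfer fired by malware riding the victim's own logged-in session: the IP
# and country look normal, but the pacing is machine-speed.
AUTOMATED = Session("US", [0.3], 2.5, True)

# The same malware now pacing itself like a person: none of these checks fire.
MIMICKING = Session("US", [12, 20, 15, 30, 8], 200, True)

# An ordinary human session and a normally paced login from an unexpected country.
HUMAN = Session("US", [10, 25, 40, 15, 30, 20, 60], 260, True)
TRAVEL = Session("RU", [10, 20, 30, 15, 25, 20], 230, True)


if __name__ == "__main__":
    for name, s in [("automated", AUTOMATED), ("mimicking", MIMICKING),
                    ("human", HUMAN), ("travel", TRAVEL)]:
        print(name, score_session(BASELINE, s))
```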
Boodaei said he has little idea of how successful SpyEye's new evasion code is, although Trusteer does collect intelligence from banks that have distributed its browser security tool, Rapport, to their customers. Trusteer has also noticed that SpyEye in recent months has expanded the number of financial institutions it is able to target in an increasing number of countries.
New target countries include Russia, Saudi Arabia, Bahrain, Oman, Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru. What that means is that more criminal groups around the world are purchasing the SpyEye toolkit, Boodaei said.
Financial institutions continue to increase their security spending to protect online transactions, said Avivah Litan, an analyst at Gartner who regularly consults banks on security issues.
Even to her, financial institutions are coy about revealing how hard they've been hit, but "everyone refers to Zeus or SpyEye -- some as common as the word 'teller'," Litan said.
Police have had some limited successes. In April, a 26-year-old Lithuanian and a 45-year-old Latvian were charged with conspiracy to cause unauthorized modifications to computers, conspiracy to defraud and concealing proceeds from crime for allegedly using SpyEye. A third, 26-year-old man whose nationality was not revealed was bailed pending further questioning.
SpyEye is actually a botnet with a network of command-and-control servers hosted around the world. As of Tuesday, some 46 command-and-control servers were online, according to the SpyEye Tracker, a website dedicated to gathering statistics about the malicious software.
That is sharply up. In May, there were just 20 or so active servers responding to computers that were infected with SpyEye, said Roman Hüssy, who runs the site. "SpyEye is growing quite well," he said (Computer World, 2011).
Card 'Blackhat' Gets Prison For PIN Terminal Fraud
Date: October 17, 2011
Source: Computer World
Abstract: One of Europe’s elite ‘blackhat’ card fraud engineers has been sentenced to three years in prison at London’s Old Bailey for helping European gangs steal money using tampered chip and PIN terminals.
Twenty-six-year-old German national Thomas Beeckman was a talented electronics engineer who became a mastermind on how to subvert the technology used in European PIN entry devices, the small machines that customers use to pay using plastic credit or debit cards in shops.
The modified terminals were then re-exported back to the countries from which they had been stolen and introduced back into the chip and PIN system, allowing financial theft on an unspecified scale.
The advance Beeckman’s electronics skill offered the gangs was that the terminals appeared genuine, delaying the point at which fraud would be traced to the physical PIN device itself.
The criminal networks also cloned cards which had been compromised, exporting them to countries such as the US, which has no PIN security at the point of sale.
“By putting this individual behind bars the Dedicated Cheque and Plastic Crime Unit has prevented them from defrauding the banking industry and its customers of significant sums of money,” said detective sergeant Richard Maynard of Scotland Yard’s Dedicated Cheque and Plastic Crime Unit (DCPCU).
“There can be no doubt that the work of our specialist unit over the past few years has played a key part in driving card fraud down, and we continue to provide a clear warning to the organised gangs and those who work with them that we will track them down," he said.
How much Beeckman was paid in return for his Blackhat skills is unknown but he was reportedly able to support a wife and family in Thailand from the proceeds.
The German was eventually caught in June after a tip-off as he entered The Netherlands by bus from the UK. Modified terminals were found in his possession which police believe were to be planted in shops in Belgium and The Netherlands (Computer World, 2011).
SpyEye Banking Malware Continues To Plague Computers
Date: October 17, 2011
Source: Computer World
Abstract: SpyEye banking malware continues to plague computers across the world and is proving to be a difficult cybercrime to detect and remove from infected Windows PCs, according to two researchers from EMC's RSA security division.
Uri Rivner, who is head of new technologies for consumer identity protection, and Jason Rader, chief security strategist, both donned white lab coats for their session at the RSA security conference in London last week for a technical tear-down and review of SpyEye.
The two researchers also changed their titles: Rivner became part of the dangerous malware department at RSA General Hospital and Rader the head of research for the malware epidemic division of the US CDC (Centers for Disease Control and Prevention).
SpyEye has been around for more than a year and is the successor to the Zeus banking malware. SpyEye emerged after the author of Zeus, who went by the screen name "Slavik," stopped developing it. But another person by the name "Harderman" took over the project, Rivner said.
SpyEye is a kit that is sold to other online criminals. It's easy to use, and people don't need a high level of technical skills to conduct an attack.
A potential cybercriminal who buys the kit can use the nice graphical interface to set up so-called "drop zones," or servers to receive stolen online banking credentials. SpyEye also has configuration files customised for attacking most online banking websites. For example, it can inject extra fields over a bank's website, asking for information other than a login and password, such as the victim's credit card number and PIN.
Those fields appear to be a seamless part of the legitimate website but actually are fake, exporting the entered data to the server in the cybercriminal's drop zone.
People are unlikely to notice they've been infected with SpyEye, Rivner said. "Getting infected is very, very easy," he said.
SpyEye uses a variety of tricks to stay hidden, Rader said. It will inject itself in DLLs, or dynamic link libraries - code libraries used by applications - that are legitimate. SpyEye can also delete its own installation files. "It stays persistent," Rader said.
On October 12, Microsoft said it was updating its Malicious Software Removal Tool to detect malware in the SpyEye family.
The move is undoubtedly good for users, but the MSRT might have a hard time: Rader said full-featured antivirus security suites often miss new variants of SpyEye, taking an average of 45 days to add detection for fresh variants. The MSRT also can only detect malware if it is actually running on the machine and also cannot prevent a Windows computer from being infected by SpyEye, which some antivirus suites may be able to stop (Computer World, 2012).
Zeus Trojan Masterminds Found Guilty Of £3 Million Online Fraud
Date: November 3, 2011
Source: Computer World
Abstract: The last two people found guilty of being part of the gang behind the UK’s biggest ever cybercrime phishing spree have each been sentenced to nearly five years in jail.
Ukrainians Yuriy Konovalenko, 29, and Yevhen Kulibaba, 33, were the ringleaders of the largely UK-based gang that police believe managed to steal at least £4.3 million ($6.9 million) between September 2009 and March 2010 by deploying the Zeus Trojan to raid online bank accounts in several countries.
The full scale of their crimes might never be known, with some estimates putting the sums stolen from the gang’s activities above £20 million, which would make it one of the largest cybercrime heists ever to reach court anywhere in the world. Police have connected the pair directly to almost £3 million of the uncovered thefts.
There has been a slow drip of sentences handed out to the gang members in what turned out to be a hugely complex investigation, ‘Operation Lath’, which saw 13 people charged with a variety of offences connected to the gang’s activities.
Last month, Kulibaba’s wife, Latvian national Karina Kostromina, was sentenced to two years in prison for carrying out money laundering for the gang.
“These defendants were part of an organised network of computer criminals operating a state-of-the art international online banking fraud, through which they stole many millions of pounds from individuals and businesses in the UK and United States,” said detective inspector Colin Wetherill of the Metropolitan Police’s Police Central E-Crime Unit (PCeU).
“The investigation involved unprecedented levels of cooperation between the Metropolitan Police, the UK banks, the FBI and other UK and international law enforcement agencies,” he said. The huge success of the gang’s attacks on online bank accounts probably had something to do with timing. The malware family used, Zeus (also known as SpyEye) was not easily detected by some security systems and the banks concerned clearly underestimated the speed with which it could compromise the accounts of users (Computer World, 2011).
Bank Of Scotland Says ‘Majority’ Of Online Banking Problems Now Fixed
Date: November 9, 2011
Source: Computer World
Abstract: The Bank of Scotland has announced that most of the problems that customers have been experiencing with their online bank accounts have now been resolved.
The problems arose following a systems migration carried out by parent company Lloyds Banking Group more than two months ago. RBS and HSBC online banking services also had outages recently due to a systems upgrade and a mainframe outage, respectively.
It is estimated, however, that there remains around 360 customers, of the three million who use BoS’s internet banking service, who are still having post-migration issues.
“The majority of the issues that related to the impacted customers have now been resolved.
“We are now working primarily on individual customer issues, many of which are unique to those customers,” a spokesperson for the bank said.
The bank was forced to admit to the problems existing last month, after it continued to receive complaints from customers via Computerworld UK. It initially said that “faults logged due to the systems changes have been rectified”.
The fact that the issues have not been entirely resolved by today, however, means that the bank is exceeding the deadline it gave to some customers for when they could expect their online banking service to return to normal.
One customer had been told in an email that the problems she was experiencing would not be fixed until 7 November, for example.
The Bank of Scotland said that any customers still experiencing problems should contact the internet banking helpdesk on 0845 602 000, or on +44 113 279 8302 from outside the UK. It can also be contacted via textphone on 0845 732 3436. “We continue to welcome customer feedback on issues as it is important to us that we resolve them,” the bank said (Computer World, 2011).
SpyEye Malware Borrows Zeus Trick To Mask Bank Fraud
Date: January 5, 2012
Source: Computer World
Abstract: A powerful bank-fraud software program, SpyEye, has been seen with a feature designed to keep victims in the dark long after fraud has taken place, according to security vendor Trusteer.
SpyEye is notable for its ability to inject new fields into a Web page, a technique called HTML injection, which can ask banking customers for sensitive information they normally would not be asked. The requested data can include logins and passwords or a debit card number. It can also use HTML injection to hide fraudulent transfers of money out of an account by displaying an inaccurate bank balance.
Trusteer noticed that SpyEye also hides fraudulent transactions even after a person has logged out and logged back into their account. The latest feature is designed with the same goal of keeping users unaware of fraud. The next time users log into their bank accounts, SpyEye will check its records to see what fraudulent transactions were made with the account, then simply delete them from the Web page, said Amit Klein, Trusteer's CEO. The account balance is also altered.
It appears that SpyEye has borrowed more from Zeus, a famous piece of banking malware that is now commonly available and considered the parent of SpyEye. The two pieces of malware were competitors, but in 2010 merged. Zeus also has the capability to hide its fraudulent transactions from victims.
"Zeus uses the stored balance details to inject into the same page at a later time to persistently hide the fact that money was fraudulently transferred from the user's account," according to a September 2011 report by Ryan Sherstobitoff, an independent security researcher, in the Information Systems Security Association Journal. Trusteer has seen the technique used when a fraudster uses SpyEye to capture a person's debit card details. When those details are obtained, the fraudster conducts a purchase over the Web or phone, and SpyEye masks the transaction, Klein said. It does not affect, however, the bank's ability to see the fraud, he said (Computer World, 2012).
FBI Warns Of New Zeus Malware Variant, Gameover
Date: January 9, 2012
Source: Computer World
Abstract: So long as people click on unsolicited attachments in email, scammers will invent new ways to take their money, identities and more.
The FBI today issued a warning on one such new Internet blight called "Gameover," which, once ensconced on your PC, can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions.
The FBI said it has seen an increase in the use of Gameover, which is an email phishing scheme that invokes the names of prominent government financial institutions, including the National Automated Clearing House Association (NACHA), the Federal Reserve Bank or the Federal Deposit Insurance Corporation (FDIC).
The FBI says Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targeted banking information.
Here's how the FBI describes the scam: "Typically, you receive an unsolicited email from NACHA, the Federal Reserve or the FDIC telling you that there's a problem with your bank account or a recent ACH transaction. ACH stands for Automated Clearing House, a network for a wide variety of financial transactions in the
"The sender has included a link in the email for you that will supposedly help you resolve whatever the issue is. Unfortunately, the link goes to a phony website, and once you're there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information.
"After the perpetrators access your account, they conduct what's called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution's server with traffic in an effort to deny legitimate users access to the site, probably in an attempt to deflect attention from what the bad guys are doing."
The FBI went on to say some of the funds stolen from bank accounts go towards the purchase of precious stones and expensive watches from high end jewellery shops. "The criminals contact these jewellery stores, tell them what they'd like to buy, and promise they will wire the money the next day. So the next day, a person involved in the money laundering aspect of the crime, called a 'money mule', comes into the store to pick up the merchandise. After verifying that the money is in the store's account, the jewellery is turned over to the mule, who then gives the items to the organisers of the scheme or converts them for cash and uses money transfer services to launder the funds" (Computer World, 2012).
Arrest Computer Programmer For Stealing US Treasury Code
Date: January 23, 2012
Source: Computer World
Abstract: The FBI said it arrested a computer programmer in New York this week and charged him with stealing proprietary software code from the Federal Reserve Bank of New York. The software known as the Government-Wide Accounting and Reporting Program (GWA) handles all manner of US government financial transactions.
Stealing the code for his own business
"As alleged in the complaint, between May 2011 and August 11, 2011, Bo Zhang was a contract employee assigned to the Federal Reserve Board of New York (FRBNY) to work on further developing a specific portion of the GWA's source code which the United States has spent approximately £6.1 million ($9.5 million) to develop. In the summer of 2011, Zhang allegedly stole the GWA Code," said the FBI in a statement.
"According to the complaint, Zhang admitted that in July 2011, while working at the FRBNY, he checked out and copied the GWA Code onto his hard drive at the FRBNY; he subsequently copied the GWA Code onto a bank-owned external hard drive; and he connected that external hard-drive to his private office computer, his home computer, and his laptop. Zhang stated that he used the GWA Code in connection with a private business he ran training individuals in computer programming."
"Zhang took advantage of the access that came with his trusted position to steal highly sensitive proprietary software. His intentions with regard to that software are immaterial. Stealing it and copying it threatened the security of vitally important source code," said FBI Assistant Director in Charge Janice Fedarcyk in a statement.
Previously worked for Goldman Sachs
Now free on bond but due back in court in February, Zhang, 32, of Queens, New York, faces a maximum term of 10 years in prison and a £160,000 ($250,000) fine if guilty.
While the FBI didn't identify which company Zhang currently worked for, Bloomberg.com reported that he had in the past worked at Goldman Sachs Group Inc. (GS) and Bank of America Corp. Bloomberg.com also said Matt Anderson, a Treasury spokesman, said the department has worked to strengthen security procedures for Federal Reserve contractors working on Financial Management Service projects. "There was no compromise of any transaction data, personal identifying information or federal funds," Anderson said (Computer World, 2012).
Arrests Financial Software Copyright Fugitive On His Return To The US
Date: February 3, 2012
Source: Computer World
Abstract: The FBI today said it arrested a man on charges of illegally reproducing and distributing more than 100 copyrighted commercial software programs who had fled the country after being indicted last year.
Naveed Sheikh, 31, formerly of Baltimore, was arrested at Dulles Airport as he was trying to get back into the US. According to the FBI, a year ago Sheikh knew he was under investigation and fled to Pakistan shortly before being indicted on 13 January,
According to the FBI, from February 2004 to April 2008, Sheikh reproduced and distributed more than 100 copyrighted commercial software programs for which he allegedly received over £167,000 ($265,000). The copyrighted works are said to be worth millions of pounds.
Sheikh allegedly advertised through his Internet website and sold infringing copyrighted commercial software at prices well below the suggested retail prices of legitimate, authorized copies of the software. Some of the copyrighted works included Microsoft Money 2006 Small Business, Adobe After Effects Pro 7.0, Veritas NetBackUp Pro 5.1, Solid Works Office 2000 Premium, Quicken Premier Home and Business 2006 and Apple iLife 2006.
The FBI said Sheikh advised purchasers that software programs could be mailed to purchasers on compact discs and downloaded from the Internet. Sheikh created DVD-Rs and CD-Rs with copyright infringing software programs and crack codes. Crack codes let people modify software to remove or disable security protections. Sheikh allegedly requested that purchasers send money orders for infringing software to a P.O. box he maintained in Towson, Md., the FBI stated.
Sheikh also permitted customers to pay for infringing software through credit card charges and electronic fund transfers. Sheikh paid a company that hosted Internet domains to register multiple Internet domains, including ezencode.com, lazer-toners.com, and coark.net. Sheikh's computer server, which was located in Scranton, Pa., hosted his website. Sheikh used computers in Bel Air, Md., and other computers to contact and control his computer server, the FBI stated. The indictment seeks the forfeiture of £167,000 and any property derived from or traceable to the proceeds of the scheme. He could get up to five years in prison. No hearing date has been set (Computer World, 2012).
Shylock Online Banking Malware Raises Ugly Head
Date: February 17, 2012
Source: Computer World
Abstract: Web security firm Trusteer issued a warning this week about the return "with a vengeance" of Shylock, a polymorphic financial malware variant the company discovered last September that is now showing up again in end user machines.
It is aimed primarily at global financial institutions. Trusteer codenamed it Shylock because, "every new build bundles random excerpts from Shakespeare's 'The Merchant of Venice' in its binary," according to Trusteer CTO Amit Klein.
"These are designed to change the malware's file signature to avoid detection by antivirus programs," wrote Klein.
In an interview, Klein said there are hints in Shylock terminology to suggest it comes from Russia or the Ukraine. But who is involved and exactly where it is coming from remain unknown. "These are very difficult to track," he said.
Klein said the authors of the malware are running a surgical operation aimed at specific targets, a dozen or so large banks, some payment card providers and several web mail providers. Shylock amounts to customised financial fraud capabilities for the malware, including an improved methodology for injecting code into additional browser processes to take control of the victim's computer, according to Trusteer.
So far, while it does not appear to have caused widespread damage, Klein said Trusteer has received some reports from banks regarding compromised machines where fraud took place before they cleaned them.
And he suspects the reason Shylock has not been seen much in recent months is because it has been under development and improvement. "It is malware in progress," he said. "They keep throwing in new features, and perhaps have decided it's stable enough to distribute."
Klein said Shylock is distinguished by its ability to almost completely avoid detection by antivirus scanners after installation, using a unique three step process.
First, it doesn't run as a separate process, but embeds itself within applications running on a machine. Second, once it detects antivirus scanning, it deletes its own files and registry entries, and remains active only in memory. That would normally mean it could not survive a system shutdown/reboot. But, Klein says, that is where its third capability comes in: to hijack the Windows shutdown.
"It hooks into the Windows shutdown procedure and reinstates the files and registry keys (previously removed) just before the system is completely shut down and after all other applications are closed (including antivirus)," he said.
Beyond that, Klein said Shylock is "pretty sophisticated" malware that not only has its own HTML language, "but appears to have a converter that can take Zeus or SpyEye and turn it into its own format."
Trusteer said machines running its primary product, Rapport, designed to help online banks, brokerages and retailers secure the consumer desktop from financial malware attacks and fraudulent websites, are not vulnerable to Shylock. Klein said machines already infected can get rid of it by installing Rapport. About the only other way to eliminate a Shylock infection, if the machine does not have an internal battery, is to unplug its power source. But that will also clean the memory. "If you unplug the computer and force a brutal shutdown, the memory will be reset and Shylock will be gone," Klein said. "But Windows is going to whine a bit when it wakes up next. It's tricky to turn off a computer in this way, and you can't be sure it will restart properly" (Computer World, 2012).
Trojan Intercepting Bank Text Messages
Date: February 22, 2011
Source: Computer World
Abstract: A version of the Zeus malware that intercepts one-time passcodes sent by SMS (Short Message Service) is targeting customers of the financial institution ING in Poland.
The security vendor F-Secure blogged on Monday about the issue, which was analyzed on the website of security consultant Piotr Konieczny. F-Secure wrote that it appears to be the same style of attack found by the Spanish security company S21sec last September, which marked a disconcerting evolution in Zeus, one of the most advanced banking Trojans designed to steal passwords.
Zeus has changed its tactics, since some banks are now using one-time passcodes sent by SMS to authorize transactions performed on a desktop machine. First, attackers infect a person's desktop or laptop. Then, when that person logs into a financial institution such as ING, it injects HTML fields into the legitimate Web page.
Those fields ask for a person's mobile phone number and the model of their phone. When that information is entered, the attacker sends an SMS leading to a website that will install a mobile application that intercepts SMSes and forwards messages to another number controlled by the attackers. The Zeus mobile component will work on some Symbian and Blackberry devices.
Once that setup is complete, the attacker can simply do a transfer whenever it is convenient, such as when an account has just received a deposit. An attacker can log onto the account, receive the SMS code and begin transferring money.
ING officials contacted in the Netherlands on Monday afternoon did not have an immediate comment. The SMS ability of Zeus has prompted vendors such as Cloudmark to warn about how SMS spam, or SMS messages designed to enable other malware, are a growing threat. Cloudmark sells a system to operators that analyses SMS messages and can filter ones that have spam or other offensive content (Computer World, 2012).
HMRC Sets Up New Cyber-Crime Team To Tackle Tax Fraud
Date: March 13, 2012
Source: Computer World
Abstract: Her Majesty’s Revenue and Customs (HMRC) has revealed plans to establish a new cyber-crime team that will be used to proactively tackle tax fraud being carried out by organised criminals.
The team will aim to protect the Exchequer from cyber criminals that are using increasingly sophisticated ways to target its repayment systems.
Funding will be provided by the National Cyber Security Programme to recruit technical experts, analysts and investigators.
“As more and more of HMRC’s systems move online, cyber criminals will look to exploit any opportunity to attack the repayment system,” said David Gauke, Exchequer Secretary.
“In the last year alone, customers reported over 200,000 bogus emails purporting to come from HMRC and, as a result, HMRC shut down close to 1,000 bogus websites,” he added.
HMRC is also planning to deploy new technology to provide investigators with real-time intelligence on criminal activities, which will then be presented to its operational risk and security teams. In recent years the government has classed cyber security as a top priority for the country, and £650m has been allocated as part of the National Cyber Security Programme to fight against cyber-attacks up until 2014 (Computer World, 2012).
Police Arrest Online Banking Fraudster
Date: March 14, 2012
Source: Computer World
Abstract: The Metropolitan Police Service's Police Central e-Crime Unit (PCeU) has arrested a man for committing online banking fraud.
A 37-year-old man from Belvedere in Kent was arrested in connection with computer misuse offences.
It follows a recent study from the UK Cards Association, which said that technology had helped to significantly reduce the amount of money lost through credit and debit card fraud to an 11-year low.
An unnamed high street bank had reported to the police that online accounts had been compromised over an 18-month period. The PCeU carried out an investigation which found that accounts had been accessed without authority, money stolen and personal details had been changed.
The police seized computer equipment from the suspect's address, and will now be examining the devices. The man has been taken into custody at a south London police station.
Detective Inspector Mark Raymond at the PCeU said: "Online crime is never victimless. Such offences are indiscriminate and will be fully investigated where allegations are made. "Online banking is generally very safe providing individuals keep their operating systems and anti-virus software regularly updated to avoid online hackers and fraudsters. Sound independent advice can be found at 'getsafeonline.org'" (Computer World, 2012).
Trojan Stealing Credit Card Details From Hotel Reception Software
Date: April 19, 2012
Source: Computer World
Abstract: A remote access computer Trojan (RAT) designed to steal credit card details from hotel point-of-sale (PoS) applications is being sold on the underground forums, according to researchers from security firm Trusteer.
The researchers found an advertisement on a black market forum for a custom RAT designed to infect hotel front desk computers and steal customer credit card and billing information.
The seller was offering the computer Trojan, together with instructions on how to trick hotel front desk managers into installing it on their computers, for $280 (£175). The seller also claimed that the malware won't be detected by any antivirus program when it's delivered to the buyer.
Malware writers often repackage their malicious installers with new algorithms in order to evade signature-based antivirus detection, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender.
The repackaged samples can then be delivered via email or instant messaging without being stopped at the network perimeter. However, if an antivirus product with strong heuristic and behavioural detection capabilities is running on the targeted systems, the malware should be blocked at execution time, Botezatu said.
The hotel RAT's seller specified in the ad that the malware doesn't collect card security numbers, also known as CVV or CID, but this doesn't necessarily make the rest of the stolen information less useful to cybercriminals.
Some merchants are allowed to charge cards without the CVV details, especially in the US, Botezatu said. However, even if that wasn't the case, the data can still be used to phish the security codes from the card owners themselves or to search for the codes in existing data dumps that resulted from older phishing attacks, he said.
Most remote access computer Trojans have the capability to take screenshots, record keystrokes, download/upload files and execute arbitrary code, which makes them suitable for many types of cybercriminal operations.
The hotel RAT advertisement included screenshots of a particular PoS application, but its functionality might not be restricted to that specific program.
"The strength of RATs is their generic nature - they can be used to attack many different applications in use by many industries," said Amit Klein, Trusteer's chief technology officer. "We've seen RATs used against internal applications, banking applications, defense industries, etc."
Hotels typically have a limited IT staff or knowledge of malware and they handle a large number of credit cards on a daily basis, which makes them a perfect target, said Yaron Dycian, Trusteer's vice president of products.
The fact that the RAT's creator decided to target the hospitality industry is consistent with a recently observed change in the focus of cybercriminals - an expansion from online banking attacks to attacks against PoS systems. "I think the main reason for this shift, or diversification, is the fact that POS machines, and some business machines serve as 'mini repositories' where information about many victims can be collected at once," Klein said. "This is in contrast with consumer machines which typically expose one or two accounts" (Computer World, 2012).
Android Malware Being Delivered On Hacked Websites In Drive-By Download Attack
Date: May 3, 2012
Source: Computer World
Abstract: Android malware is being spread by hacked websites in a new attack vector crafted for the mobile operating system, according to analysts at Lookout Mobile Security.
The style of attack is known as a drive-by download and is common on the desktop; when someone visits a hacked website, malware can transparently infect the computer if it doesn't have up-to-date patches.
"This appears to be the first time that compromised websites have been used to distribute malware targeting Android devices," Lookout said.
Lookout said it noticed that "numerous" websites had been compromised to execute the attack, although those sites had low traffic. The company expects the impact to Android users will be low. The malware that tries to install itself, dubbed "NotCompatible," appears to be a TCP relay or a proxy.
"This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy," Lookout said. "This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government."
NotCompatible will automatically start downloading if the hacked website detects an Android device is visiting by looking at the web browser's user-agent string, which specifies the device's operating system.
The hacked websites have a hidden iframe, which is a window that brings other content into the target web site, at the bottom of a page. The iframe causes the browser to pull content from two other malicious websites hosting NotCompatible. If a PC accesses either of those websites, a "not found" error is displayed, Lookout said. After the malware downloads, the device will ask the user to install the application. But for it to be installed, the Android device's settings must have "unknown sources" enabled, Lookout said. If the setting is not enabled, only applications from the Android Market, now called the Google Play store, can be installed (Computer World, 2012).
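A defender-side audit for the injection pattern described above (a concealed iframe, appended to a compromised page, that pulls content from an external host), written as an added example; it is not code from the article or from Lookout, and the sample page and every hostname in it are constructed placeholders.

```python
"""Hidden off-site iframe audit for compromised-page triage.
Added example, not code from the article or Lookout; SAMPLE_PAGE and all
hostnames are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page whose last two iframes were injected at the bottom.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<p>Ordinary content.<br>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://payload.example.invalid/land.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="//second.example.invalid/x"></iframe></div>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col"}


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel (a 1x1 frame)."""
    try:
        return int(str(value).lower().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    """Walk the document, track whether we are inside a hidden container,
    and record every iframe together with its concealment and off-site flags."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []        # (tag, hidden?) for each open element
        self.findings = []

    def _inside_hidden(self):
        return any(hidden for _, hidden in self.stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            self._record(a, hidden_here or self._inside_hidden())
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden_here))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed elements in between.
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def _record(self, a, hidden):
        src = a.get("src") or ""
        # Relative src (no host) means same origin; "//host/..." and absolute
        # URLs carry their own host.
        host = (urlparse(src).hostname or self.page_host).lower()
        self.findings.append({
            "src": src,
            "host": host,
            "offsite": host != self.page_host,
            "concealed": hidden or _tiny(a.get("width")) or _tiny(a.get("height")),
        })


def suspicious_iframes(html, page_host):
    """Return the src of every iframe that is both concealed and off-site,
    which is the signature of the injection described in the article."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return [f["src"] for f in auditor.findings if f["offsite"] and f["concealed"]]


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE, "www.victim.example.invalid"):
        print("suspicious iframe:", src)
```

Because the article says the hacked sites decided whether to serve the payload from the browser's user-agent string, a scanner should fetch the page with an Android user-agent as well as a desktop one before running this audit, or the injected frame may never appear in the fetched HTML.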
Banks Say Hackers More Aggressive In Attacking Customer Accounts
Date: June 15, 2012
Source: Computer World
Abstract: A survey of large financial institutions shows they faced more attacks by hackers to take over customer banking accounts last year than in the two previous years, and about a third of these attacks succeeded.
The total number of attacks to try and break in and transfer money out of hacked customer accounts was up to 314 over the course of 2011, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), which released findings of its survey of 95 financial institutions and five service providers. That's an increase from 87 attacks against bank accounts in 2009 and 239 in 2010.
FS-ISAC is the group that coordinates on security issues with the Department of Homeland Security. The survey was conducted by the American Bankers Association.
The actual dollar losses taken by the financial institutions last year were $777,064, down from a high of $3.12 million in 2010. Dollar loss for customers was $489,672 in 2011, as compared with $1.16 million in 2010.
Banks responding to the survey said they were beefing up defenses against account takeovers through customer education, more use of multi-factor authentication, and shutting down customers' online access to a commercial system once anomalous behavior is detected.
Increasingly, banks are extending strong authentication to their customers to prevent successful takeovers of accounts by hackers, whose strategy is often to use malware to take control of the computer of someone authorised to make payments or other high-dollar transfers related to corporate accounts.
These authentication methods can take many forms. United Bank & Trust for instance, increased security for customers through a method that automatically phones the customer making an online funds transfer to verify the details about the transaction before it's actually executed.
Called PhoneFactor, this authentication method is now used for what the bank regards as high-risk transactions, says Marsha Whitehouse, vice president of treasury management at United Bank & Trust. This would ordinarily be associated with an individual authorised to make ACH or fund transfers via a corporate account. Through an automated process, PhoneFactor immediately places a phone call to verify details about the transaction request. Whitehouse says, "It improves security" (Computer World, 2012).
Generation Of Bank Trojans Can Hide Transfers
Date: June 20, 2012
Source: Computer World
Abstract: Improved online bank security has driven cybercriminals to start using a type of Trojan tool that automates money theft from compromised accounts in ways that are invisible to account holders, Trend Micro has discovered.
Established man-in-the-middle bank Trojan attacks – by Zeus and SpyEye for instance – finesse bank transfer credential requests by splashing bogus credential screens at users. According to the report "Automatic Transfer System, a New Cybercrime Tool", a way has been found to hide even this activity from users, using what Trend dubs Automatic Transfer Systems (ATS).
What this means is that bank Trojan attacks can display misleading account balances and hide illegal transactions from account holders, greatly delaying the discovery of thefts.
A fascinating dimension of the ATS story is that these scripts require bank-by-bank customisation by a dedicated coder who has access to an account on the targeted bank.
This is provided by an aftermarket of mostly East European programmers who sell their skills at what can be a tricky undertaking – one mistake and the attack will quickly fail – to cybercriminals willing to pay.
How successful is the new method? In many cases not very, but that’s true of all Trojan attacks; banks detect transfers as unusual whether they were authorised or not, and block them. However, Trend said it had seen others where sizable sums had made it into mule accounts, that is, legitimate cover accounts inside the targeted institution used as intermediaries.
At the moment, banks in the UK, Germany and Italy are the most attacked by ATS, a reflection of the extra security layers, such as two-factor authentication, that have been adopted in these countries.
“ATS infection is difficult to determine since ATSs silently perform fraudulent transactions in the background. It is, therefore, a good practice to frequently monitor banking statements using methods other than doing so online (i.e., checking balances over the phone or monitoring bank statements sent via mail),” said Trend Micro researcher, Loucif Kharouni. Trend’s answer to the ATS menace is yet more security software. Not everyone agrees. A University of Cambridge analysis earlier this week suggested that a more cost-effective strategy would be for countries to bolster the trifling sums currently spent on chasing and prosecuting cybercriminals (Computer World, 2012).
Security: Fake Android Antivirus App Linked To Zeus Banking Trojan
Date: June 20, 2012
Source: Computer World
Abstract: A fake Android security application discovered recently is most likely a mobile component of the Zeus banking malware, security researchers from antivirus firm Kaspersky Lab said this week.
Called Android Security Suite Premium, the rogue app is capable of stealing SMS messages and uploading them to a remote server. When launched, the app displays a shield image that has long been associated with Windows fake antivirus programs, also known as FakeAV or scareware.
"How could I ever forget such an identifiable logo," Nathan Collier, a threat research analyst at antivirus firm Webroot, said. "Now that the developers of the popular FakeAV malware have entered into the mobile world expect to see a lot more variations of this."
However, this might not be a mobile scareware app, but a new variant of ZitMo - Zeus in the Mobile, said Kaspersky Lab senior malware analyst Denis Maslennikov.
ZitMo apps are malicious mobile applications that are used by cybercriminals in conjunction with the Zeus computer Trojan in order to steal money from online banking accounts. They appeared back in 2010 as a response to banks implementing mobile-based security measures.
Their purpose is to steal mobile transaction authorisation numbers (mTANs) sent by banks to their customers via SMS messages. Without mTANs, fraudsters wouldn't be able to authorise transactions initiated with stolen credentials.
The registration information for the domain names where Android Security Suite Premium uploads stolen SMS messages matches the registration information for 2011 Zeus command-and-control domains, Maslennikov said. This, coupled with the app's SMS-stealing functionality, makes it likely that this is a new ZitMo version. Even though this app displays an activation code when opened, it doesn't display fake security alerts and doesn't ask users for money like scareware applications do, Maslennikov said. "It's not a fake AV - 100%" (Computer World, 2012).
Earn £48 Million In 'Operation High Roller' Bank Hack
Date: June 26, 2012
Source: Computer World
Abstract: A global fraud ring targeting high net-worth businesses and individuals has netted the criminals an estimated €60 million (£48 million).
According to McAfee and Guardian Analytics, which today issued a report on the fraud, "Dissecting Operation High Roller," the attacks, first identified this winter, have hit 60 or more institutions and the total amount stolen may in fact be much higher.
The two security firms say they have tracked "at least a dozen groups" that are relying on "server-side components and heavy automation" with about 60 servers processing thousands of attempted thefts from commercial accounts and the rich. This appears to be happening mainly in the European Union countries, though there's also evidence of it in Latin America and the US. These attacks are said to differ from the known malware-based SpyEye and Zeus attacks in that they are far more automated and usually done without human intervention.
"The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multi-faceted automation in a global fraud campaign," said Dave Marcus, McAfee director of advanced research and threat intelligence.
McAfee and Guardian Analytics first spotted evidence of these crime activities in late January in an attack on a bank in Germany in which the victim log data on the server "showed the fraudsters compromised 176 accounts and attempted to transfer nearly one million Euros to mule accounts in Portugal, Greece, and the United Kingdom." The average account targeted held about €509,000.
An attack against the German bank was highly automated, and in their report, the security firms say they had seen something similar in an earlier attack on a bank in Italy that involved SpyEye and Zeus malware to transfer funds but was more automated than anything they'd seen before.
The report says all manner of banking institutions have been targeted: credit unions, large global banks and regional banks. In March, the fraudsters hit the Netherlands banking system with this newer style of server-side automated attack. They circumvented endpoint security and monitoring tools used for fraud detection at the institution, the report says. The server was based in San Jose, California, and has also apparently been used against victims in the US whose accounts contained at least $1 million.
A hit against two banks in the Netherlands reached into more than 5,000 business accounts. The attempted fraud was estimated to be €35.58 million. Later in March, the security firms also became aware of attacks in Latin America, where more than a dozen businesses in Colombia were targeted, each having an account balance between $500,000 and $2 million. The server used in this wave of attacks was hosted in La Brea, California, though there was evidence of fraudsters logging in from Moscow to "manipulate some of the transactions in an attempt to transfer arbitrary amounts as high as 50% - 80% of the victim's balance." McAfee and Guardian Analytics say they've shared their findings with law enforcement agencies.
According to the report, the wave of Operation High Roller attacks builds on Zeus/SpyEye malware to compromise the victims' computers and skim credentials in order to execute a fraudulent transaction from a bank account. But although "there can be live intervention" in the High Roller attacks, most of them have been "completely automated, allowing for repeated thefts once the system has been launched at a particular bank or for a given Internet banking platform."
According to the report, these "updated attacks found in the Netherlands and the US move fraudulent transaction processing from the client to the server. Fraudulent activities - including the actual account log-in - are performed from a fraudster's server that is located at a 'bullet proof' ISP (one with crime-friendly usage policies), locked down against changes, and moved frequently to avoid discovery. After each move, the web injects are updated to link to the new location."
In addition, the attacks up the ante on evasive maneuvers. According to the report, code customisation that includes rootkits for client-side malware and encrypted links help hide the criminal attack process and avoid antivirus scans. "And some of the web servers move dynamically so that blacklisting and reputation-centric technologies are not effective." The report says the techniques used are basically "a significant breakthrough for the fraudsters" because they represent the "defeat of two-factor authentication that uses physical devices."
The report goes on to state: "We are working to assess and improve the defenses at McAfee and Guardian Analytics financial service customers. This attack should not be successful where companies have layered controls and detection software correctly. We are working to map out appropriate security configurations, such as activation of real-time threat intelligence on client hosts and use of hardware-assisted security to defeat evasive malware." The report points to the need for anomaly-detection software and strengthening of endpoint controls for consumers. But Operation High Roller was "successful," the security firms acknowledge. "Our research found attacks succeeding in the most respected financial institutions, as well as the small, specialised credit unions and regional banks that may have felt they presented too paltry a target" (Computer World, 2012).
Men Jailed Over SpyEye Banking Malware
Date: July 2, 2012
Source: Computer World
Abstract: Two men who used the SpyEye malware to steal and use personal banking and credit card data from unsuspecting victims’ online accounts have been jailed for offences under the Computer Misuse Act.
SpyEye is a computer Trojan horse that specifically targets online banking users. Like its older cousin Zeus, SpyEye is no longer being developed by its original author, but is still widely used by cybercriminals in their operations.
Pavel Cyganok, 28, a Lithuanian national living in Birmingham was sentenced to five years, while Ilja Zakrevski, 26, an Estonian national, has been sentenced to four years.
Meanwhile, a third man, Aldis Krummins, 45, a Latvian living in Goole, was found guilty of money laundering in relation to the investigation, and sentenced to two years.
The investigation began in January and revolved around the group's use of a uniquely modified variation of SpyEye, which harvests personal banking details and sends the credentials to a remote server controlled by hackers, police said. As part of their investigation, police also seized computer equipment and data.
Detective Constable Bob Burls from the Metropolitan Police Central e-crime Unit (PCeU) said: “The defendants, during the course of their enterprise, developed a highly-organised IT infrastructure to enable their criminality, including in some cases, the automatic infection of innocent computer users with their malicious code.”
The PCeU was first contacted by Estonian Police in March 2010 about Zakrevski, whom they suspected was targeting UK financial institutions with SpyEye.
The stolen data was stored in databases, known as Command and Control servers, around the world, with one server in the UK. found that about 1,000 computers had been infected and connected to this server, and detectives were also able to identify compromised bank accounts of UK, Danish and Dutch citizens, and how they had been misused and defrauded.
The culprits used the stolen banking details to buy additional IT infrastructure and pay for their domestic utilities and lifestyles.
They also used the credit card data to purchase luxury goods online in bulk, which they resold via online auction sites. Some of the £100,000 made from these sales was laundered within online accounts that the cybercriminals controlled.
Zakrevski was linked to the investigation when the police found a computer located in Estonia connected to his online username, ASAP911, which was periodically checking how many infected computers were connecting to the server. He was extradited to the UK and charged in July 2011. Meanwhile, Cyganok was arrested at his home address in April 2012, and was found to be logged into a number of the command and control servers at the time (Computer World, 2012).
Trojan Attacks SMS Smartphone Bank Security
Date: July 11, 2012
Source: Computer World
Abstract: Security company Trusteer is warning about an Android Trojan that is being distributed by criminals to beat the SMS smartphone authentication systems employed by European banks to verify money transfers.
Man-in-the-middle (MitM) attacks on 2FA technology via mobiles started around a year ago, based on the simple observation that the apparent strength of SMS verification is also its weakness if hackers are able to compromise the handset itself.
The SMS one-time passcode or transaction PIN looks like a way of shutting out online bank fraudsters who have gained access to a user's online account so criminals have devoted time to working out how to intercept that code.
Trusteer has now seen the first mobile attacks based on the recent 'Tatanga' Trojan, as well as new configurations of the infamous SpyEye Trojan it has named 'SPITMO' (SpyEye in the mobile).
Users infected by the Windows Trojan are asked for their mobile numbers before being directed to a website that installs what is claimed to be a mobile security application. Once they have entered an 'activation code' – actually just a way for the attackers to know the mobile is live – the attackers are free to capture any traffic sent to that device.
The mechanics of the attack vary by country and that is perhaps the biggest feature of this attack – it targets a range of major European online banks, particularly those in Spain and Germany.
“Once fraudsters have infected a victim’s web and mobile endpoints, very few security mechanisms can prevent fraud from occurring,” said Trusteer CTO, Amit Klein, whose company offers in-browser tools that specialise in blocking such attacks.
Where are the attacks based? Perhaps China or the US, both countries from which the fake websites were registered but nobody can be sure.
“This discovery confirms that Man-in-the-Mobile attacks are focusing primarily on Android devices. Multiple studies show that Android devices account for more than 60 percent of the smartphone market in the targeted countries,” he said.
“Android popularity and the relative ease of developing and distributing Android applications are probably the reasons why cybercriminals have singled out this particular platform for mobile malware attacks.”
The attack is really about finding a way around the two-factor authentication systems that are starting to become common on many online banking systems, including those accessed via mobiles. Given the relative simplicity of the social engineering involved, this now looks like a serious avenue of attack. “With nearly 60 percent of the market and a reputation for weak app security, it’s no surprise that Android has become the preferred target for financial malware,” emphasised Klein (Computer World, 2012).
Alert After Ransom Trojan Locks Up 1,100 PCs
Date: August 2, 2012
Source: Computer World
Abstract: UK authorities have issued an urgent warning about a ransomware attack that has successfully extorted money from dozens of victims by impersonating the country’s Police Central e-Crime Unit (PCeU).
Ransom attacks using threats that pose as the PCeU and other European police forces in order to issue fine threats have become common in the last two years, but it is still unusual for any hard numbers on infection rates or victim numbers to come to light.
The latest unidentified attack had infected 1,100 computers in the UK, successfully conning 36 people into paying £100 each to the criminals, police said. The true numbers will be much larger because official reports only show a snapshot of what is happening.
The procedure for such attacks is always very similar. Users visit or are redirected to a porn or gambling site that hits them with a drive-by attack, usually based on a software vulnerability in a browser plug-in. The user’s PC is then hijacked and the user asked for money in order to regain control.
Sometimes the attack will issue threats, including that the user will be exposed for visiting a porn site (whether they have or not), while on other occasions the demand is a straight ‘pay us or you will not be able to use your PC.’
“This is a fraud and users are advised NOT to pay out any monies or hand out any bank details,” urged the PCeU.
“This scam is now affecting many countries in Europe and further afield, with each email tailored to include the branding of that country's law enforcement agency. Europol are coordinating with Europe's law enforcement agencies on this matter,” the PCeU said.
Users can advise of such attacks on the PCeU’s website. This won’t help get lost money back – victims should phone their credit card company immediately – but will help police plot new attacks before they successfully infect more computers. Another variation on the theme has been to impersonate software companies such as Microsoft, threatening the end user by claiming they are using a pirated copy of Windows. The criminals just never let up (Computer World, 2012).
Financial Sector IT Systems ‘No Longer Fit For Purpose’, Says Report
Date: August 6, 2012
Source: Computer World
Abstract: The financial sector is underpinned by infrastructure and IT systems that are ‘no longer fit for purpose’, according to a new report by IT industry association Intellect.
Entitled ‘Biting the bullet’, the report says that the 2008 banking crisis and failures in the retail banking sector demonstrate the weakness of the overall financial system, which is the result of decades of ad-hoc technology investment combined with merger and acquisition activity that has created silos of information and duplicate processes.
A recent example saw millions of RBS customers not able to gain access to funds in their bank accounts after a botched upgrade that was made to batch processing software CA 7 from CA Technologies, which impacted some accounts for more than a month. The IT failure has cost the bank a minimum of £125 million.
The report says: “Poor quality financial infrastructure makes it impossible for regulatory authorities to build a macro view of the whole financial system that would enable them to identify and mitigate risk.
“Given the widely-recognised and urgent need to strengthen financial regulation, this is a real problem.”
Intellect believes that financial infrastructure is fragmented, which inhibits the ability of banks to draw accurate data from across their operations. This results in regulators not receiving critical information in suitable time frames, and even when it is made available, there isn’t a high level of confidence that it accurately reflects the full exposures and positions of individual firms and the financial system as a whole.
“Fundamentally, global efforts to standardise data across the financial system in order to increase its transparency, will be undermined if the poor state of the financial system’s infrastructure is not addressed and the regulatory authorities are not empowered with the right tools to fulfil their duties,” said Intellect.
The report also argues that this poor infrastructure restricts the ability of banks to share information across their disparate departments and operations, which in turn inhibits their ability to fully understand their customers.
This inadequate infrastructure is the direct result of the banks’ reluctance to invest in areas that do not create an immediate return on investment (ROI). Cash is being spent on products and services that yield a short-term return on investment, such as systems to support algorithmic and high frequency trading, rather than core legacy systems.
The report reads: “Unlike other industries where technological capability is a key competitive differentiator and a foundation for better, more customer-centric service delivery, the financial services industry has often treated large parts of its infrastructure as an afterthought.
“As a result, the infrastructure underpinning the banks has become unfit for purpose over the years. Infrastructure and core systems have been upgraded on a patchwork basis rendering them even more complex – and therefore more prone to failure – as systems changes are perennially bolted on to what is already there, rather than replaced by more modern core systems that are better suited to the provision of modern banking services.”
Intellect recommended that to ensure change is implemented, the Financial Policy Committee needs to understand and set out what capabilities, such as data quality, dashboards and predictive analytics, it will require in the future for it to perform its financial stability role. This will help set minimum infrastructure standards for banks, as they will be required to meet certain regulatory standards.
It also suggested that an ‘industry utility’ should be created through which data from banks would flow to the regulatory authorities. It uses faster payments as an example of where the industry has worked together to create a utility that has delivered benefits to customers, banks and the wider economy. Finally, it called for individual institutions to address their legacy systems and make a commitment to ensure that their infrastructure is fit for purpose and upgraded to minimum standards set by regulatory authorities (Computer World, 2012).
Lloyds Head Of Security For Online Banking Admits £2.5M Fraud
Date: August 7, 2012
Source: Computer World
Abstract: A former head of fraud and security for digital banking at Lloyds Bank has admitted to committing £2.5 million fraud.
Jessica Harper, 50, was accused of filing false invoices to claim payments for more than three years, between September 2008 and December 2011.
Earlier this year, she was charged with one count of fraud by abuse of position for the false claims, which amounted to £2,463,750 in total. She has pleaded guilty to this charge at Southwark Crown Court, according to the BBC.
According to her lawyer Carol Hawley, Harper is currently selling her £700,000 home to repay some of the stolen money. Harper will be sentenced on 21 September (Computer World, 2012).
Shylock Malware Injects Rogue Phone Numbers In Online Banking Websites
Date: August 9, 2012
Source: Computer World
Abstract: New configurations of the Shylock financial malware inject attacker-controlled phone numbers into the contact pages of online banking websites, according to security researchers from antivirus vendor Symantec.
By doing this, the attackers attempt to trick victims into calling them instead of the bank if they become suspicious during an online banking session, said Symantec researcher Alan Neville. have advised users for years to call their banks in order to verify the authenticity of any unusual error messages or requests they encounter while performing online banking operations. This type of attack could defeat that
"While the exact motive of the attackers is not clear, we speculate that it is either an attempt to extract sensitive login credentials from victims during a telephone conversation or an attempt to block victims from notifying their bank of a problem with their account, giving the attackers more time to perform activities," Neville said.
The new Shylock variant targets banks from the UK, Neville said. "The numbers being used by the attacker are easy to create online and are disposable."
The Shylock malware, named after a character from Shakespeare's The Merchant of Venice, was first discovered in September 2011 and its main purpose is to steal online banking credentials and other financial information.
Like most financial Trojan programs, Shylock is capable of injecting rogue content into websites accessed from infected computers. The injected content is customized for every targeted website and is pulled from a configuration file.
Shylock attackers are known for being creative with their scams. Back in February, researchers from security vendor Trusteer reported that a Shylock variant was modifying online banking websites to inform users that their computers couldn't be identified and they needed to speak with a bank representative in order to verify their account information. The malware then injected a web chat window into the browsing session, connecting targeted users with the attackers instead of their bank's employees (Computer World, 2012).
Title: Islamic Hackers Threaten Bank Of America And NY Stock Exchange
Date: September 19, 2012
Abstract: The Bank of America’s online banking site suffered occasional problems Tuesday after threats on the internet that a cyber-attack would be launched on the bank and other US targets in protest at a film mocking Islam.
A message on pastebin.com claiming to be from ‘cyber fighters of Izz ad-din Al qassam’ - a reference to the military wing of Hamas - declared that it would attack the Bank of America and the New York Stock Exchange as a first step in a campaign against “American Zionist Capitalists”.
The posting promised to continue aggressive actions until the “erasing of the nasty movie”, which although YouTube has blocked in volatile regions, remains available in other parts of the world.
The film in question, a privately funded short movie mocking the Prophet Mohammad, has ignited days of demonstrations. The uproar has left many dead across the Arab world, including Africa, Asia and some Western countries.
A Bank of America spokesman told Reuters that the website had suffered some problems but was available to customers.
But customers contacted by Reuters in Michigan, Ohio, Georgia and New York said they couldn’t access the site.
The threat to the New York Stock Exchange has seemingly not materialized as trading continued as normal.
Bill Pennington, chief strategy officer at WhiteHat Security, told the weekly magazine InformationWeek that the problems on the Bank of America website do not necessarily mean they’ve been hacked.
“It’s reasonable to suppose it could be a coincidence,” he said, citing the recent GoDaddy outage, which was an internal technical error for which hackers claimed responsibility.
But he did concede that the website’s problems could also be the result of hackers, saying that hacking was “pretty easy”.
He said that only the perpetrators and possibly the victims [the Bank of America] will ever really know what happened. Pennington warned that businesses should expect more attacks, “It’s probably going to get worse before it gets better,” he said (RT, 2012).
Title: Cyberwar Or Not, Are We Ready For Extreme Scenarios?
Date: September 20, 2012
Abstract: Earlier this week I ran into an article by my friend Raf Los (Wh1t3rabbit) titled “Cyber War - Fact from Fiction in the shadow of the Tallinn Manual” discussing among other things whether attacks such as Stuxnet and Flame can be considered cyberwar or not. The question is important from a legal perspective because in our democracies parliaments have to be involved before a government can declare war.
I responded to Raf by putting a comment on his blog, pointing out that, from a practical perspective, whether this is cyberwar or not is irrelevant. The technology has disrupted Iran’s manufacturing of radioactive material.
Above all, what Stuxnet and Flame demonstrate is an escalation in the technologies used to disrupt operations. And both have been discovered because people have looked out for them. What other, even more advanced, technologies are out there that we do not know of? Who is controlling them and are we absolutely sure they are fully under control?
Although I could not find it online, I remember a short Charlie Chaplin film where he is instructed to fire a cannon — a cannon that keeps following him shooting in his direction. Let me use this as an analogy. Could any of these sophisticated hacking tools backfire? Remember, in April 2010 15% of the global internet traffic was hijacked by China. How many CIOs are keeping these incidents in the back of their mind when planning their enterprise security?
Indeed, we increasingly rely on cloud computing. In particular, public cloud is seen as the future for many services. The availability of the Internet is taken for granted. But what happens if the Internet grinds to a halt because of massive attacks or hijacking?
Fundamentally we should ask ourselves two questions:
1. Do we have the technologies to stop propagating any threat within our IT systems?
2. Can we continue to operate without Internet access, at least for a period of time?
The Internet is a globally distributed network comprised of many voluntarily interconnected autonomous networks, says Wikipedia. It operates without a central governing body. In 2005 the Internet Governance Forum (IGF) was established, to open an ongoing, non-binding conversation among multiple stakeholders about the future of Internet governance. In other words the Internet is wide open and could be disrupted massively for political or financial reasons. We should keep that in mind. You will probably react by telling me I’m paranoid. Frankly I’m not, but I find it important we think through extreme scenarios to ensure we keep our key information and processes safe. This is all about scenario planning. So, in your mind, what is the risk such a scenario ever takes place? If you feel it’s a possibility, even a remote one, review your operations and assess how resilient they are. In other words, how long do you think your enterprise will be able to continue to operate without international internet access, for example? Is the time adequate in your mind? What could you do to become more resilient? These are the questions you should ask yourself. They will help you identify the vulnerabilities in your IT operations and address them. Even if the extreme scenario you used to identify them never materializes, it will help you be prepared in case of cloud outage, partial internet unavailability or other dysfunctions. How are you making sure your environment stays safe? (CIO, 2012).
Title: Panetta Talks Cyber Issues With Chinese, But Experts See No Decline In
Date: September 20, 2012
Source: Fox News
Abstract: Despite several years of escalating diplomacy and warnings, the U.S. is making little headway in its efforts to tamp down aggressive Chinese cyberattacks against American companies and the government.
U.S. Defense Secretary Leon Panetta, who is wrapping up three days of meetings with military and civilian leaders, said he has brought the issue up at every session and come away with little more than agreements to talk again.
Meanwhile, cybersecurity analysts say the computer-based attacks emanating from China continue unabated, and in fact are expanding and focusing more intently on critical American oil, gas and other energy companies.
“No diplomatic actions have made a difference,” said Richard Bejtlich, chief security officer for the Virginia-based cybersecurity firm Mandiant. “They remain aggressive — they’re kicked out one day and try to get back in the next day.”
He said the China-backed hackers’ tactics are also evolving, and they are more often going after corporate computer systems by breaching software weaknesses, rather than simply trying to get into a network by duping an individual employee. And he said they appear to be increasingly targeting lucrative energy companies.
Efforts by officials across the U.S. government have not seemed to have any impact, Bejtlich said, adding: “The Chinese don’t seem to care. So I don’t have any hope that the dialogue is reaching anyone of any note.”
Panetta, who is leaving China on Thursday, met with China’s leader-in-waiting, Xi Jinping, Wednesday and afterward told reporters that he urged Xi and other leaders to have an ongoing dialogue with the United States about the cyber threat.
“I think it’s clear that they want to engage in a dialogue on this issue,” Panetta said, “and I guess that’s the most important thing. That’s the beginning of trying to perhaps be able to develop an approach to dealing with cyber issues that has some semblance of order here as opposed to having countries basically all flying in the dark.”
Chinese officials have steadfastly denied the cyberattacks, saying they also are victims of computer hackers and breaches.
But nine months ago senior U.S. intelligence officials for the first time publicly accused China of systematically stealing American high-tech data for its own national economic gain. It was the most forceful and detailed airing of U.S. allegations against Beijing after years of private complaints, and it launched a more open push to combat the attacks.
James Lewis, a cybersecurity expert with the Center for Strategic and International Studies, said the U.S. is starting to push the Chinese harder on the issue, but the administration needs to do more.
“The damage from Chinese cyber espionage is easy to overstate but that doesn’t mean we should accept it,” he said. “The Bush administration was unaware of the problem; this administration needs to come up with a more dynamic response.”
Cyber experts and U.S. officials agree that one of the biggest threats is the possibility of a miscalculation when a cyber breach triggers a clash between the two nations and there is no underlying relationship that can be used to discuss or work out the problem.
“How do you make sure something doesn’t go off course and become a flashpoint for a bigger crisis?” Lewis said.
He added that the People’s Liberation Army has been more confrontational lately, and lingering questions remain about the relationship between the Chinese political leaders and the military, and whether the civilian officials can effectively rein in the PLA.
Bejtlich and others describe a hierarchy of hackers in China that includes three main groups: those who are employed directly by the government, those who are affiliated with universities or quasi-government agencies and the so-called patriotic hackers who work on their own but direct their attacks against the U.S. and Western interests.
Bejtlich said some of the state-sponsored hackers appear to moonlight, stealing data from Western companies perhaps as a way of making more money. As long as they don’t present a threat to China or Chinese companies, it is tolerated.
Panetta has warned repeatedly that cyberattacks and cyberwarfare could set off the next war. And U.S. officials and security experts say government and private industry systems are constantly being probed, breached and attacked. A key threat is an attack against critical infrastructure, including the electric grid, power plants or financial networks, that could plunge the U.S. into crisis.
Officials have said that at this point the main threats from China are intelligence espionage and the theft of corporate and high-tech data, rather than an all-out act of war. But they warn that hackers in China, many of whom work for, are backed by or are tolerated by the Chinese government, are capable of highly sophisticated attacks (Fox News, 2012).
Title: Officials See Iran, Not Outrage Over Film, Behind Cyber Attacks On US
Date: September 20, 2012
Source: NBC News
Abstract: National security officials told NBC News that the continuing cyber attacks this week that slowed the websites of JPMorgan Chase and Bank of America are being carried out by the government of Iran. One of those sources said the claim by hackers that the attacks were prompted by the online video mocking the Prophet Muhammad is just a cover story.
A group of purported hackers in the Middle East has claimed credit for problems at the websites of both banks, citing the online video mocking the founder of Islam. One security source called that statement "a cover" for the Iranian government's operations.
The attack is described by one source, a former U.S. official familiar with the attacks, as being "significant and ongoing" and looking to cause "functional and significant damage." Also, one source suggested the attacks were in response to U.S. sanctions on Iranian banks.
The consumer banking website of Bank of America was unavailable to some customers on Tuesday, and JPMorgan Chase on Wednesday had the same problems, which multiple sources linked to a denial-of-service attack, in which a website is bogged down by a large number of requests. A Chase spokesman said Wednesday that the consumer site was intermittently unavailable to some customers, but did not acknowledge then that there was an attack. On Thursday, Chase said slowness continued but was resolved by late afternoon Eastern Time. Bank of America acknowledged on Tuesday that its site had experienced slowness, but would not say what caused it.
Senior U.S. officials acknowledge that Iranian attacks have been the subject of intense interest by U.S. intelligence for several weeks. Last week, the Joint Chiefs of Staff's Intelligence Directorate, known as J-2, confirmed continuing Iranian cyber attacks against U.S. financial institutions in a report described as "highly classified." The report was posted on internal classified U.S. government sites last Friday, September 14.
Because of the level of classification, the officials refused to provide or confirm any specifics on these attacks. However, one official noted that Iran's uranium enrichment program had been the target of the STUXNET worm in 2010. The worm was reportedly developed by the U.S. and Israel. "The Iranians are very familiar with the environment,” quipped the official.
A conservative website, FreeBeacon.com, initially reported on the Pentagon analysis, quoting it as saying, “Iran’s cyber aggression should be viewed as a component, alongside efforts like support for terrorism, to the larger covert war Tehran is waging against the west.” U.S officials did not deny the FreeBeacon report when queried by NBC News.
A financial services industry group, the Financial Services Information Sharing and Analysis Center, warned U.S. banks, brokerages and insurers late Wednesday to be on heightened alert for cyber attacks. FS-ISAC also raised its cyber threat level to "high" from "elevated" in an advisory to members, citing "recent credible intelligence regarding the potential" for cyber attacks as its reason for the move.
The former head of cyber-security for the White House testified Thursday that “we were waiting for something like this from Iran.” Frank Cilluffo, who served as Special Assistant to the President for Homeland Security under President George W. Bush, is currently an associate vice president at George Washington University and heads the Homeland Security Policy Institute. Cilluffo testified in a previously scheduled appearance before the U.S. House of Representatives’ Committee on Homeland Security, saying “the government of Iran and its terrorist proxies are serious concerns in the cyber context. What Iran may lack in capability, it makes up for in intent. They do not need highly sophisticated capabilities—just intent and cash—as there exists an arms bazaar of cyber weapons, allowing Iran to buy or rent the tools they need or seek.”
The statement by the purported Muslim hackers, posted on Tuesday on Pastebin, an online bulletin board, reads in full: "In the name of Allah the companionate the merciful. My soul is devoted to you Dear Prophet of Allah. Dear Muslim youths, Muslims Nations and are noblemen. When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam. All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie. We will attack them for this insult with all we have. All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult. We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels. Allah is the Greatest. Allah is the Greatest."
There was no report of an attack on the New York Stock Exchange.
Also on Thursday, the U.S. disclosed that it has bought $70,000 worth of air time on seven Pakistani television channels to air an ad which shows President Barack Obama and Secretary of State Hillary Clinton denouncing the anti-Islamic video. In the ad, President Obama says, "Since our founding the United States has been a nation that respects all faiths. We reject all efforts to denigrate religious beliefs of others." Clinton appears after Obama and says, "Let me state very clearly that the United States has absolutely nothing to do with this video. We absolutely reject its contents. America's commitment to religious tolerance goes back to the very beginning of our nation." Pakistan was added Wednesday to the State Department's list of countries to which Americans should avoid travel, joining Lebanon and Tunisia, following protests across the Middle East and North Africa and the attack on the U.S. consulate in Benghazi, Libya, in which American Ambassador Chris Stevens was killed (NBC News, 2012).
Title: Islamist Group Warns Of New Cyber Attacks On US Banks
Date: September 25, 2012
Source: France 24
Abstract: An Islamist group on Tuesday said it will carry out new cyber attacks on US banking targets, according to SITE Intelligence Group, following similar attacks last week in response to an anti-Islam film.
In a statement a group of hackers calling themselves the "Cyber Fighters of Izz al-Din al-Qassam" said they planned to attack the website of Wells Fargo bank on Tuesday, that of US Bank on Wednesday and the PNC Bank on Thursday, SITE said.
Last week the websites of US banks Chase (a JPMorgan Chase affiliate) and Bank of America suffered a suspected cyber attack following threats against them by the same group.
"Operation Ababil began with Bank of America. The second stage was the attack on the biggest bank of the United States, Chase. This series of attacks will continue until this heinous film disappears from the internet," said a message signed by the group and posted to the Pastebin.com website.
In the latest statement the group claimed the attacks were in retaliation for the release of the controversial movie "Innocence of Muslims," which has led to massive protests across the Muslim world.
The statement warned that "the operation might eventually target Israeli, French, and British financial institutions" as well, according to SITE (France 24, 2012).
Title: Mysterious Algorithm Was 4% of Trading Activity Last Week
Date: October 8, 2012
Abstract: A single mysterious computer program that placed orders — and then subsequently canceled them — made up 4 percent of all quote traffic in the U.S. stock market last week, according to the top tracker of high-frequency trading activity. The motive of the algorithm is still unclear.
The program placed orders in 25-millisecond bursts involving about 500 stocks, according to Nanex, a market data firm. The algorithm never executed a single trade, and it abruptly ended at about 10:30 a.m. ET Friday.
“Just goes to show you how just one person can have such an outsized impact on the market,” said Eric Hunsader, head of Nanex and the No. 1 detector of trading anomalies watching Wall Street today. “Exchanges are just not monitoring it.”
Hunsader’s sonar picked up that this was a single high-frequency trader after seeing the program’s pattern (200 fake quotes, then 400, then 1,000) repeated over and over. Also, it was being routed from the same place,
“My guess is that the algo was testing the market, as high-frequency frequently does,” says Jon Najarian, co-founder of TradeMonster.com. “As soon as they add bandwidth, the HFT crowd sees how quickly they can top out to create latency.” (Read More: Unclear What Caused Kraft Spike: Nanex Founder.)
Translation: The ultimate goal of many of these programs is to gum up the system so it slows down the quote feed to others and allows the computer traders (with their co-located servers at the exchanges) to gain a money-making arbitrage opportunity.
The scariest part of this single program was that its millions of quotes accounted for 10 percent of the bandwidth that is allowed for trading on any given day, according to Nanex. (The size of the bandwidth pipe is determined by a group made up of the exchanges called the Consolidated Quote System.) (Read More: Cuban, Cooperman: Curb High-Frequency Trading.)
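The pattern Nanex describes (bursts of new orders inside 25-millisecond windows, almost all of them cancelled, none executed, all routed from the same place, repeating 200 / 400 / 1,000) is something an exchange or surveillance team can check for mechanically. The following is an added example written for this page, not Nanex's code or any exchange's surveillance logic: it buckets a quote feed by sender and 25 ms window and flags windows where one source posts a burst it then cancels without a single fill. The `QuoteMsg` schema, the `source` routing field and the constructed feed are assumptions.

```python
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class QuoteMsg:
    """One message on a quote feed (constructed format, not Nanex's)."""
    ts_ms: int     # exchange timestamp, milliseconds
    source: str    # routing identifier of the sender (hypothetical field)
    symbol: str
    action: str    # "new", "cancel" or "exec"


def bucket_by_source_window(msgs, window_ms=25):
    """Count new/cancel/exec messages per (source, window) bucket."""
    buckets = defaultdict(lambda: {"new": 0, "cancel": 0, "exec": 0, "symbols": set()})
    for m in msgs:
        b = buckets[(m.source, m.ts_ms // window_ms)]
        b[m.action] += 1
        b["symbols"].add(m.symbol)
    return buckets


def flag_quote_stuffing(msgs, window_ms=25, min_new=100, max_fill_ratio=0.01, min_cancel_ratio=0.9):
    """Windows where one source bursts many new orders, cancels nearly all of them and
    executes essentially none. Returns (source, window_start_ms, new, cancel, n_symbols)."""
    flagged = []
    for (src, w), b in sorted(bucket_by_source_window(msgs, window_ms).items()):
        if b["new"] < min_new:
            continue
        if b["exec"] / b["new"] <= max_fill_ratio and b["cancel"] / b["new"] >= min_cancel_ratio:
            flagged.append((src, w * window_ms, b["new"], b["cancel"], len(b["symbols"])))
    return flagged


def traffic_share(msgs):
    """Fraction of all feed messages sent by each source."""
    counts = defaultdict(int)
    for m in msgs:
        counts[m.source] += 1
    return {s: c / len(msgs) for s, c in counts.items()}


def build_sample_feed(seed=1):
    """Constructed feed: 100 ordinary participants plus one source ("STUFFER") that
    repeats the 200 / 400 / 1,000 burst pattern three times, each burst inside a 25 ms window."""
    rng = random.Random(seed)
    symbols = [f"SYM{i:03d}" for i in range(500)]
    msgs = []
    for _ in range(2000):  # light, diffuse background traffic over one second
        msgs.append(QuoteMsg(rng.randrange(0, 1000), f"MP{rng.randrange(100):02d}",
                             rng.choice(symbols), rng.choice(["new", "cancel", "exec"])))
    for cycle in range(3):
        for offset, n in ((0, 200), (100, 400), (200, 1000)):
            start = cycle * 300 + offset          # multiples of 25 ms, so each burst is one window
            for k in range(n):
                sym = symbols[k % 500]
                msgs.append(QuoteMsg(start + k % 10, "STUFFER", sym, "new"))
                msgs.append(QuoteMsg(start + 10 + k % 10, "STUFFER", sym, "cancel"))
    msgs.sort(key=lambda m: m.ts_ms)
    return msgs


if __name__ == "__main__":
    feed = build_sample_feed()
    for src, start, new, cancel, nsym in flag_quote_stuffing(feed):
        print(f"{src} @ {start:4d} ms: {new} new, {cancel} cancelled, {nsym} symbols")
    print("traffic share of STUFFER: %.2f" % traffic_share(feed)["STUFFER"])
```

The thresholds (at least 100 new orders per window, under 1% filled, over 90% cancelled) are illustrative; a real surveillance system would calibrate them per venue and per symbol. The cancel-ratio rule is what separates stuffing from an ordinary fast market maker, who also posts heavily but gets filled.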
“This is pretty out there to see this affect this many stocks at the same time,” said Hunsader, adding that high-frequency traders are doing anything to “tip the odds in their favor.”
A Senate panel at the end of September sought answers on high-frequency trading, as investigators look into the best way to stop wealth-destroying events such as the Knight Capital Group computer glitch in August and the market “flash crash” two years ago. (Read More: Ex-Insider Calls High-Frequency Trading ‘Cheating’.)
Regulators are trying to see how they can rein in the practice, which accounts for 70 percent of trading each day, without slowing down progress and profits for Wall Street and the U.S. exchanges.
“I feel a tax on order-stuffing is what the markets need at this point,” said David Greenberg of Greenberg Capital. “This will cut down on the number of erroneous bids and offers placed into the market at any given time and should help stabilize the trading environment.”
Title: Three Bank Websites Threatened In Ongoing Cyber ‘Operation’
Date: October 8, 2012
Source: Fox Business
Abstract: A group claiming to be allied with radical Muslims threatened Monday to attack the websites of three financial companies as part of an ongoing cyber “operation” that it said is retribution for an anti-Islam film trailer.
The so-called “Izz ad-Din al-Qassam Cyber Fighters” posted a specific timetable for its attack program on PasteBin.com, a website commonly used by hackers to brag about exploits. The posting said the website of Capital One Financial (COF) would be hit on Tuesday, followed by SunTrust (STI) on Wednesday and Regions Financial (RF) on Thursday. It also hinted at more attacks next week.
None of the banks could be immediately reached for comment on the matter. In the past, such attacks have sometimes caused websites to slow to a crawl or become inaccessible for some users; however, the impact cannot be gauged in advance.
While none of the financial firms commented specifically on the attacks, or confirmed that they were the subject of an attack, security experts reckon the sites were the subject of distributed-denial-of-service (DDoS) efforts. Such exploits are fairly rudimentary in that they essentially flood web servers with requests, making it difficult or impossible for the sites to be accessed. Customer information is generally not at risk as a result of this method.
FlashPoint Partners, a security company that specializes in cyber attacks, said in a report Monday that this fresh round of attacks would “likely to be limited to large scale DDoS attacks.”
Izz ad-Din al-Qassam said in the posting that the attacks are reprisal for "an insulting film," a reference to the ‘Innocence of Muslims’ trailer that ridiculed the Prophet Mohammad. It threatened to continue attacking what it called “financial centers” until the trailer is removed from the Web (Fox Business, 2012).
Title: Cybercriminals Plot Massive Banking Trojan Attack
Date: October 8, 2012
Source: Computer World
Abstract: An international gang of cyber crooks is plotting a major campaign to steal money from the online accounts of thousands of consumers at 30 or more major US banks, security firm RSA warned.
In an advisory Thursday, RSA said it has information suggesting the gang plans to unleash a little-known Trojan program to infiltrate computers belonging to US banking customers and to use the hijacked machines to initiate fraudulent wire transfers from their accounts.
If successful, the effort could turn out to be one of the largest organized banking-Trojan operations to date, Mor Ahuvia, cybercrime communications specialist with RSA's FraudAction team, said today. The gang is now recruiting about 100 botmasters, each of whom would be responsible for carrying out Trojan attacks against US banking customers in return for a share of the loot, she said.
Each botmaster will be backed by an "investor" who will provide money to buy the hardware and software needed for the attacks, Ahuvia said.
"This is the first time we are seeing a financially motivated cyber crime operation being orchestrated at this scale," Ahuvia said. "We have seen DDoS attacks and hacking before. But we have never seen it being organized at this scale."
RSA's warning comes at a time when US banks are already on high alert. Over the past two weeks, the online operations of several major banks, including JP Morgan Chase, Bank of America, Citigroup and Wells Fargo were disrupted by what appeared to be coordinated denial-of-service attacks.
A little-known group called "Cyber fighters of Izz ad-din Al qassam" claimed credit for the attacks, but some security experts think a nation may have been behind the campaign because of the scale and organized nature of the attacks.
In mid-September, the Financial Services Information Sharing and Analysis Center (FS-ISAC) warned banks to be on guard against cyberattackers seeking to steal employee network login credentials to conduct extensive wire transfer fraud. Specifically, the alert warned banks to watch out for hackers using spam, phishing emails, Remote Access Trojans and keystroke loggers to try and pry loose bank employee usernames and passwords.
FS-ISAC also noted that the FBI had seen a new trend where cyber criminals use stolen bank employee credentials to transfer hundreds of thousands of dollars from customer accounts to overseas locations.
Over the past few years, cyber crooks have siphoned off millions of dollars from small businesses, school districts and local governments by stealing online usernames and passwords and using those credentials to make the transfers.
The latest discussion suggests that they now have individual consumer accounts in their crosshairs, Ahuvia said, warning that the gang plans to attempt to infiltrate computers in the US with a little known Trojan malware program called Gozi Prinimalka.
The malware is an updated version of a much older banking Trojan, Gozi, which was used by cyber criminals to steal millions of dollars from US banks. The group's plan apparently is to plant the Trojan program on numerous websites and to infect computers when users visit those sites.
The Trojan is triggered when the user of an infected computer types out certain words -- such as the name of a specific bank -- into a URL string.
Unlike the original Gozi, the new version is capable not only of communicating with a central command-and-control server but also of duplicating the victim's PC settings. The Trojan essentially supports a virtual machine cloning feature that can duplicate the infected PC's screen resolutions, cookies, time zone, browser type and version and other settings. That allows the attacker to access a victim's bank website using a computer that appears to have the infected PC's real IP address and other settings, Ahuvia said.
"Impersonated victims' accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank's website," she said in her alert.
Victims of fraudulent wire transfers will not immediately know of the theft because the gang plans on using VoIP flooding software to prevent victims from getting bank notifications on their mobile devices, she added.
Consumers need to ensure that their browsers are properly updated to protect against drive by downloads, she said. They also need to watch for any suspicious behavior or transactions on their accounts.
RSA has also notified US law enforcement and its own FraudAction Global Blocking Network about the threat, she said. Banks, meanwhile, should consider implementing stronger authentication procedures and anomaly detection tools for spotting unusual wire transfers (Computer World, 2012).
Title: Cyber Attacks On Banks Inspire Secret Technocratic Network To Protect Financial
Date: October 12, 2012
Source: Occupy Corporatism
Abstract: Last month, mainstream media reported on the cyber-attacks to our banking institutions that disrupted business and caused havoc for customers. National Security officials stated that although the attacks have begun to subside, they are remaining vigilant.
A nameless, faceless group of alleged Iranian hackers is being blamed for the attacks to JPMorgan Chase, Bank of America (BoA), Wells Fargo, US Bancorp and Citigroup. Initially, the hacker group claimed they were upset by the 14-minute trailer produced by the US government and distributed by Israeli citizen and FBI informant, Sam Bacile. Now their story is changing and Iran is the culprit behind these attacks.
US intelligence fueled by the Joint Chiefs of Staff’s Intelligence Directorate (J-2) claims that Iran has been focusing on schemes to attack the US using a cyber army to target US financial institutions – although this information is derived from a “highly classified” document.
According to Pentagon analysis, “Iran’s cyber aggression should be viewed as a component, alongside efforts like support for terrorism, to the larger covert war Tehran is waging against the west.”
The cyber threat level of these banks has been raised to “high” by the industry.
Senator Joseph Lieberman was quick to point out that he believed the Iranian government was to blame and that “I don’t believe these were just hackers who were skilled enough … to cause a disruption of the websites … of Bank of America and JP Morgan Chase.”
Lieberman continued: “I think this was done by Iran and the Quds Force, which has its own developing cyber attack capacity,” he continued. “And I believe it was in response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”
The US cyber attacks have taken advantage of our vulnerability “which is part of why they are doing it,” Lieberman said. “And it’s a warning to us that if we take action against their nuclear weapons development program that they have the capacity to strike back at us.”
Gholam Reza Jalali, head of Iran’s Civil Defense Organization, denies Iranian involvement. “Iran has not hacked the U.S. banks.”
Frank J. Cilluffo, director of the Homeland Security Policy Institute, told the House Committee on Homeland Security that “the government of Iran and its terrorist proxies are serious concerns in the cyber context. What Iran may lack in capability, it makes up for in intent. They do not need highly sophisticated capabilities – just intent and cash – as there exists an arms bazaar of cyber weapons, allowing Iran to buy or rent the tools they need or seek.”
Thanks to this rhetoric, the White House is actively pursuing a cybersecurity executive order that would not only usurp Congress, but also give the executive branch more over-reaching power to declare law without approval by the citizens of the US.
Confidence in the American banking system is dwindling as the cyber-attacks compound the problem. Keeping the public in the dark about the purpose behind the attacks allows the propaganda surrounding them to become more effective.
Mainstream “experts” claim that Islamic cyber terrorism justifies more stringent cybersecurity measures. Banks like JPMorgan Chase and Bank of America support these controls because they facilitate more secrecy within banking institutions.
A fact that is not reported in the mainstream media readily is that denial of service attacks, as the alleged Islamic cyber army chose to enact, are accomplished without any actual hacking. The ATMs, banking information and data is not stolen or disturbed. Denial of service attacks are a lockout of the customer from the public banking website.
This means that the attacks were designed to play on the ignorance of the public. Using the Hegelian Dialectic, financial institutions in tandem with the mainstream media blow the actual problem out of proportion, stirring the psyche of the public to believe that the situation was worse than it was.
Why wouldn’t hackers destroy documents or actually disrupt banking transactions? Because the scheme was perpetrated by the banking cartels in conjunction with the White House to not only bring about draconian cybersecurity, but also explain how a false flag concerning our banking system will occur in the near future.
Supporting this fake threat are “experts” like Rodney Joffe, senior vice president of the cybersecurity firm Sterling, who said: “The nature of this attack is sophisticated enough or large enough that even the largest of the financial institutions would find it difficult to defend against.”
This style of propaganda keeps the average American in fear that somewhere in the stratosphere there are Islamic extremists waiting to destroy the US. It is the same fear-mongering that occurred just after 9/11 to gain support for the coming “war on terror” – which never seems to end when the terror is state-sponsored.
Verizon Communications has jumped into the mix to assist in investigations into cyber attacks. Verizon, along with the federal government through the authority of the National Cybersecurity and Communications Integration Center (NCCIC) are perfecting control tools.
The “campaign” seeks to identify the nameless, faceless perpetrators and commandeer their computers. More information is considered classified.
At a recent conference last month called the Cybersecurity Summit, influential members of the cyber-world gathered to discuss how they will implement controls on the internet to stop the Islamic cyber army.
The items up for discussion revolved around building infrastructure that “protect” commerce for public and private institutions with regard to cybersecurity. And with technological advances motivating the market, these think-tankers believe that the executive branch of the government must act before it is too late.
Speaking at the conference were:
• Janet Napolitano, secretary of DHS
• Sean McGurk, director of control system security for Verizon
• Paul Nguyen, vice president of cyber solutions for Knowledge Consulting Group
• Dr. Catherine Lotrionte, associate director of law, science and global security at Georgetown University
The banking institutions have decided to join forces to fight the cyber-attacks, along with the federal government so that technological vulnerabilities are identified and eliminated. Morgan Stanley and Goldman Sachs are discussing converging on a shared data center where secret banking information can be kept under wraps so that hackers cannot steal information as well as sound an alarm when other banks are under attack.
This new network of technocrats will privatize customer banking information in the name of security while allowing the banksters to further hide their questionable dealings. Banks across America will be able to communicate in covert means that will never be released to the general public. The days of banking scandals are over because their network will prevent them from being caught (Occupy Corporatism, 2012).
Title: Renews Internet Attacks On U.S. Banks
Date: October 17, 2012
Abstract: Iranian hackers renewed a campaign of cyberattacks against U.S. banks this week, targeting Capital One Financial Corp. and BB&T Corp. and openly defying U.S. warnings to halt, U.S. officials and others involved in the investigation into the attacks said.
The attacks, which disrupted the banks' websites, showed the ability of the Iranian group to sustain its cyberassault on the nation's largest banks for a fifth week, even as it announced its plans to attack in advance.
U.S. officials said the attacks against banks, and others against Middle Eastern energy companies, were sponsored by the Iranian government (WSJ, 2012).
Title: Napolitano: US Financial Institutions 'Actively Under Attack' By Hackers
Date: October 31, 2012
Source: The Hill
Abstract: Homeland Security Secretary Janet Napolitano on Wednesday warned that some of the largest U.S. financial institutions "are actively under attack" from cyber hackers.
While Napolitano sounded the alarm about the attacks at a cybersecurity event hosted by The Washington Post, she declined to provide any details about them.
"Right now, financial institutions are actively under attack. We know that. I'm not giving you any classified information," she said. "I will say this has involved some of our nation's largest institutions. We've also had our stock exchanges attacked over the last [few] years, so we know ... there are vulnerabilities. We're working with them on that."
When asked by Post editor Mary Jordan about whether hackers are stealing information or money from banks, Napolitano answered "yes" and then quickly added, "I really don't want to go into that per se."
"All I want to say is that there are active matters going on with financial institutions," she said.
The public websites of Wells Fargo, Bank of America, JP Morgan Chase and others were hit by a series of denial of service attacks this fall, which made their sites inaccessible to customers. A denial of service attack inundates a Web server with large numbers of page requests until the site fails to load. It does not let the hackers siphon sensitive information from its victim.
After Hurricane Sandy wreaked havoc on the East Coast, Napolitano said people should look no further than the damage caused by the massive storm to understand the need to boost the nation's cybersecurity protections.
"One of the possible areas of attack, of course, is attacks on our nation's control systems — the control systems that operate our utilities, our water plants, our pipelines, our financial institutions," Napolitano said. "If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities."
"The urgency and the immediacy of the cyber problem; the cyberattacks that we are undergoing and continuing to undergo can not be overestimated," she said.
The Department of Homeland Security (DHS) oversees the protection of unclassified computer networks for civilian agencies. The Obama administration has tasked DHS with coordinating cybersecurity efforts between the federal government and private industry.
Napolitano said President Obama has made cybersecurity a priority and invested money into DHS's cyber programs, noting that the department's workforce has increased roughly 600 percent over the last few years. The president has also "constantly asked for double-digit increases in the cyber budget" at the department and it is actively looking to hire more skilled cybersecurity professionals.
The DHS secretary also called for Congress to pass legislation that would help protect the nation's critical infrastructure from cyberattacks and said there may be another attempt during the lame-duck session to pass a bill that failed in the Senate this August. However, Napolitano cautioned that the likelihood of the Senate taking another crack at the bill "probably depends on the outcome of Tuesday's election."
Senate Republicans blocked the bill because they argued it would add additional costs onto businesses and saddle them with new security rules.
She said that "when" President Obama is reelected, "I think he will have to consider an executive order that covers many of the areas that legislation would cover."
Yet she warned that an executive order "is not a complete substitute for legislation" and "there are some things that only legislation can provide," such as liability protection for companies that follow a set of cybersecurity best practices.
Title: Massive Bank Cyberattack Planned
Date: December 13, 2012
Source: CNN Money
Abstract: Security firm McAfee on Thursday released a report warning that a massive cyberattack on 30 U.S. banks has been planned, with the goal of stealing millions of dollars from consumers' bank accounts.
RSA startled the security world with its announcement that a gang of cybercriminals had developed a sophisticated Trojan aimed at funneling money out of bank accounts from Chase (JPM, Fortune 500), Citibank (C, Fortune 500), Wells Fargo (WFC, Fortune 500), eBay (EBAY, Fortune 500) subsidiary PayPal and dozens of other large banks. Known as "Project Blitzkrieg," the plan has been successfully tested on at least 300 guinea pig bank accounts in the United States, and the crime ring had plans to launch its attack in full force in the spring of 2013, according to McAfee, a unit of Intel (INTC, Fortune 500). (McAfee was founded by John McAfee, who is wanted for questioning as part of a Belize murder investigation, but he no longer has any ties to the company.)
Project Blitzkrieg began with a massive cybercriminal recruiting campaign, promising each recruit a share of the stolen funds in exchange for their hacking ability and busywork. With the backing of two Russian cybercriminals, including a prominent cyber mafia leader nicknamed "NSD," the recruits were tasked with infecting U.S. computers with a particular strain of malware, cloning the computers, entering stolen usernames and passwords, and transferring funds out of those users' accounts.
The scheme was fairly innovative. U.S. banks' alarm bells get tripped when customers try to access their accounts from unrecognized computers (particularly overseas), so banks typically require users to answer security questions. Cloning computers lets the cybercriminals appear to the banks as though they are the customers themselves, accessing their accounts from their home PCs -- thereby avoiding the security questions.
And since most banks place transfer limits on accounts, recruiting hundreds of criminals to draw smallish amounts out of thousands of accounts is a way to duck those limits. The thieves could collectively siphon off millions of stolen dollars.
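Two points in the reporting above fit together from the defender's side: RSA's advice (in the Computer World piece) that banks deploy anomaly detection for unusual wire transfers, and the observation here that device cloning defeats per-device checks while spreading small transfers across many accounts ducks per-account limits. A per-account rule alone therefore misses the campaign; the tell is the aggregate, namely one beneficiary collecting from many unrelated accounts in a short window. The following is an added example written for this page, not RSA's or McAfee's detection logic: a small per-account rule set plus a cross-account collection rule run over constructed transfer records. The `Transfer` schema, the "XX" country stand-in and the sample data are assumptions.

```python
import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    """One outbound wire transfer (constructed schema)."""
    ts: int            # unix seconds
    account: str       # originating customer account
    beneficiary: str   # destination account identifier
    amount: float
    country: str       # destination country code; "XX" is a constructed stand-in for "overseas"


def per_account_flags(history, tx, amount_factor=3.0):
    """Rules judged only against the originating account's own history."""
    past = [h for h in history if h.account == tx.account]
    flags = []
    if tx.beneficiary not in {h.beneficiary for h in past}:
        flags.append("new_beneficiary")
    if past and tx.amount > amount_factor * median(h.amount for h in past):
        flags.append("amount_outlier")
    if tx.country not in {h.country for h in past}:
        flags.append("new_country")
    return flags


def mule_collection_flags(transfers, window_s=3600, min_accounts=5):
    """Cross-account rule: beneficiaries that receive from many distinct originating
    accounts inside one time window. Each transfer can stay under the per-account
    limit; only the aggregate shows the pattern. Returns {beneficiary: max accounts}."""
    by_bene = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        by_bene[t.beneficiary].append(t)
    suspicious = {}
    for bene, txs in by_bene.items():
        start = 0
        for end in range(len(txs)):               # sliding window over time-ordered transfers
            while txs[end].ts - txs[start].ts > window_s:
                start += 1
            n = len({t.account for t in txs[start:end + 1]})
            if n >= min_accounts:
                suspicious[bene] = max(suspicious.get(bene, 0), n)
    return suspicious


def build_sample(seed=7):
    """Constructed data: eight accounts with six months of routine domestic transfers,
    then each drained by one modest, domestic transfer to the same new beneficiary."""
    rng = random.Random(seed)
    base = 1_700_000_000
    history, suspect = [], []
    for i in range(8):
        acct = f"ACCT-{i:03d}"
        for m in range(6):
            ts = base - (6 - m) * 30 * 86400 + i * 3 * 86400   # accounts pay on different days
            history.append(Transfer(ts, acct, "RENT-LLC", 1200.0 + rng.randrange(-50, 50), "US"))
            history.append(Transfer(ts + 86400, acct, "UTILITY-CO", 150.0 + rng.randrange(-20, 20), "US"))
        suspect.append(Transfer(base + i * 150, acct, "MULE-017", 900.0, "US"))
    return history, suspect


if __name__ == "__main__":
    history, suspect = build_sample()
    for tx in suspect:
        print(tx.account, per_account_flags(history, tx))      # only "new_beneficiary" each time
    print(mule_collection_flags(history + suspect))             # {'MULE-017': 8}
```

Each drained account trips only the weak `new_beneficiary` rule, which on its own generates too many false positives to block on; the collection rule is what raises the whole set to a reviewable alert. In a real deployment the window, account count and amount factor would be tuned against the institution's own payment mix, and legitimate many-to-one beneficiaries (payroll processors, tax authorities) would need an allowlist.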
As terrifying as that sounds, the fact that the project is out in the open is a huge deterrent. RSA first uncovered the scheme in the fall, and independent security researcher Brian Krebs linked the report to NSD in the following days. Since then, the project appears to have gone dark.
NSD has effectively disappeared from chat forums, Krebs told CNNMoney.
"I can't find him anywhere," Krebs said. "Either bringing this to light scuttled any plans to go forward, or it's still moving ahead cautiously under a much more protective cover."
In either case, knowing what they're up against could be a blessing for banks. McAfee said it is coordinating with law enforcement officials and working with several banks to prepare them for the potential attacks.
The financial industry is accustomed to fending off skilled cyberthieves. It gets hit every day by thousands of attacks on its infrastructure and networks, according to Bill Wansley, a senior vice president at Booz Allen Hamilton who specializes in cybersecurity issues.
Those are just the attacks that get discovered. Not a single financial industry network that Booz Allen examined has been malware-free, he noted.
"If you catch something early on, you can minimize the threat," Wansley said. "It's definitely worthwhile to get a heads up."
For example, in September an Iranian group claiming to be the "Cyber Fighters of Izz ad-Din al-Qassam" announced that it would launch a major denial-of-service attack against the largest U.S. banks. Few took the threat that seriously, but Booz Allen took advantage of the heads-up to work with some of the targeted banks.
What followed was the largest direct denial-of-service attack ever recorded, preventing the public from accessing the websites of Chase, Bank of America (BAC, Fortune 500), Wells Fargo, US Bank (USB, Fortune 500) and PNC Bank (PNC, Fortune 500) -- intermittently for some, and as much as a day for others. The banks that were better prepared were the least affected, he said. (Who actually sponsored the attacks remains a subject of debate. Security experts believe the Iranian government had a hand in them.)
The Cyber Fighters are at it again, declaring that they will be launching attacks on banks' websites this week as part of "Operation Ababil." The banks are preparing.
"Security is core to our mission and safeguarding our customers' information is at the foundation of all we do," said Wells Fargo spokeswoman Sara Hawkins. "We constantly monitor the environment, assess potential threats, and take action as warranted."
"Protecting Citi and its clients from criminal information security threats is a critical priority for us," said a Citigroup spokeswoman. "We have a focused information security strategy and dedicated resources to execute it."
Chase and PayPal did not respond to requests for comment.
Still, the war against cybercriminals isn't going so well for the financial industry. In July, threat detection software maker Lookingglass found that 18 of 24 of the world's largest banks were infected with popular strains of malware that the industry believed had been eradicated, suggesting that banks are prone to re-infections. In June, McAfee uncovered "Operation High Roller" -- a cyberattack that could have stolen as much as $80 million from more than 60 banks.
Since consumers are federally protected from taking the hit when funds are stolen from their accounts, the banks eat the loss. And as the attacks grow more sophisticated, their annual price tag keeps rising.
"There are absolutely attacks going on right now that we don't know about, some of them minor, some major," Wansley said. "There's a lot going on out there, and frankly, we're only seeing the frequency and severity pick up" (CNN Money, 2012).
Title: Iran Denies Responsibility For U.S. Bank Cyber Attacks
Date: January 11, 2013
Source: Fox Business
Abstract: Iran said it was not involved in a long string of cyber attacks that have disrupted the websites of a slew of American national and regional banks since fall of last year. The Islamic Republic also accused the U.S. and Israel of repeatedly attacking its technological infrastructure.
“Iran respects the international law and refrains from targeting other nations' economic or financial institutions,” the country’s mission to the United Nations said in a statement Thursday, according to the semi-official FARS News Agency.
The report from FARS also specifically references the cyber attacks on U.S. financial companies, saying “raising such groundless accusations are aimed at sullying Iran's image and fabricating pretexts to push ahead with and step up illegal actions against the Iranian nation and government.”
Several U.S. media reports, including one Tuesday by the New York Times, have said U.S. government officials believe the attacks could be state-sponsored, potentially originating in Iran. These reports say there is a view among some in the intelligence community that Iran could be lashing out in retaliation for the painful economic sanctions the U.S. and allies have levied in a bid to get the country to drop its nuclear program.
However, security researchers have broadly lacked specific evidence pointing to Iran. FOX Business first reported in October 2012 that the cyber terrorists have taken a new, and more sophisticated, spin on a type of attack that has been used for years against websites.
Essentially, the attackers have compromised batches of Web servers with high levels of Internet connectivity, and use them to flood targeted websites with requests, rendering them either very slow or completely inaccessible to many users. The attackers have also been incredibly quick at changing their methods as defenses have evolved, individuals in the security community have said. Traditionally, hackers have relied on taking over considerably larger numbers of personal computers, which generally doesn’t provide the same horsepower as these new attacks.
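The distinction drawn here, and in the earlier explanations of denial of service on this page (a flood of page requests until the site fails to load, with no data stolen), has a direct consequence for detection: a handful of compromised, well-connected servers shows up in a web server's access log as a few sources with very high request rates, whereas a botnet of home PCs spreads the same load thinly across thousands of addresses. The following is an added example written for this page, not any bank's or vendor's tooling: it parses combined-format access-log lines, computes each client's peak request rate, and measures how concentrated the traffic is among the top sources. The log lines are constructed, using RFC 5737 documentation addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log layout (sample lines are constructed below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": int(ts.timestamp()), "req": m["req"], "status": int(m["status"])}


def peak_rps_by_source(entries, window_s=10):
    """Peak requests per second for each client IP, measured over fixed windows."""
    per_ip = defaultdict(Counter)
    for e in entries:
        per_ip[e["ip"]][e["ts"] // window_s] += 1
    return {ip: max(c.values()) / window_s for ip, c in per_ip.items()}


def flag_flooders(entries, window_s=10, max_rps=5.0):
    """Client IPs whose peak rate exceeds what a human-driven browser session produces."""
    return sorted(ip for ip, rps in peak_rps_by_source(entries, window_s).items() if rps > max_rps)


def source_concentration(entries, top_n=3):
    """Share of all requests coming from the top_n sources. Close to 1.0 means a few
    high-capacity hosts are doing the work; a large botnet spreads load across many."""
    c = Counter(e["ip"] for e in entries)
    return sum(n for _, n in c.most_common(top_n)) / sum(c.values())


def build_sample_log():
    """Constructed log: 30 ordinary clients (two requests each over a minute) and three
    compromised servers each sending 200 requests in ten seconds."""
    t0 = datetime(2012, 9, 19, 14, 0, 0, tzinfo=timezone.utc)

    def line(ip, sec, path):
        ts = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'

    lines = []
    for i in range(30):
        ip = f"192.0.2.{i + 1}"
        lines.append(line(ip, i * 2, "/"))
        lines.append(line(ip, i * 2 + 30, "/login"))
    for j, ip in enumerate(("198.51.100.10", "198.51.100.11", "203.0.113.7")):
        for k in range(200):
            lines.append(line(ip, k // 20, f"/?q={j}{k}"))   # 20 req/s for ten seconds
    return lines


if __name__ == "__main__":
    entries = [e for e in map(parse_line, build_sample_log()) if e]
    print("flooders:", flag_flooders(entries))
    print("top-3 share: %.2f" % source_concentration(entries))
```

A high top-N share is the cue that per-source rate limiting or upstream null-routing of a short list of addresses will help; a low share with the same total load points to a diffuse botnet, where per-source limits do little and capacity or upstream scrubbing is the realistic defense. Rate thresholds must be set per site, since a single busy corporate NAT address can legitimately exceed a naive limit.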
The so-called denial-of-service attacks are difficult to defend against and have hit a wide range of financial institutions, including: J.P. Morgan Chase (JPM), Bank of America (BAC), and Citigroup (C). Smaller regional banks like SunTrust Banks (STI) and PNC Financial Services (PNC) have also come under attack.
The report in FARS also said Iran believes the U.S. was responsible for a handful of attacks against its technological infrastructure. In particular, it referenced one against its Culture Ministry, another against its Oil Ministry and yet another against its Science, Research and Technology Ministry.
These relatively benign attacks come after the U.S. reportedly deployed a worm called Stuxnet that hammered Iran’s nuclear facilities in 2010 (Fox Business, 2013).
Title: Federal Reserve Data Hacked By Anonymous
Date: February 6, 2013
Abstract: Days after the personal information of over 4,000 banking executives was leaked to the Web by a group affiliated with the hacktivist movement Anonymous, the Federal Reserve admits to having suffered an online security breach.
Spokespeople for the Fed alerted customers on Tuesday that private information stored online was compromised during a weekend hack, all but confirming the source for a trove of data published two days earlier by the loose-knit Anonymous collective.
"The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," a spokeswoman for the bank tells Reuters.
Currently, the Fed maintains that the incident was mild in nature, “did not affect critical operations” of the bank and has been resolved. An admission from the Fed does suggest, however, that hackers are capable of compromising data that is presumably well protected.
During Sunday’s Super Bowl, the Twitter account @OpLastResort announced that personal info pertaining to thousands of banking executives had been obtained, and a tweet directing followers to a hacked Alabama Criminal Justice Information Center website linked to the data. Now the Fed says that an emergency notification system was indeed breached, thus compromising private but not necessarily secret user names, phone numbers and other credentials stored on the server.
The exploit, admits the Fed, allowed for the release of user contact data stored within its Emergency Communications System, or ECS, “a system used by the Federal Reserve and state banking departments to notify depository institutions of operational status in the event of natural or other disasters.”
“Information obtained from the registrants consisted of mailing address, business phone, mobile phone, business email and fax. Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised, but nonetheless, have been reset as a precautionary measure,” continues a spokesperson for the St. Louis Fed in a statement first obtained by ZDNet.
A source speaking to ZDNet on condition of anonymity adds, "The banks on the list were not compromised." On the website Reddit, however, one user claims to have called some of the phone numbers published on the Alabama CJIC site and adds some insight into the severity of the breach.
“What must be so problematic for the Federal Reserve is not the information so much as this file was stolen from their computers at all. The ramifications of that kind of loss of control is severe,” Reddit user PericlesMortimer writes.
OpLastResort is an Anonymous faction of sorts that was spawned after last month’s untimely death of Reddit co-founder and computer whiz Aaron Swartz, who committed suicide at age 26 while awaiting trial. The US government was charging Swartz with violating the Computer Fraud and Abuse Act because he allegedly accessed millions of academic and scholarly articles from the website JSTOR without explicit authorization. Swartz was facing decades in prison if convicted, but OpLastResort and similar campaigns have strived in recent weeks to make progress in reforming the CFAA (RT, 2013).
Title: Cyber-Criminals Are Targeting Phones And Bank Info
Date: February 21, 2013
Abstract: As recent high-profile attacks at major companies like Facebook and Apple, major publications like the New York Times and Washington Post and the U.S. government itself have made clear, cyber-crime is a very real and growing concern for everyone.
The latest threat report from security firm McAfee highlights the need for vigilance on mobile devices and a change in how people and companies approach security.
Smartphones and tablets are increasingly hot targets for cyber-criminals, and the volume of mobile threats is growing much faster than it did for PCs. The amount of malware detected by McAfee on the devices in 2012 was 44 times what it was the previous year.
The company estimates that 95% of all mobile malware ever devised has been created in the past year alone, and the vast majority of that is made for the Android operating system.
But McAfee's worldwide chief technology officer, Mike Fey, warns against looking at the number of threats targeting Android and assuming that other platforms are safer. Criminals are targeting the operating system partially because it is so open, and also because they tend to focus on the platform they think will be around the longest.
What makes these portable devices such juicy targets for criminals is that they are rife with personal and financial information. For example, many phones have banking features baked in, and criminals can use "Trojan horse" viruses to milk them dry using SMS services that charge per text.
Malware isn't even the biggest issue for mobile users at the moment, says Fey. Phone owners should be more concerned about visiting a site that will do something malicious on their behalf.
"A huge amount of mischief on the Internet happens without anything being downloaded," said Fey.
It's much easier to execute these kinds of scams on smartphones than on desktop computers. With small screens and pared-down mobile sites, cyber-criminals can create a legitimate-looking banking site and trick the person into entering personal information needed to access an account, such as an account number, password and mother's maiden name.
Many intrusions begin in this type of simple way, often with a bad link in an e-mail or on a social network or a webpage that directs a person to a compromised or malicious site.
"There's a reason why those old-school attacks keep getting used," said Fey. "They work."
The McAfee report found that the volume of suspicious URLs jumped significantly in late 2012, averaging 4.6 million a month. In addition to mimicking sites to phish for information, the links can download malware onto a mobile device.
That software can send private data like passwords back to the attackers, or it can add the computer to a botnet -- a network of infected computers controlled by cyber-criminals.
The software is downloaded so quickly that most people won't even notice. It's no longer the case that a computer will feel sluggish if there's malware installed, points out Fey. Decent malware won't even be noticeable.
Apple and Facebook traced their recent breaches to similar incidents. Employees visited hacked sites for developers that installed malware on their machines. These hacks, along with Twitter's January breach that resulted in 250,000 user accounts possibly being compromised, were the work of Eastern European gangs searching for intellectual property or other information to resell, according to Bloomberg.
A recent report from security company Mandiant described what it believed to be a powerful computer-hacking operation in Shanghai run by the Chinese military. This alleged high-tech espionage targets U.S. companies in an attempt to steal trade secrets. The issue is so serious that the U.S. government released an extensive report on Wednesday that includes instructions for corporations on how to improve their security.
Regular people will not be immune to the problems plaguing corporations and governments, according to Fey. Once these weapons, such as malware, are out in the world, they spread. Attackers can steal the code written by one government and use it to go after other targets.
While the origins of recent attacks have been grabbing headlines, Fey warns against turning all of our attention to the "bad guys" instead of the systemic security issues on the companies' side.
"It's not about who's attacking you, it's about the fact that you're vulnerable," said Fey. He said putting a face on the cyber-criminals "makes it sound like you can go negotiate with an entity to stop them. That's never been the case with cyberattacks."
The current approach of discovering threats, then fighting them, has to change, according to Fey; he called it "a thousand percent unsustainable."
New threats are popping up constantly, creating a never-ending game of security whack-a-mole.
There are new highly sophisticated attacks that insert themselves below the operating system and can steal all a device's data before wiping it clean. Ransomware is on the rise, in which a criminal steals data or takes control of a computer or mobile device, only releasing their hold when they receive payment. A new attack called Blitzkrieg uses phishing schemes to install a Trojan, which monitors web traffic and scrapes banking information in order to transfer money out of the victims' accounts.
In order to address all these threats, Fey said, the industry needs to rethink security from the ground up, designing more secure products from the start instead of just constantly chasing threats.
"We have to take some of the most complex security issues and simplify them into easy-to-solve problems," he said (CNN, 2013).
Title: FBI Probing Whether Political Figures’ Financial Records Were
Date: March 12, 2013
Source: Washington Post
Abstract: The FBI is investigating whether the financial records and other personal information of leading political figures, including Vice President Biden and first lady Michelle Obama, may have been illicitly accessed and published online, according to Justice Department officials.
A Web site posted what appear to be credit reports, banking information, Social Security numbers and addresses for several officials, as well as a number of celebrities. In addition to Biden and Obama, the site purported to have obtained records of Attorney General Eric H. Holder Jr., former secretary of state Hillary Rodham Clinton and FBI Director Robert S. Mueller III.
The Web site used the Internet suffix .su, which suggested that it was based in Russia or a post-Soviet republic.
It was unclear how the documents, if confirmed as authentic, could have been obtained. A Justice Department official, speaking on the condition of anonymity because the investigation is ongoing, said the FBI is trying to determine whether it might be a case of identity theft, hacking or perhaps both.
The White House declined to comment.
Much of the posted material was drawn from credit reports from organizations such as TransUnion and Equifax.
Tim Klein, a spokesman for the credit reporting agency Equifax, said the company was investigating “fraudulent and unauthorized access” to four consumer credit reports and is working closely with law enforcement officials.
“Nothing is more important to us than data security, and we have stringent measures in place for protecting the data entrusted to us,” Equifax said in a statement. “We enable consumers to access their credit reports through a variety of channels, including annualcreditreport.com, which is a free service. In order for a consumer to have access to their credit report through this channel, they must provide Personally Identifiable Information that should be known only to the individual.”
TransUnion did not respond to a request for comment.
To obtain free credit reports, consumers are typically required to answer about five to seven questions that detail information such as the applicant’s monthly mortgage payment, who holds their car loan or the last payment amount on a particular credit card. It is not known how that kind of information was obtained about those whose credit reports were posted.
The Web site that posted the purported records also disclosed what it claims were the records of celebrities including Kim Kardashian, Ashton Kutcher, Arnold Schwarzenegger, Beyonce and Jay-Z.
In what appears to be a separate incident, former secretary of state Colin L. Powell’s Facebook and personal e-mail accounts also were hacked this week.
An unidentified hacker asserted responsibility for the breach in an e-mail sent early Tuesday to dozens of Washington journalists. The e-mail contained 16 images showing screenshots of Powell’s digital correspondence. None of the e-mails between Powell and his acquaintances — dated from 2005 to 2012 — appeared to be particularly revealing.
The images bore the handwritten word “GUCCIFER,” the name used by the hacker who obtained e-mails from the accounts of at least six Bush family members last month.
Powell told The Washington Post that he was aware his account had been breached. “I can confirm that the hacker was able to get into my old e-mails, and I’m taking precautions,” Powell said.
The day before, Powell’s Facebook page was hacked, with an unidentified person posting incendiary messages.
Powell later posted a message on his Facebook wall apologizing for the incident. “I’m sorry you have to see all the stupid, obscene posts that are popping up. Please ignore as we are working with fb to take care of this problem. I appreciate your patience,” he wrote.
Sari Horwitz, Julie Tate and Karen DeYoung contributed to this report (Washington
Title: Hackers Publish CIA Director Brennan's Financial Records
Date: March 15, 2013
Abstract: CIA Director John Brennan is the latest member of the Obama administration to have their personal financial records leaked on the Web.
A credit report alleged to belong to Brennan, one of the newest additions to US President Barack Obama’s official cabinet, was published Friday afternoon on the website Exposed.Su. The site made headlines earlier in the week after it published Social Security Numbers, home addresses and credit reports for a number of influential Americans from both Washington and Hollywood.
The dossier on Brennan is the latest addition to the site and puts him in the company of a handful of other Obama administration officials, including Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder and former Secretary of State Hillary Clinton.
Additionally, Exposed.su has released sensitive information this week allegedly belonging to first lady Michelle Obama, actors Mel Gibson and Tom Cruise and the chief of the Los Angeles Police Department.
The FBI, Secret Service and the LAPD all confirmed that they were investigating the leaks when the website was first discovered earlier in the week. Since then, though, the administrators of Exposed have continued to publish information on celebrities and politicians, all the while eluding the authorities.
The page posted on Friday with information on Mr. Brennan includes what is alleged to be the CIA director’s home address, phone numbers, Social Security Number and a credit report as prepared by the company TransUnion. Earlier in the week, a spokesperson for TransUnion told Forbes that they “immediately launched an investigation” within moments of hearing about the initial leaks.
RT called one telephone number alleged to belong to Mr. Brennan included in the report and was told he was unavailable for comment. RT was told that Mr. Brennan would likely not speak to the media about a "leaked credit report," but was first asked if the phone call concerned a matter related to the government.
The credit report was created on Friday, March 15, and includes information on the director’s past student loans, American Express cards and auto leases, among other details. And if you’re wondering, yes, the head of the Central Intelligence Agency is indeed up-to-date in terms of paying both his Banana Republic and Brooks Brothers cards. His account with retailers Nordstrom, however, is a whole other story (RT, 2013).
Title: Chase Bank Customers Temporarily See '0' Balance
Date: March 18, 2013
Source: ABC 7 News
Abstract: Millions of Chase Bank customers across the U.S. who use online and mobile banking saw their checking and savings accounts with a zero balance on Monday.
The banking giant said the problem was an internal glitch.
"We have a technology problem regarding customers' balance information," Chase said in a statement. "It has nothing to do with cyber threats. It is an internal issue. We are very sorry to our customers for the inconvenience. This began earlier this evening. It is not confined to the West Coast."
The problem lasted a few hours. It was resolved around 7:30 p.m. PT.
Last week, the bank said it was victimized by a "distributed denial of service" attack. Chase websites were replaced with a message that said the system was temporarily down, but mobile apps were still available (ABC 7 News, 2013).
Title: South Korean Banks And Media Report Computer Network Crash, Causing Speculation Of North Korea Cyberattack
Date: March 20, 2013
Source: Fox News
Abstract: A cyberattack caused computer networks at major South Korean banks and top TV broadcasters to crash simultaneously Wednesday, paralyzing bank machines across the country and prompting speculation of North Korean involvement.
Screens went blank at 2 p.m. (0500 GMT), the state-run Korea Information Security Agency said, and more than seven hours later some systems were still down.
Police and South Korean officials couldn't immediately determine responsibility and North Korea's state media made no immediate comments on the shutdown. But some experts suspected a cyberattack orchestrated by Pyongyang. The rivals have exchanged threats amid joint U.S.-South Korean military drills and in the wake of U.N. sanctions meant to punish North Korea over its nuclear test last month.
The network paralysis took place just days after North Korea accused South Korea and the U.S. of staging a cyberattack that shut down its websites for two days last week. Loxley Pacific, the Thailand-based Internet service provider, confirmed the North Korean outage but did not say what caused it.
The South Korean shutdown did not affect government agencies or potential targets such as power plants or transportation systems, and there were no immediate reports that bank customers' records were compromised, but the disruption froze part of the country's commerce.
Some customers were unable to use the debit or credit cards that many rely on more than cash. At one Starbucks in downtown Seoul, customers were asked to pay for their coffee in cash, and lines formed outside disabled bank machines.
Shinhan Bank, a major South Korean lender, reported a two-hour system shutdown, including online banking and automated teller machines. It said networks later came back online and that banking was back to normal. Shinhan said no customer records or accounts were compromised.
Another big bank, Nonghyup, said its system eventually came back online. Officials didn't answer a call seeking details on the safety of customer records. Jeju Bank said some of its branches also reported network shutdowns.
Broadcasters KBS and MBC said their computers went down at 2 p.m., but that the shutdown did not affect TV broadcasts. Computers were still down about seven hours after the shutdown began, according to the state-run Korea Communications Commission, South Korea's telecom regulator.
The YTN cable news channel also said the company's internal computer network was paralyzed. Footage showed workers staring at blank computer screens.
KBS employees said they watched helplessly as files stored on their computers began disappearing.
Last year, North Korea threatened to attack several news companies, including KBS and MBC, over their reports critical of children's festivals in the North.
"It's got to be a hacking attack," said Lim Jong-in, dean of Korea University's Graduate School of Information Security. "Such simultaneous shutdowns cannot be caused by technical glitches."
The Korea Information Security Agency had reported that an image of skulls and a hacking claim had popped up on some of the computers that shut down, but later said those who reported the skulls did not work for the five companies whose computers suffered massive outages. KISA was investigating the skull images as well.
"If it plays out that this was a state-sponsored attack, that's pretty bald faced and definitely an escalation in the tensions between the two countries," said James Barnett, former chief of public safety and homeland security for the U.S. Federal Communications Commission.
An ominous question is what other businesses, in South Korea or elsewhere, may also be in the sights of the attacker, said Barnett, who heads the cybersecurity practice at Washington law firm Venable.
"This needs to be a wake-up call," he said. "This can happen anywhere."
An official at the Korea Communications Commission said investigators speculate that malicious code was spread from company servers that send automatic updates of security software and virus patches.
LG Uplus Corp., which provides network services for the companies that suffered outages, saw no signs of a cyberattack on its networks, company spokesman Lee Jung-hwan said.
The South Korean military raised its cyberattack readiness level but saw no signs of cyberattacks on its networks, the Defense Ministry said.
No government computers were affected, officials said. President Park Geun-hye called for quick efforts to get systems back online, according to her spokeswoman, Kim Haing.
The shutdown raised worries about the overall vulnerability to attacks in South Korea, a world leader in broadband and mobile Internet access. Previous hacking attacks at private companies compromised millions of people's personal data. Past malware attacks also disabled access to government agency websites and destroyed files in personal computers.
Seoul believes North Korea runs an Internet warfare unit aimed at hacking U.S. and South Korean government and military networks to gather information and disrupt service.
Seoul blames North Korean hackers for several cyberattacks in recent years. Pyongyang has either denied or ignored those charges. Hackers operating from IP addresses in China have also been blamed.
In 2011, computer security software maker McAfee Inc. said North Korea or its sympathizers likely were responsible for a cyberattack against South Korean government and banking websites earlier that year. The analysis also said North Korea appeared to be linked to a 2009 massive computer-based attack that brought down U.S. government Internet sites. Pyongyang denied involvement.
"North Korea has almost certainly done similar attacks before," said Tim Junio, a cybersecurity fellow at Stanford University's Center for International Security and Cooperation. "Part of why this wasn't more consequential is probably because South Korea took the first major incident seriously and deployed a bunch of organizational and technical innovations to reduce response time during future North Korea attacks."
South Korea has created a National Cybersecurity Center, a national monitoring sector and a Cyber Command modeled after the U.S. Cyber Command.
"These companies have security monitoring centers getting fed info from all over Korea to help detect incidents quickly and push technical solutions," he said. "They also have formal relationships with the government and sectors within their companies dedicated to national security work, including North Korean malware."
The shutdown comes amid rising rhetoric and threats of attack from Pyongyang over the U.N. sanctions. Washington also expanded sanctions against North Korea this month in a bid to cripple the government's ability to develop its nuclear program.
North Korea has threatened revenge for the sanctions and for ongoing U.S.-South Korean military drills, which the allies describe as routine but which Pyongyang says are rehearsals for invasion.
On Wednesday, North Korean leader Kim Jong Un inspected military drills in which drone planes hit targets and rockets shot down mock enemy cruise missiles. Kim told officers the North should "destroy the enemies without mercy so that not a single man can survive to sign a document of surrender when a battle starts," according to the official Korean Central News Agency.
Last week, North Korea's Committee for the Peaceful Reunification of Korea warned South Korea's "reptile media" that the North was prepared to conduct a "sophisticated strike" on Seoul.
North Korea also has claimed cyberattacks by the U.S. and South Korea. The North's official Korean Central News Agency accused the countries of expanding an aggressive stance against Pyongyang into cyberspace with "intensive and persistent virus attacks."
South Korea denied the allegation and the U.S. military declined to comment.
Lim said he believes hackers in China were likely culprits in the outage in Pyongyang, but that North Korea was probably responsible for Wednesday's attack.
"Hackers attack media companies usually because of a political desire to cause confusion in society," he said. "Political attacks on South Korea come from North Koreans."
Orchestrating the mass shutdown of the networks of major companies would have taken at least one to six months of planning and coordination, said Kwon Seok-chul, chief executive officer of Seoul-based cybersecurity firm Cuvepia Inc.
Kwon, who analyzed personal computers at one of the three broadcasters shut down Wednesday, said he hasn't yet seen signs that the malware was distributed by North Korea.
"But hackers left indications in computer files that mean this could be the first of many attacks," he said.
Lim said tracking the source of the outage would take months (Fox News, 2013).
Title: South Korea Blames The North For Cyberattacks That Hit Banks, Broadcasters
Date: April 10, 2013
Abstract: South Korea accused North Korea Wednesday of carrying out a wave of cyberattacks that paralyzed the networks of major South Korean banks and broadcasters last month.
An official investigation found that many of the malignant codes employed in the attacks were similar to ones used by the North previously, said Lee Seung-won, an official at the South Korean science ministry.
Although some observers said at the time of the computer crashes that they suspected North Korean involvement, this is the first time that Seoul has formally pointed the finger at Pyongyang.
The allegations coincide with a tense situation on the Korean Peninsula, with the North making repeated threats of war. South Korean and U.S. officials have warned that a North Korean missile test could take place at any moment.
South Korea believes North Korea had spent at least eight months preparing for the cyberattacks, which also affected hundreds of individual citizens' computers and websites that cover North Korea, Lee said at a news briefing Wednesday.
There didn't appear to be any immediate reaction on North Korean state-run media to the South Korean accusations.
The main hacking attack took place on March 20, hitting more than 48,000 computers at the South Korean banks and broadcasters, authorities said.
It infected the companies' computer networks with a malicious program, or malware, that slowed or shut down systems.
The South's investigation found evidence including IP addresses and other elements used in the cyberattacks that it said proved North Korean responsibility.
The hackers routed the attacks through more than 10 different countries, Lee said.
South Korea has accused the North of similar hacking attacks before, including incidents in 2010 and 2012 that also targeted banks and media organizations. Pyongyang has rejected the allegations (CNN, 2013).
Title: Stocks Gyrate Wildly After Fake
Date: April 23, 2013
Source: USA Today
Abstract: A fake tweet with terror overtones caused financial markets to gyrate wildly for a few minutes this afternoon, the latest reminder of how technical snafus and terrorism fears can still move markets in a heartbeat.
The Dow Jones industrial average was cruising along Tuesday, up more than 150 points, before briefly plunging and then rebounding around 1:07 p.m. EST after a fake tweet on the Associated Press' Twitter site reported that two bombs had gone off at the White House and injured President Obama.
The Dow dropped nearly 143 points in a three-minute span from 1:07 p.m. ET to 1:10 p.m. ET. It plunged from 14,698.25 to 14,555.96 in that short span. But the Dow had regained all of its losses by 1:17 p.m. ET, once the AP noted on its website that its Twitter account had been hacked and that the report was untrue. The White House also confirmed that the tweet was a hoax.
The sharp drop was reminiscent of the "Flash Crash" on May 6, 2010, when the Dow tumbled almost 1,000 points in a matter of minutes due to computers-gone-wild.
Gary Kaltbaum, president of Kaltbaum Capital Management, watched the Dow's rapid plunge on his trading station. His first thought was that the market only goes down this fast if something terrible has happened.
"My exact words were, 'Who is getting bombed? And what the heck is going on?'" he recalled, adding that he quickly accessed Twitter to try to find out what had moved the market and saw the phony tweet with his own eyes. He wondered if it could really be true. "I was thinking, is it possible" that the White House has been bombed?
The market's move had financial consequences for those traders or investors who had downside stops, or pre-arranged sell orders that are triggered if a stock, stock index or futures contract fell to a certain level. "Some people lost money on that move," says Kaltbaum.
He cited a hypothetical example of how an investor in Citigroup stock could lose money. Prior to the fake tweet, Citi shares were trading at $46.49 and then quickly plunged to $45.88 before rebounding to $46.47. If an investor had a stop, or sell order at, say $45.90, that investor would have been sold out of his position and missed the rebound to $46.47 and suffered a loss of 1.2%. On the other end, if people had a buy in at lower levels and the auto buy kicked in when the market dropped, they could then sell on the rebound and would have made 1.2%.
It is unclear whether trades caused by the phony tweet will stand. Both the New York Stock Exchange and the Securities and Exchange Commission declined to comment.
"Whoever did it wanted the maximum effect, and he got it until the tweet was proved to be a dupe," says Kaltbaum.
The market's zany and unexpected plunge and recovery was the latest reminder of how quickly the market can move in an investment world driven by computers that transact trades in nanoseconds. It also shows just how jittery Wall Street is when it comes to terror attacks.
Jeffrey Kleintop, chief market strategist at LPL Financial, responded to the market's quick drop due to the hacker's false tweet on the AP's Twitter account with his own tweet that said: "Fake press releases have temporarily hit trading in individual stocks for years. With Twitter comes the ability to PR bomb the whole market."
Citing a facsimile of the false tweet, CNBC reported that the tweet stated:
"Breaking: 2 explosions in White House and Barack Obama injured" (USA Today, 2013).
Title: In Hours, Thieves Took $45 Million In A.T.M. Scheme
Date: May 9, 2013
Abstract: It was a brazen bank heist, but a 21st-century version in which the criminals never wore ski masks, threatened a teller or set foot in a vault.
Photo caption: Elvis Rafael Rodriguez, left, and Emir Yasser Yeje, two of those charged in Brooklyn on Thursday, posed in March with approximately $40,000 in cash that the authorities say they were laundering.
In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of A.T.M.'s in a matter of hours.
In New York City alone, the thieves responsible for A.T.M. withdrawals struck 2,904 machines over 10 hours starting on Feb. 19, withdrawing $2.4 million.
The operation included sophisticated computer experts operating in the shadowy world of Internet hacking, manipulating financial information with the stroke of a few keys, as well as common street criminals, who used that information to loot the automated teller machines.
The first to be caught was a street crew operating in New York, their pictures captured as, prosecutors said, they traveled the city withdrawing money and stuffing backpacks with cash.
On Thursday, federal prosecutors in Brooklyn unsealed an indictment charging eight men — including their suspected ringleader, who was found dead in the Dominican Republic last month. The indictment and criminal complaints in the case offer a glimpse into what the authorities said was one of the most sophisticated and effective cybercrime attacks ever uncovered.
It was, prosecutors said, one of the largest heists in New York City history, rivaling the 1978 Lufthansa robbery, which inspired a scene in the movie “Goodfellas.”
Beyond the sheer amount of money involved, law enforcement officials said, the thefts underscored the vulnerability of financial institutions around the world to clever criminals working to stay a step ahead of the latest technologies designed to thwart them.
“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” said Loretta E. Lynch, the United States attorney in Brooklyn. “Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of A.T.M.'s in a matter of hours.”
The indictment outlined how the criminals were able to steal data from banks, relay that information to a far-flung network of so-called cashing crews, and then have the stolen money laundered in purchases of luxury items like Rolex watches and expensive cars.
In the first operation, hackers infiltrated the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. Such companies are attractive to cybercriminals because they are considered less secure than financial institutions, computer security experts say.
The hackers, who are not named in the indictment, then raised the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RakBank, which is in United Arab Emirates.
Once the withdrawal limits have been eliminated, “even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution,” the indictment states. And by using prepaid cards, the thieves were able to take money without draining the bank accounts of individuals, which might have set off alarms more quickly.
With five account numbers in hand, the hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards. On Dec. 21, the cashing crews made 4,500 A.T.M. transactions worldwide, stealing $5 million, according to the indictment.
While the street crews were taking money out of bank machines, the computer experts were watching the financial transactions from afar, ensuring that they would not be shortchanged on their cut, according to court documents.
MasterCard alerted the Secret Service to the activity soon after the transactions were completed, said a law enforcement official, who declined to be identified discussing a continuing investigation.
Robert D. Rodriguez, a special agent with the Secret Service for 22 years and now the chairman of Security Innovation Network, said that in some ways the crime was as old as money itself: bad guys trying to find weaknesses in a system and exploiting that weakness.
“The difference today is that the dynamics of the Internet and cyberspace are so fast that we have a hard time staying ahead of the adversary,” he said. And because these crimes are global, he said, even when the authorities figure out who is behind them they might not be able to arrest them or persuade another law enforcement agency to take action.
After pulling off the December theft, the organization grew bolder, and two months later it struck again — this time nabbing $40 million.
On Feb. 19, cashing crews were in place at A.T.M.'s across Manhattan and in two dozen other countries waiting for word to spring into action.
This time, the hackers had infiltrated a credit-card processing company based in the United States that also handles Visa and MasterCard prepaid debit cards. Prosecutors did not disclose the company’s name.
After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion. Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours. In New York City, a team of eight people made 2,904 withdrawals, stealing $2.4 million.
Surveillance photos of one suspect at various A.T.M.'s showed the man’s backpack getting heavier and heavier, Ms. Lynch said, comparing the series of thefts to the caper at the center of the movie “Ocean’s Eleven.”
While the New York crew had a productive spree, the crews in Japan seem to have been the most successful, stealing around $10 million, probably because some banks in Japan allow withdrawals of as much as $10,000 from a single bank machine.
“The significance here is they are manipulating the financial system to be able to change these balance limits and withdrawal limits,” said Kim Peretti, a former prosecutor in the computer crime division of the Justice Department who is now a partner in the law firm Alston & Bird. “When you have a scheme like this, where the system can be manipulated to quickly get access to millions of dollars that in some sense did not exist before, it could be a systemic risk to our financial system.”
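The two operations above share a signature that an issuer, processor or card network could look for while a cash-out is still running: a withdrawal cap on a small number of prepaid accounts is lifted, and those same accounts then produce hundreds or thousands of A.T.M. authorizations across many countries within hours. The following is an added example, not code from the article or from any bank, processor or card network named in it. It models those two signals over constructed sample data; the account tokens, timestamps, thresholds (a cap raised more than threefold, at least ten withdrawals in at least three countries inside a ten-hour window) and the record formats are all assumptions chosen for illustration.

```python
"""
Detection logic for an "unlimited operation" cash-out pattern (added example).

Signal 1: a per-account withdrawal cap is removed or raised far above its baseline.
Signal 2: the account then generates a dense burst of A.T.M. withdrawals spread
          over several countries.
Accounts showing both are the highest-priority alerts. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    account: str       # tokenised account id (constructed; not a real card number)
    ts: datetime
    country: str       # ISO country code of the A.T.M.
    amount: float


@dataclass(frozen=True)
class LimitChange:
    account: str
    ts: datetime
    old_limit: float   # per-day withdrawal cap before the change
    new_limit: float   # cap after the change; float("inf") means "unlimited"


def suspicious_limit_changes(changes, max_ratio=3.0):
    """Flag changes that remove the cap or raise it by more than max_ratio (assumed threshold)."""
    return [c for c in changes
            if c.new_limit == float("inf")
            or (c.old_limit > 0 and c.new_limit / c.old_limit > max_ratio)]


def cashout_bursts(withdrawals, window=timedelta(hours=10), min_txns=10, min_countries=3):
    """Per account, scan a sliding time window and flag the densest one that has at
    least min_txns withdrawals spread over at least min_countries (assumed thresholds)."""
    by_acct = defaultdict(list)
    for w in withdrawals:
        by_acct[w.account].append(w)
    flagged = {}
    for acct, ws in by_acct.items():
        ws.sort(key=lambda w: w.ts)
        best = None
        start = 0
        for end in range(len(ws)):
            while ws[end].ts - ws[start].ts > window:   # shrink window from the left
                start += 1
            span = ws[start:end + 1]
            countries = {w.country for w in span}
            if len(span) >= min_txns and len(countries) >= min_countries:
                cand = (len(span), len(countries), sum(w.amount for w in span))
                if best is None or cand > best:
                    best = cand
        if best:
            flagged[acct] = {"txns": best[0], "countries": best[1], "total": best[2]}
    return flagged


def correlate(limit_flags, burst_flags):
    """Accounts whose cap was lifted and which then cashed out: highest priority."""
    lifted = {c.account for c in limit_flags}
    return sorted(lifted & set(burst_flags))


# Constructed sample data: one cashed-out account, one ordinary account, one routine cap change.
T0 = datetime(2013, 2, 19, 14, 0)
SAMPLE_LIMIT_CHANGES = [
    LimitChange("tok-0001", T0, 500.0, float("inf")),   # cap removed entirely
    LimitChange("tok-0003", T0, 500.0, 1000.0),         # doubled: below the assumed ratio
]
SAMPLE_WITHDRAWALS = (
    [Withdrawal("tok-0001", T0 + timedelta(hours=1, minutes=30 * i),
                ["US", "JP", "DE", "GB"][i % 4], 1000.0) for i in range(12)]
    + [Withdrawal("tok-0002", T0 + timedelta(hours=2), "US", 60.0),
       Withdrawal("tok-0002", T0 + timedelta(days=1), "US", 40.0)]
    + [Withdrawal("tok-0003", T0 + timedelta(hours=3, minutes=10 * i), "US", 200.0)
       for i in range(3)]
)


def run(changes=SAMPLE_LIMIT_CHANGES, withdrawals=SAMPLE_WITHDRAWALS):
    """Run both detectors and correlate them; returns a dict of findings."""
    lifted = suspicious_limit_changes(changes)
    bursts = cashout_bursts(withdrawals)
    return {"lifted": [c.account for c in lifted],
            "bursts": bursts,
            "priority": correlate(lifted, bursts)}


if __name__ == "__main__":
    print(run())
```

The point of the correlation step is the gap the article describes: the limit change happens at the processor, the withdrawals are authorized through the card network, and MasterCard's alert came only after the transactions were complete. Either signal alone is noisy (caps are raised legitimately; travellers withdraw abroad), but a cap lifted on a prepaid account followed within hours by a multi-country burst is the pattern of this scheme, and it is visible to whichever party can see both event streams.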
It was unclear to whom the hacked accounts belonged, and who might ultimately be responsible for the losses.
The indictment suggests a far-reaching operation, but there were few details about the people responsible for conducting the hacking or who might be leading the global operation. Law enforcement agencies in more than a dozen countries are still investigating, according to federal prosecutors. The authorities said the leader of the New York cashing crew was Alberto Lajud-Peña, 23, whose body was found in the Dominican Republic late last month. Seven other people were charged with conspiracy to commit “access device fraud” and money laundering.
The prosecutors said they were all American citizens and were based in Yonkers. The age of one defendant was given as 35; the others were all said to be 22 to 24. Mr. Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said.
On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched.
Correction: May 11, 2013
An article on Friday about a sophisticated hacking crime in which $45 million was stolen from bank A.T.M.’s within hours misspelled, in some editions, the surname of a former prosecutor in the computer crime division of the Justice Department who commented on the case. She is Kim Peretti, not Paretti. The article also overstated the connection between the movie “Goodfellas” and the Lufthansa robbery in 1978, to which the A.T.M. case was compared. The Lufthansa robbery was only a plotline in the film; the movie itself was based on the book “Wise Guy,” written by Nicholas Pileggi, about the mobster Henry Hill (NYT, 2013).
Title: Cyber-Attacks Behind Possibly Record-Breaking Bank Heist
Date: May 9, 2013
Abstract: It may be the largest bank robbery in history: A crime ring is accused of stealing $45 million from financial institutions from around the world.
But these criminals weren't wearing masks or waving guns. They were armed with computers.
The case by the U.S. Secret Service is being prosecuted by the U.S. attorney for the Eastern District of New York in Brooklyn, Loretta Lynch. Seven alleged members of the New York cell of this global cyber-crime operation have been arrested, CBS News senior correspondent John Miller reported on "CBS This Morning."
Miller, a former FBI assistant director, reported, "We've learned how they carried out this cyber-attack, and it's unlike anything ever seen before."
They call it the "unlimited operation," in which its associates - hundreds of them - were spread all over the world, and they targeted at least 26 countries. They struck twice, first in December, when they hacked into an Indian bank, and then withdrew money from ATMs all over the world, totaling $5 million. The second strike occurred in February. The hack targeted a Visa and MasterCard processor in the U.S. The loss this time totaled approximately $40 million.
Miller explained, "You know, this is- if you're a criminal, this is a gorgeous scheme. If you are a bank, this is your worst nightmare. And if you're a prosecutor like Loretta Lynch or the Secret Service agents involved in this case, it's a great caper, in terms of the case, but you realize you're just at the tip of the iceberg.
"What you have here is you've got backers. These are people who have got big money who are paying people to break into the bank systems, get the PIN numbers of debit card accounts and so on - those are the hackers. So the backers pay the hackers. Then you go to the cashers, and the cashers- once the backers have paid the hackers they've broken through, they've now gotten the PIN codes and they've raised the limits on the accounts to be unlimited for withdrawal, the cashers go out. When they get the PIN numbers and the signals on their smartphones, they're told 'go.' In the case in New York, the New York cell went up and down Broadway and in the course of two hours took $2.8 million out of ATMs from 116th Street to 23rd Street in a line."
The New York cell probably contained a dozen people, Miller said, adding, "But remember, there's 26 countries with a dozen people in each one of those countries who now have the codes and keep banging the machines until the machine runs out of money."
And this may be just the beginning, Miller said. "What you've got is surgical precision by the hackers to actually get through the bank firewalls, get administrative rights in their system, raise the limits. You've got the global nature of the organization, which is, you know, it may be based in the Middle East. Those are the kinds of banks they're targeting. But certainly they've got a global network of trusted associates who can do this. And, of course, the speed and coordination of the attacks. By the time it's almost over is when the bank is just figuring it out." (CBS, 2013).
Title: Wall Street Goes To War With Hackers In Quantum Dawn 2 Simulation
Date: June 13, 2013
Abstract: Quantum Dawn 2 is coming to Wall Street.
No, it’s not a video game or a bad zombie movie; it’s a simulated cyber attack to prepare banks, brokerages and exchanges for what has become an ever-bigger risk to their earnings and operations.
Organized by the trade group SIFMA, Quantum Dawn 2 will take place on June 28 – a summer Friday that, with any luck, will be a relatively quiet day in the real markets. The drill involves not just big Wall Street firms like Citigroup and Bank of America, but the Department of Homeland Security, the Treasury Department, the Federal Reserve and the Securities and Exchange Commission, according to SIFMA officials.
“We go through a pretty rigorous scenario where we look at multiple threats being thrown out at the U.S. equity markets,” said Karl Schimmeck, vice president of financial services operations at SIFMA.
During the exercise, which runs from 9 a.m. to 2:30 p.m. in New York, participants will receive blasts of vague and confusing information about what appears to be a hacker attack on fake trading and information platforms that are not plugged into actual markets. The participants may see “latency,” or unusual slowness, in trading, or viruses trying to invade the systems. They will also have to call one another to figure out what’s going on.
Then the Quantum Dawn drill will pause to allow executives to make decisions: should they slow down trading? Use different routing mechanisms to exchanges to get orders filled but avoid threats? When the process begins again, it will fast forward in “warp speed” to a new situation later in the day where conditions have worsened or changed.
“Our SIFMA command center at some point will run an escalation process,” said Schimmeck, an ex-Marine. “Our members will say, ‘We think we see a threat out there, this is something multiple firms are dealing with.’ We will facilitate a conference call where we share what we know, have our regulators participate and see if we can understand a threat, deal with a threat and then do a shared analysis so that no one is working on their own.”
It’s a rare situation, he said, in which fierce rivals are not trying to get a competitive edge – they’re trying to help one another survive.
About 40 firms will participate in the operation, having paid fees of $1,000, $5,000 or $10,000 depending on the size of their revenue. Each firm must send three executives: one from business continuity, one from information security, another from operations whose job is to keep trading, settlement and clearance running during market crises. A firm called Cyber Strategies, which works with the Department of Homeland Security on cyber threats, will receive the fees for overseeing the exercise.
As Quantum Dawn 2’s name indicates, this isn’t the first time that Wall Street firms have done this kind of drill. In November 2011, SIFMA organized the first Quantum Dawn, which was perhaps an even more interesting simulation.
“For Quantum Dawn 1, there was a cyber attack coordinated with armed gunmen running around Lower Manhattan, trying to gain entry to the exchanges and really just try to blow things up,” said Schimmeck.
In that operation, participants were all in one central location at a conference table, comparing notes and making decisions as they learned about various threats. In Quantum Dawn 2, they will all be stationed at their own offices, communicating with one another through emails and phone calls as they do in real life. A SIFMA marketing document says this drill will try to instill “greater ‘uncertainty’ and ‘fog of war’ for all players.”
These drills have become more important for Wall Street as financial firms have faced more frequent and sophisticated attacks on their networks. A couple of months ago, the FBI gave security clearances to dozens of bank executives to inform them about organized attacks against their systems.
Some attacks are evident, like distributed denial of service, or DDoS, attacks that shut down bank web sites or otherwise disrupt their operations. But even more nefarious are hidden bugs that hackers try to install in banks’ proprietary systems without their knowledge, said Schimmeck. The hackers then lie in wait for vulnerable moments – like a natural disaster or market disruption – to attack. One mystery about Quantum Dawn remains: who came up with the name, and what does it mean? Schimmeck, who joined SIFMA from Goldman Sachs after the project’s inception, said he gets asked all the time but has no idea (Reuters, 2013).