'Operation High Roller' bank hack nets cybercriminals £48 million
Posted on 06/26/2012 4:19:22 PM PDT by Kartographer
A global fraud ring that has been targeting high net-worth businesses and individuals has netted the criminals an estimated €60 million (£48 million).
According to McAfee and Guardian Analytics, which today issued a report on the fraud, "Dissecting Operation High Roller," the attacks, first identified this winter, have hit 60 or more institutions, and the total amount stolen may in fact be much higher.
The two security firms say they have tracked "at least a dozen groups" that are relying on "server-side components and heavy automation" with about 60 servers processing thousands of attempted thefts from commercial accounts and the rich. This appears to be happening mainly in the European Union countries, though there's also evidence of it in Latin America and the US. These attacks are said to differ from the known malware-based SpyEye and Zeus attacks in that they are far more automated and usually done without human intervention.
(Excerpt) Read more at news.techworld.com ...
Spreading to America per McAfee:
How the high-tech mantra of automation and innovation helps a multi-tiered global fraud ring target high net worth businesses and individuals. Building on established Zeus and SpyEye tactics, this ring adds many breakthroughs: bypasses for physical multi-factor authentication, automated mule account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as €100,000 ($130,000 USD). Where Europe has been the primary target for this and other financial fraud rings in the past, our research found the thefts spreading outside Europe, including the United States and Colombia.
SHTF Plan Story on the hack with a link to Sky News Video Story:
The article doesn’t say how they are doing it, but it looks like they’re getting a rootkit onto one of the bank's computers, then getting whatever credentials the banker uses to authenticate transactions, scanning for the high value accounts and, using the banker's credentials, transferring the loot out of country and eventually to some mobster's account in Russia.
There are automated tools available on the internet and some good YouTube training videos on how you can set up what’s known as a botnet that can be used for all sorts of bad things. This just looks like they’ve figured out how to fully automate the process so I would assume that means that most banks use the same software (or a limited set) for financial transactions, otherwise this would be tough to automate.
You would think that the IT departments at most of these places would be as good as you could afford, but I imagine the bankers had to cut somewhere to keep those bonuses flowing. Not to worry though, you the taxpayer will make good on all the losses.
The big banks I’ve worked with have better security than the US govt does. That said, it's very difficult to get every vulnerability in every system.
American banks generally take security far more seriously than banks elsewhere.
We had a customer that had a server hacked, with a phishing site created on one of their web servers. It appeared to be an automated attack which leveraged a vulnerability in WordPress. From there they were able to install several other files on the server. It was stopped before they could do anything else, but we found other vulnerabilities which would have allowed them to gain access to most of the network.
This was on a Linux server and they didn’t even need root to do this. It was all done through application software which hadn’t been properly patched.
OK, I read the McAfee pdf on the attack. The banks weren’t compromised (thank God, otherwise I’d never get any sleep at night). They did a standard spear phishing attack on the customer's side, rootkitted them and then did a man in the middle attack on the smart card for the European customers and various attack methods on the US customers. Not anything blazingly new, just very automated and sophisticated; I am impressed.
As far as your comment on the US government versus the banks, I can believe that for most of the US government, but there are some parts that are very much ahead of the banking system. That said, most of the government is doing a much better job than they used to and certainly much better than the private sector. There is a world of difference between the security at my workplace and at my customer's site (which is part of the US government).
“... It was all done through application software which hadn’t been properly patched.”
That’s always the killer: if you don’t keep up with the security patches, you’re dead meat.