Thursday, November 12, 2009

Four Indicted In $9 Million RBS WorldPay Hack - informationweek.com - 11 Nov 09

One of the most sophisticated computer hacking rings in the world has been broken, claims Acting U.S. Attorney Sally Quillian Yates.

Four men were indicted on Tuesday for allegedly hacking into Atlanta, Ga.-based payment processor RBS WorldPay and stealing over $9 million from ATMs around the globe.

A federal grand jury returned indictments against Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person identified only as "Hacker 3."

A year ago, RBS WorldPay, owned by the Royal Bank of Scotland, was hacked in what Acting U.S. Attorney Sally Quillian Yates described as "perhaps the most sophisticated and organized computer fraud attack ever conducted."

On December 23, 2008, the company announced that on November 10 of that year, it had discovered "its computer system had been improperly accessed by an unauthorized party."

RBS WorldPay, which processes credit and debit transactions for other financial companies, said that certain personal information for 1.5 million cardholders and other individuals may have been affected and that as many as 1.1 million of these people may have had their social security numbers accessed.

According to the indictment, the alleged fraud arising from the incident involved far less information -- 44 payroll debit cards.

The indictment says that Covelin identified the vulnerability in RBS WorldPay's network that allowed the hackers to get in and that Pleshchuk and Tsurikov "developed a method by which the conspirators reverse engineered Personal Identification Numbers (PINs) from the encrypted data on the RBS WorldPay computer network."

The defendants were then able to raise the withdrawal limits on RBS WorldPay's prepaid payroll cards, which are linked to accounts that receive direct deposit payments for employees.

On or about November 8, 2008, the group allegedly coordinated a distributed series of ATM withdrawals during a twelve-hour period "at over 2,100 ATMs located in at least 280 cities around the world, including in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada."

Over $9 million was stolen and the "cashers" -- associates who carried out the actual cash withdrawals -- were allowed to keep between 30% and 50% of the amount they withdrew, with the remainder being wired back to the hackers.

Having access to the RBS WorldPay network, Pleshchuk and Tsurikov allegedly monitored the withdrawals and then attempted to cover their tracks by destroying data on the network.

If convicted, the four men face up to 20 years in prison for wire fraud charges; up to five years in prison for conspiracy to commit computer fraud; as many as 10 years in prison for each count of computer fraud; a two-year mandatory minimum sentence for aggravated identity theft; and fines of up to $3.5 million, according to the U.S. Department of Justice.

By Thomas Claburn

Wednesday, October 28, 2009

Hackers grab data from Swiss foreign ministry - computerweekly.com - 27 Oct 09

Hackers have broken into the Swiss foreign ministry's computer system in an attempt to steal data, forcing parts of it to be shut down for several days.

The "professional virus attack" allowed outsiders to access the computer system to obtain information, the ministry said, but it gave no details on the nature or extent of the breach.

The "well hidden" software used to carry out the data breach was discovered by government and Microsoft technicians on Thursday last week, according to reports.

"In concrete terms, foreign ministry staff cannot use the internet for the time being but can use the internal network," a spokesman said.

The Swiss Finance Ministry and Interior Ministry also experienced computer problems last week, but no link has been established between the three incidents.

By Warwick Ashford

Guardian jobs site hacked, 500,000 records stolen - information-age.com - 26 Oct 09

The details of over half a million jobseekers were stolen by hackers who are believed to have compromised the Guardian's job listing website.

The Guardian’s job website has notified nearly half a million of its users that their personal details are at risk following a “deliberate and sophisticated” criminal data breach, “of which the Guardian is a victim in addition to some of our users.”

The incident is currently being investigated by the Police Central e-crime unit and details are scarce. However, the company that built the media group’s job board software, Madgex, said the system was now secure.

The information compromised represents a potential goldmine to an identity fraudster. While the stolen records are only a small proportion of the 10 million unique users who access the site each year, the details contained in CVs – names, dates of birth, addresses and work and education history – are more than enough to begin the hijacking process.

Unusually, considering the reaction to similar incidents by other companies, the Guardian made no offer of identity theft support services in its letter to those customers compromised, instead suggesting users have a notice placed on their credit file indicating they are at risk of identity fraud.

“We would like to assure you that we are absolutely committed to protecting the privacy of our users and we are treating this situation with the utmost seriousness,” the company said in a statement.

Hackers also stole details from jobseeker site Monster.co.uk in January this year, including usernames, passwords, telephone numbers and email addresses, although the company said no CVs were compromised.

By JJ Robinson

FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms - voices.washingtonpost.com -

Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week.

According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams. When the mules pull the cash out of their accounts, they are instructed to wire it (minus a small commission) via services such as MoneyGram and Western Union, typically to organized criminal groups operating in countries like Moldova, Russia and Ukraine.

Steve Chabinsky, deputy assistant director of the FBI's Cyber Division, said criminals involved in these online account takeovers have attempted to steal at least $85 million from mostly small and medium-sized businesses, and have successfully made off with about $40 million of that money.

Normally, the FBI isn't eager to discuss losses, or even acknowledge the existence of specific cases. What's more, the agency is keen to avoid making any statements that might spook consumers or businesses away from online banking. But Chabinsky said the FBI is taking the unusual step of floating financial loss figures in order to grab the attention of those most at risk so they can adopt safeguards.

"We don't believe there's cause for a crisis of confidence in online banking, but we want to make sure we message this early before this becomes a much larger problem," Chabinsky told Security Fix in an interview Wednesday. "Our concern is that these numbers will grow if we don't educate people now to take precautions, and if we could nip some of this in the bud, not only will it lessen the problem, but it will serve as a deterrent to the extent the bad guys see this as an easy way to make money."

The FBI said the $40 million loss figure stems from some 205 cases that date back to 2004, though it declined to offer a year-by-year breakdown of those cases. Several bank fraud experts interviewed for this story said they were aware of very few reports of this type of cyber crime before the latter half of 2008.

"There may have been a handful of cases of this specific type of crime before 2009, but attacks like this and in this volume really only picked up toward the end of last year," said Rayleen Pirnie, senior manager for fraud and risk mitigation at EPCOR, a not-for-profit association that offers payment risk management education and training to financial institutions.

Companies that bank online enjoy few of the protections afforded to consumers. Individuals who have their online bank account cleaned out because of a password-stealing computer virus usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Businesses often are not so lucky and must take losses.

Chabinsky said businesses can insulate themselves from this type of fraud by doing their online banking from a dedicated, locked-down computer that is not used for everyday Web browsing or e-mail. That's because the malicious software that thieves use to steal online banking user names and passwords typically is installed when the recipient of a spam e-mail opens a poisoned attachment or clicks a link that leads to a booby-trapped Web site.

"What we're seeing is a trend towards [fraudsters] taking advantage of the weak link in the banking process, which is the customer," Chabinsky said.

While the biggest source of the vulnerability may reside on the customer's end, some fraud experts believe the perpetrators of this type of cyber crime are merely gravitating toward less obvious weaknesses in the commercial online banking system.

Avivah Litan, a financial fraud analyst with Gartner Inc., said many of the largest banks have taken a page from the credit card companies, investing heavily in anti-fraud solutions that look for transaction anomalies and other activity that may indicate a customer's account has been compromised.

But Litan said many companies being victimized by this type of crime bank at small and regional financial institutions that do not have fraud pattern detection technologies in place. Rather, she said, these institutions are relying on additional layers of customer protections, such as security tokens - approaches that can easily be subverted when the customer's computer is under control of the thieves.

"Many [commercial] institutions aren't even looking at new anti-fraud technologies because they don't take the direct loss when their business customers get hit," Litan said. "Banks may be worried about the reputation loss from these kinds of incidents, but so far these attacks aren't widespread knowledge."

Last week, I wrote about Genlabs Corp., a Chino, Calif., chemical manufacturing firm that lost $437,000 last month after thieves broke into the company's bank account and sent transfers to roughly 50 different money mules. The attackers succeeded despite the fact that the company's bank -- California Bank & Trust -- requires the user to enter their password in addition to the output from a key fob that generates a new six-digit number every 60 seconds.

Genlabs was just one of 48 victims I have heard from or reached out to over the past five months. While not everyone was willing to tell me the name of their bank, those that did almost universally named local and regional institutions.

If you review the chart below -- which details how much the thieves tried to steal from each victim and how much they made off with -- you'll notice that several of the figures in the "amount unrecovered" column total $0. In nearly all of those cases, the victim banked at a very small institution, the kind where employees apparently still know their customers by name and by sight.

Take the case of Holdiman Motor, a car dealership in Cedar Falls, Iowa. Earlier this year, hackers tried to initiate a series of bogus payroll transfers totaling $60,000 to several individuals the company has never done business with before. Owner Tom Holdiman said the perpetrators failed because the company's bank -- Lincoln Savings Bank -- noticed that the timing of the transactions was unusual and alerted Holdiman's controller.

"With the other banks you're just a number," Holdiman said. "That's why we're with them."

In the 48 attacks I've confirmed since May, thieves attempted to steal more than $7.3 million from these organizations. In many cases, I was unable to learn how much victims had actually lost. A number of companies told me they did not want to be identified by name, and have not responded to requests for follow-up interviews. Some victim companies that spotted the fraud early enough were able to work with their bank to retrieve some or all of the stolen funds. Other victims recovered nothing, and are in various stages of suing their banks to recover some of the losses.

Nevertheless, it is clear that the stories published here have encouraged more and more victims to come forward. In the month of September alone, I learned of at least 20 previously unpublicized cases in which hackers tried to take a total of more than $3.3 million from small- to mid-sized organizations across the country.

Below is a chart showing the victim entities that I have confirmed over the past five months. That same chart -- including monthly and cumulative dollar loss totals -- is available in Excel and HTML format. Some victims are identified only by their industry or specialty to preserve their anonymity. If a victim's name is hyperlinked, readers can click the link to read a prior Security Fix blog post that includes mention of their specific incident.

By Brian Krebs
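A defender-side illustration of the pattern the FBI describes above (an added example, not code from the post, the FBI or any bank named in it): a rule that scans a business account's outbound transfers for a burst of sub-$10,000 payments to payees the account has never paid before, and notes whether the burst fell outside business hours, the kind of timing anomaly Lincoln Savings Bank caught. The transfer records, payee names and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed outbound transfer records for one business account
# (hypothetical data; not drawn from any incident reported above).
SAMPLE_TRANSFERS = [
    # (timestamp, payee_id, amount_usd)
    ("2009-09-14 09:02", "payroll-vendor-01", 48250.00),  # routine payroll run
    ("2009-09-14 09:05", "payroll-vendor-01", 12000.00),
    ("2009-09-21 02:11", "new-payee-4471", 9850.00),      # 2 a.m. burst of
    ("2009-09-21 02:12", "new-payee-4472", 9780.00),      # first-seen payees,
    ("2009-09-21 02:14", "new-payee-4473", 9910.00),      # every item just
    ("2009-09-21 02:15", "new-payee-4474", 9600.00),      # under $10,000
    ("2009-09-21 02:17", "new-payee-4475", 9725.00),
]
KNOWN_PAYEES = {"payroll-vendor-01"}  # payees the account has paid before


def flag_structured_mule_transfers(transfers, known_payees,
                                   window=timedelta(hours=1),
                                   per_item_cap=10_000.0, min_count=3,
                                   business_hours=(7, 19)):
    """Return one alert per burst of >= min_count sub-cap transfers to
    never-before-seen payees inside a sliding time window."""
    events = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), payee, amt)
                    for ts, payee, amt in transfers)
    # Keep only what matches the described pattern: sub-cap amounts
    # (structured under the reporting threshold) to unknown payees.
    suspect = [e for e in events
               if e[1] not in known_payees and e[2] < per_item_cap]
    alerts, i = [], 0
    while i < len(suspect):
        start = suspect[i][0]
        j = i
        while j < len(suspect) and suspect[j][0] - start < window:
            j += 1
        cluster = suspect[i:j]
        if len(cluster) >= min_count:
            alerts.append({
                "window_start": start,
                "count": len(cluster),
                "total": round(sum(a for _, _, a in cluster), 2),
                "payees": [p for _, p, _ in cluster],
                # Outside normal hours is the timing cue a human teller notices.
                "off_hours": not (business_hours[0] <= start.hour < business_hours[1]),
            })
            i = j  # do not re-alert on the same cluster
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in flag_structured_mule_transfers(SAMPLE_TRANSFERS, KNOWN_PAYEES):
        print(alert)
```

Tune `window`, `min_count` and `per_item_cap` to the account's own payment history; the routine payroll run to a known payee is ignored, so a customer's normal large payments do not trip the rule.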

Cyber war with China?


$15.8m fine for spam - theaustralian.news.com.au - 24 Oct 09

The operators of a mobile phone text scam that preyed on the desperate and dateless were yesterday slammed with $15.8 million in fines for breaching anti-spam laws.

The fine, from Queensland's Federal Court, makes the operators -- who posted fake personals profiles on dating websites to harvest mobile phone numbers and lure men to pay up to $5 per message for SMS sex chat services -- the recipients of Australia's largest spam penalty.

It trumped the West Australian Federal Court's October 2006 imposition of $5.5m in fines against email marketing company Clarity1, of which $1m was levied against managing director Wayne Mansfield.

It was also the first time the Australian Communications and Media Authority had taken legal action over SMS spam.

By Andrew Colley

Windows 7 hoopla brings spam and malware attacks - mxlogic.com - 23 Oct 09

Cybercriminals hoping to profit from the hype over Microsoft's Windows 7 have launched spam email campaigns offering special deals on the new operating system, but these deals are likely traps for distributing malware.

Security researchers at McAfee reported seeing a surge in Windows 7 related spam beginning in September, with subject lines such as "Microsoft Windows 7 special offers." These messages have reached as high as 1.88 percent of all spam, McAfee said.

"That might sound like a small number, but when you consider that daily spam volumes can reach 160 billion messages, it is not insignificant," McAfee's David Marcus said on the McAfee Labs Blog.

Microsoft is warning customers not to be fooled by offers of pirated versions of Microsoft software and products, which could contain malware that can take over a victim's PC and steal their personal data.

On the Microsoft Malware Protection Center blog, the company said it has seen spikes in a Trojan called Win32/Bifrose, which comes bundled with a pirated version of Windows Vista called Vista Black Edition.

"So you see kids, illegal software is seldom free of all cost," Microsoft's Matt McCormack said in the post. "Chances are you're paying for it in ways you didn't consider