Digital bank robbers make off with $6.7 million

Digital bank robbers make off with $6.7 million

No Comments

During the holidays cybercriminals kept themselves busy, hacking websites and stealing all the data they could find. South African Postbank, a financial institution owned by SA Post Office, is one of the victims.

 

South African bank Postbank was robbed of $6.7 million earlier this month. But the thieves didn’t need masks and guns to pull off the job — just computers.

 

To pull off the heist, the hackers created a backdoor into one of the bank’s computers. From that hacked computer, they were able to access the rest of the network and issue the commands to distribute the $6.7 million to different accounts owned by the thieves. Those accounts were promptly emptied via ATM visits. Preliminary reports revealed that the cybercrime ring responsible for the theft opened a number of Postbank accounts all across the country and then, in the period between January 1 and January 3, they managed to access a Post Office employee’s computer from where they deposited money from other accounts into their own.

Since the crime didn’t raise any red flags with its automated fraud-detection programs, bank employees failed to notice the money was missing until the bank re-opened after the New Year’s holiday.

The irony is that 3 years ago the institution invested a large amount of money in their anti-fraud systems. However, as we can clearly see, anti-fraud systems aren’t worth much if the company doesn’t have a strict policy for the way their employees handle computers.

If the reports are true, then it is very likely that an employee with privileged rights must have fallen victim to a scam email designed to spread a malicious Trojan.


Fin24 reports that the National Intelligence Agency, which offers assistance when a government institution is compromised, has launched an investigation to precisely determine the causes that allowed for the incident to occur.

Bank representatives state that none of their customers are affected by the breach, but security experts believe that Postbank’s systems desperately need an upgrade.

Crooks don’t necessarily have to hack into a bank’s systems to gain access as it may be much easier to manipulate someone into handing over some information that can be utilized to just waltz in without being detected.

Lately, we’re presented with many cases in which a little bit of social engineering can perform much more efficiently than even the most sophisticated piece of malware. Take the thieves who stole 9 million dollars from payroll debit cards issued by RBS Worldpay.

AT&T iPad site hacker to fight on in court

AT&T iPad site hacker to fight on in court

apple-ipad-hacker

 

A hacker facing trial on charges that he and a cohort conspired to break into an AT&T Web site for 3G iPad users told CNET today that he will fight the charges “to the end.”

Andrew “Escher” Auernheimer, 26, was indicted several months ago on one count of conspiracy to gain unauthorized access to computers and one count of identity theft. He faces up to 10 years in prison and $500,000 in fines. Co-defendant Daniel Spitler pleaded guilty in June and a judge put the case on hold, reportedly because of plea negotiations.

But Auernheimer, whose hacker handle is “weev,” says he’s not going to cop a plea.

“I did not fold the two previous times when the FBI tried to frame me as a terrorist” for allegedly calling in a bomb threat to a synagogue, which he denies, he said in an e-mail. “I will not fold now when they try to libel me as a thief. My indictment conveys a message that I am some sort of identity thief.”

In a follow-up phone interview, Auernheimer said he has done “nothing ethically wrong” and is being persecuted for “telling the truth” by exposing a security hole in AT&T’s Web site that was leaking e-mail addresses and unique device numbers for about 120,000 3G iPad users last year, including government and high-profile corporate customers.

weev-aurenheimer-hacker

Andrew Auernheimer, aka “Weev,” in a photo from earlier this year.(Credit: Anonymous)

“I contend there is no crime in telling the truth or using AT&T’s, or anybody’s, publicly accessible data, to cite it to talk about how they made people’s data public,” he said. “There’s a continuance until January. There may be a trial then…I just want to fight this thing to the end.”

A Department of Justice spokesman declined to comment because the court case is pending.

Asked his thoughts on Spitler’s guilty plea, Auernheimer said he was sure that Spitler would “cooperate in some way.” “I don’t blame him. He’s a good guy,” he said of his former hacking partner. “It’s probably terrifying for most people to go through this process. I’ve been fighting ‘The Man’ for years.”

Spitler wrote a script called the “iPad 3G Account Slurper” and used it against AT&T servers to harvest the iPad user data. The Justice Department contends that he and Auernheimer plotted on how to take advantage of the security hole for profit, but Auernheimer claims they were merely trying to protect consumers and waited until AT&T knew about the hole and fixed it before allowing Gawker to publish the details.

“I’ve never once made a dime off embarrassing a large corporation. I’ve never attempted to make a dime and AT&T is basically a public figure that is open to criticism. I think it’s fair,” he said. “Embarrassing somebody by telling the truth is not malice. It’s necessary speech.”

The Justice Department has released excerpts of Internet Relay Chat (IRC) logs in which the hackers discussed selling the e-mail addresses to spammers, shorting AT&T stock before releasing details of the breach, and destroying evidence.

In one exchange, Auernheimer writes: “This could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails,” to which Spitler responds: “ipad but yeah.” Asked to comment about statements from the logs that would appear to be damaging to his case, Auernheimer said “It’s easy to misconstrue a true statement as evidence of malice…our acts reveal no malice. I went straight to the press and I told exactly what needed to be told.”

When asked why he didn’t go directly to AT&T first, he said: “AT&T has a commercial interest in not having their negligence with consumer data spoken about, ever…I used the press as a proxy and I waited for (AT&T) to patch before going public.”

Auernheimer, 26, said he is barred from using IRC, communicating with anyone in his hacking group or any potential witnesses or co-defendants, and doing random Web browsing, but can use the Internet for “commerce.”

He was forced to leave his Fayetteville, Ark., home because of a bail condition requiring him to stay in the jurisdiction, he added, and as a result, he is living in Jersey City, N.J. (Meanwhile, drug charges he was arrested on last year after an FBI sweep of his home in the AT&T case have been dropped, he said.)

He has a public defender and has raised about $10,000 for his legal defense fund, he said. While he waits for trial, he is learning the Erlang programming language and is “open to security work.”

“I definitely have a habit of pissing people off. I’m not apologetic for that,” said the self-described Internet “troll.” “I think that the people that get pissed off probably deserve it. It serves a social function.”

I have known and spoken with Andrew over a number of years in the hacking scene. Hopefully this one works out for him!

Read more:

The New Reality of Stealth Crimeware

The New Reality of Stealth Crimeware

No Comments

Anyone who has been in information security recently knows that it has gotten easier for cybercriminals to build stealth crimeware. The malware we deal with on a regular basis grows ever more difficult to find, while high-end targeted attacks such as Stuxnet and other advanced persistent threats (APTs, the abbreviation I hate) are using ever more advanced rootkit techniques to avoid detection.

Cybercriminals use clever stealth techniques to evade detection because it allows their malware to be more effective, live on a machine or network longer, and thus maximize the compromise. McAfee Labs is now at the point where we detect more than 110,000 new unique rootkits per quarter.

To make matters worse, there is another issue that many fail to recognize:

Today’s current OS-based security model is not adequate; cybercriminals know how to get past these defenses every time.

The security industry has to find a new vantage point on cybercriminal behavior to stop and uncover their stealth techniques. It is time for our industry to start looking at security beyond the operating system to gain a more effective view of how cybercriminals operate.

We delve into these and many other issues in our latest report: “The New Reality of Stealth Crimeware,” written by myself and Thom Sawicki of Intel. Download it here.

[wp-pdf-view swf=”https://www.infostruction.com/wp-content/uploads/2011/07/wp-reality-of-stealth-crimeware.pdf” width=”500″ height=”400″ /]

Introduction

Stealth is the art of travelling undetected, of being invisible. Stealth technology allows military aircraft,
Ninjas, and malware to sneak up on the enemy to launch an attack, gain intelligence, or take over
systems and data.

Although stealth techniques are used in sophisticated attacks like Conficker and Operation Aurora, the
Stuxnet attack offers a new blueprint—and benchmark—for how committed criminals can use stealth
techniques to steal data or target computing systems. Stuxnet innovations included a combination of
five zero-day vulnerabilities, three rootkits, and two stolen digital certificates. Powerful toolkits, like what is available in the Zeus Crimeware Toolkit, make stealth malware development a “point- and-click” endeavor, no longer restricted to the most knowledgeable programmers. While there are no definitive industry figures, McAfee Labs estimates that about 15 percent of malware uses sophisticated stealth technique to hide and spread malicious threats that can cause significant damage.1 These attacks form the cornerstone—the “persistent” part—of advanced persistent threats (APTs).

2011 Verizon Data Breach Report

2011 Verizon Data Breach Report

No Comments

Verizon’s 2011 Data Breach Investigations, a study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit.

 

 

 

 

Verizon’s 2010 Data Breach Report found that the number of data breaches quintupled from 2009, highlighting the shift as cyber-criminals target smaller businesses.

While the number of data breaches soared in 2010, the amount of information lost has dropped dramatically, according to Verizon’s latest data breach survey. The contradiction underscores what some security experts have been saying: attackers are increasingly targeting smaller companies because it’s easier.

Released April 19, the latest “2011 Verizon Data Breach Investigations Report” from Verizon Business counted 760 data breaches in 2010, compared to only 141 data breaches in 2009. Verizon noted a dramatic decline of 97 percent in the number of compromised records in 2010, as compared to 2009.

Among some of the report’s key findings:

  • Hacking, at 50 percent, and malware, at 49 percent, are the most prominent types of attack, with many incidents involving weak or stolen credentials and passwords;
  • Physical attacks, such as skimming at ATMs, pay-at-the-pump gas terminals and POS systems, for the first time rank among the three most common ways to steal information, comprising 29 percent of all investigated cases;
  • Outsiders are responsible for 92 percent of breaches, while the percentage of insider attacks dropped from 49 percent in 2009 to 16 percent in 2010.

Attacks Remain Easy
According to the report, 83 percent of the databases hit in 2010 were targets of opportunity; 92 percent of the attacks were classified as “not highly difficult.”

  • 86 percent of the year’s breaches were discovered by third parties;
  • 97 percent were avoidable through simple or intermediate controls;
  • 89 percent of the corporate or organizational victims were not compliant with the Payment Card Industry Data Security Standard at the time of the hack.

Download the 2011 Data Breach.

2010 Verizon Data Breach Report

2010 Verizon Data Breach Report

No Comments

The 2010 Verizon and U.S. Secret Service breach report is full of enlightening facts, figures and statistics. I highly recommend you read it cover to cover. It breaks down the breaches by demographic, threat agents, threat actions, attack difficulty and targeting, vertical, and time span. It also compares how PCI compliance affected the number and severity of breaches. This is the first year that Verizon has teamed up with the Secret Service to expand reporting on breach incidents. This reporting is highly regarded as a source for intrusions into the customers of Verizon’s widely adopted communications services. DBIR series now spans six years, 900+ breaches, and over 900 million compromised records.

https://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Highlights:

  • Who is behind Data Breaches?
  • 70% resulted from external agents (-9%)
    48% were caused by insiders (+26%)
    11% implicated business partners (-23%)
    27% involved multiple parties (-12%)

  • How Do Breaches Occur?
  • 48% involved privilege misuse (+26%)
    40% resulted from hacking (-24%)
    38% utilized malware (<>)
    28% employed social tactics (+16%)
    15% comprised physical attacks (+6%)

  • What commonalities exist?
    98% of all data breached came from servers (-1%)
    85% of attacks were not considered highly difficult (+2%)
    61% were discovered by a third party (-8%)
    86% of victims had evidence of the breach in their log files
    96% of breaches were avoidable through simple or intermediate controls (+9%)
    79% of victims subject to PCI DSS had not achieved compliance

Older Reports:

2009: https://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

2008: https://www.verizonbusiness.com/resources/security/databreachreport.pdf