I like this in particular. It highlights the social manipulation part of such a exploit.
>To draw attention away from the massive transfers, the hackers often created a diversion, such as a "denial of service" attack that would bombard the website with traffic in an attempt to shut it down, the law enforcement official said.
Corporate banking applications have multitudes of layers of approval, authorised signatories, transaction limits, multiple approvers, etc, and increasingly mobile alerts. By creating chaos in an organisation, it does not mean these break down, but everyone is panicking about something they feel is important, and give scant regard to what seems credible and routine. Exploiting a human fallibility.
Disclaimer: I used to do compliance and security training at a very large financial institution. A huge amount focused on social manipulation via stress and pressure being placed in someone at a critical node of the transaction process.
With access to thousands of bank accounts, you can issue small transfers to and from those accounts, over and over and over again, to the point that the transfers are so many, that tracing them becomes significantly difficult.
It's not untraceable, but the cost associated with unraveling a single theft becomes prohibitively expensive.
Are the banks liable for these kinds of losses? I'm guessing no; if they were, I doubt they'd consider it "prohibitively expensive" to track down losses of hundreds of thousands to millions of dollars.
Based on some events of this sort in my area, as I understand it organizations that get that sort of direct access and control over their bank accounts do so under a strict set of conditions the bank lays down. I.e. an isolated computer that no one's reading email on, which prevents the sort of spear plishing detailed in Haysite Reinforced Plastics experience with PNC Bank.
After such an event the bank will investigate, and if the org violated their conditions and that led to the loss, it's on the org. And I suspect org insurance policies have "we don't make you whole if you're an idiot" provisions.
Or at least that's how it went down here when e.g. a school district was sloppy and lost 6 figures of their bank balance.
"hundreds of thousands to millions of dollars." is quite a large range when talking about money.
My comment was specific to the example given in the article, where to amount was about $195,000. While not a tiny sum of money, the amount of man hours spent to unravel those transactions, to ultimately get to recoverable sum, would be close to if not more than the original amount. And getting to the amount, may not guarantee that you can recover the funds anyway.
Putting aside the cost/hours of recovering the money, is this the only reason its 'untraceable'?
I understand it becomes tedious to unravel the transactions, but is it still a tractable problem? Or do these people eventually shift the money into offshore banks that refuse to co-operate with authorities? It seems such a bank would be quickly cut off from the rest of the world if it existed.
I dunno. I don't understand how thieves can transfer moneys from my accounts in a matter of minutes, and it's untraceable, but when I try to send money to someone else, it takes 5-7 business days. Initiated deposit to my HSA, 7 business days. I got some BS about "well, sir, it has to clear multiple services". ACH clearinghouses, etc. But if I buy something on my HSA card, the money's gone in 2 seconds.
If I transfer money to someone else's account it's in there within about 10-20 seconds. I guess different banks and accounts make use of different transfer types, and when the thieves are in the system they can just choose to use the faster ones?
I'd just like to say, as someone who was in charge of a network that got hit with crypto-locker (we had backups, no payout needed), I'm very glad that it's stopped working.
Now we just need to wait for the next bunch of greedy, malevolent sociopaths to create the next round of ransomware... Although I'm sure this has already been done.
I think that depends on how many people are required to get the private keys, whether or not the various accounts and bitcoin wallets can be seized, and a whole bunch of other factors. I'm hoping that the whole C&C network hasn't gone kamikaze after the shutdown, although it's a possibility.
If they have a tech-savvy friend, they should be okay. I recall reading an article describing how a flaw in the CryptoLocker encryption process and that the keys were actually stored on the PC itself -- meaning it's possible to "unlock" it on your own.
Please. We do not need to use the word "dazzling" in this context. This encourages people to spend their considerable mental resources "orchestrating" simple fraud.
"Had to be paid in untraceable money cards or bitcoin"
Visa, Mastercard, and American Express shoud be required
to pay for any fraudulent/suspected activity on their prepaid cards? I know they charge us more than enough interest to cover these types of frauds? As to Russian
Hackers, I heard in many small Russian towns these guys' are considered heroes? I really wish Russia could get rid of
corrupt politicians/Officials, so the Russian people could
have a fighting chance at a system like ours(America). That
sentiment goes for Mexico too. A system without trust must
be like hell?
Criminal underworld personalities are heroes. Some are known nationwide.
There would be news of such and such crime, and while most would be terrified and disgusted, a segment of population (younger delinquents for example) would be very impressed. They also have funny nicknames to add to their "brand". Things like "black bone" or "the green one" etc.
With all the problems and corruption in the American system I honestly hope that there is something better to aspire to. Russia is incredibly corrupt, and so is Mexico, but America is not without it's faults either.
> Humans are the weakest link in any crime machine...
And humans are the weakest link in any corporate machine, by having allowed the crime in the first place.
According to the article, "The heist begins with a phishing e-mail designed to entice a computer user to click on a link. The link launches the virus."
So if we accept the article, the hackers weren't finding deep bugs in network software or doing anything highly sophisticated, but relying on stupid employees at companies.
I made God's temple, like Solomon. I will very likely be crowned king. Get yer head out of your ass and verify the National Institute of Standards random number beacon. Go to that computer. Make it as secure as possible and I will do a miracle. And you will crown me king.
Sorry for the tangent, but does this guy look to be 30 years of age to anyone? I'm having a hard time believing that based on the photos. I'm not implying that someone who is 30 isn't capable of these acts, but perhaps they have his age, photo or identity wrong?
I'm still not sure why ISPs cannot detect when customer machines have been turned into botnet nodes and, effectively, disable them until cleaned. Seems that the machine's Net activity would leave tell-tale signatures that wouldn't be too hard to detect.
Yet, about the most I have seen an ISP do is block port 25.
In general, it seems that ISPs have a lot of unweilded power in this fight.
What motivation do they have to do that? For a clueless user all they will understand is that their ISP has cut them off, and if they give money to a different company instead then their internet will work (from their perspective their computer works fine in most cases - well, perhaps a little slowly).
Security. Notifying a user that he's been pwned can protect that user's confidential info/identity. It's really a service to the user as much as anything.
The ISP would just need to message it as such. They wouldn't just cut off "clueless users" without explanation. Instead, they'd explain that the user's machine has been compromised and disconnecting them until they can get it cleaned up is for their own good.
God this sounds like a nightmare. What looks like botnet traffic to an ISP (irc, ssh, just about anything other than 80, 443, and 53) is stuff that I use all day, every day, as part of my work.
Even filtering out SMTP traffic has been really frustrating for me at points in the past.
I really hope ISPs don't start doing this. I want them to be as dumb of a pipe as possible.
I hear you. I was frustrated by the SMTP thing once myself. Thereafter, I knew what was going on.
Anyway, as devs who need access to this stuff we are in the minority, and I am sure they can find a way to make exceptions for people like us who are "power users".
But, to leave the other 98% of grandmothers, etc. completely vulnerable to botnets by default seems an unreasonable approach.
What seems clear is that they will eventually have to do something.
Sure he must be skilled, but other than cryptolocker's novel approach which gave the victims no other possibility than to comply, on a purely technical level I see (once again) no genius, just a guy who has a lot of free time to spend on illegal activities...
The sheer scope of it is impressive. To infect that many machines, have them network with each other, engineer massive wire transfers that are somehow silent and untraceable, not get caught to me is genius. Seems harder than finding a couple of 0-days (even though that's ridiculously hard as well), even on a technical level.
That's true the numbers are impressive. He did get caught though, not him personally but his network was brought down by the FBI. The thing with the FBI is that of course, in the long you can't win, once you get in their radar it's time to abandon ship IMHO.
I wish someone would persuade the Russian authorities to crack down on their cyber criminals. It mostly seems that when they do get tracked down the Russians basically ignore it and allow them to continue business as usual.
42 comments
[ 21.9 ms ] story [ 1295 ms ] thread>To draw attention away from the massive transfers, the hackers often created a diversion, such as a "denial of service" attack that would bombard the website with traffic in an attempt to shut it down, the law enforcement official said.
Corporate banking applications have multitudes of layers of approval, authorised signatories, transaction limits, multiple approvers, etc, and increasingly mobile alerts. By creating chaos in an organisation, it does not mean these break down, but everyone is panicking about something they feel is important, and give scant regard to what seems credible and routine. Exploiting a human fallibility.
Disclaimer: I used to do compliance and security training at a very large financial institution. A huge amount focused on social manipulation via stress and pressure being placed in someone at a critical node of the transaction process.
http://www.theaustralian.com.au/business/economics/australia...
How is that even possible?
It's not untraceable, but the cost associated with unraveling a single theft becomes prohibitively expensive.
After such an event the bank will investigate, and if the org violated their conditions and that led to the loss, it's on the org. And I suspect org insurance policies have "we don't make you whole if you're an idiot" provisions.
Or at least that's how it went down here when e.g. a school district was sloppy and lost 6 figures of their bank balance.
My comment was specific to the example given in the article, where to amount was about $195,000. While not a tiny sum of money, the amount of man hours spent to unravel those transactions, to ultimately get to recoverable sum, would be close to if not more than the original amount. And getting to the amount, may not guarantee that you can recover the funds anyway.
I understand it becomes tedious to unravel the transactions, but is it still a tractable problem? Or do these people eventually shift the money into offshore banks that refuse to co-operate with authorities? It seems such a bank would be quickly cut off from the rest of the world if it existed.
How can you possibly trace that? Sift through the casino's financials for deposits and withdrawals of a similar size?
Sometimes the trail goes completely cold.
Now we just need to wait for the next bunch of greedy, malevolent sociopaths to create the next round of ransomware... Although I'm sure this has already been done.
There would be news of such and such crime, and while most would be terrified and disgusted, a segment of population (younger delinquents for example) would be very impressed. They also have funny nicknames to add to their "brand". Things like "black bone" or "the green one" etc.
And humans are the weakest link in any corporate machine, by having allowed the crime in the first place.
According to the article, "The heist begins with a phishing e-mail designed to entice a computer user to click on a link. The link launches the virus."
So if we accept the article, the hackers weren't finding deep bugs in network software or doing anything highly sophisticated, but relying on stupid employees at companies.
offtopic: The most funny age-related thing are African soccer players. You see the turning from 19 to 33 overnight all the time :-P
Yet, about the most I have seen an ISP do is block port 25.
In general, it seems that ISPs have a lot of unweilded power in this fight.
Security. Notifying a user that he's been pwned can protect that user's confidential info/identity. It's really a service to the user as much as anything.
The ISP would just need to message it as such. They wouldn't just cut off "clueless users" without explanation. Instead, they'd explain that the user's machine has been compromised and disconnecting them until they can get it cleaned up is for their own good.
Even filtering out SMTP traffic has been really frustrating for me at points in the past.
I really hope ISPs don't start doing this. I want them to be as dumb of a pipe as possible.
Anyway, as devs who need access to this stuff we are in the minority, and I am sure they can find a way to make exceptions for people like us who are "power users".
But, to leave the other 98% of grandmothers, etc. completely vulnerable to botnets by default seems an unreasonable approach.
What seems clear is that they will eventually have to do something.