NEWS

...Continued from front page

techniques. This was the result of cooperation between Europol, Eurojust, the FBI, the UK’s National Crime Agency (NCA) and German police forces and prosecutors, in what is being claimed as the largest international operation of its kind. Cyber-security firms, including Symantec and Bitdefender, were also involved in the operation, as well as other investigators, bringing the total number of countries involved to 30.

“Cyber-criminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users’ bank details and other personal data,” the NCA said in a statement.

The Avalanche network provided a resilient way for criminals to manage botnets. It was rented out to spammers and cybercriminal gangs and possibly accounted for two-thirds of phishing attacks. Since 2011, it has also been heavily used for distributing trojans. As many as 20 malware families were distributed through the system, including the Zeus and Citadel banking trojans; more recently, Avalanche was employed to spread ransomware. According to the NCA, Avalanche was employing up to 600 servers and 800,000 domain names, targeting victims in 180 countries.

As part of the groundwork for the law enforcement operation, the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analysed over 130TB of captured data and mapped out Avalanche’s server structure. The Shadowserver Foundation assisted in the takedown and has more information here: http://blog.shadowserver.org/2016/12/01/avalanche/.
December 2016

The Avalanche cybercrime network. Source: Europol.

Bank raids hit Tesco and Russians

It has now been confirmed that the cyber-attack on Tesco Bank affected around 9,000 customers and resulted in the loss of £2.5m. At the beginning of November, Tesco Bank had to completely suspend online transactions for a day. It is now working with the National Cyber Security Centre to investigate the attack.
Three anonymous sources have told The Times newspaper that Tesco Bank had ignored warnings made by Visa a year ago that it had a flaw in its systems. The so-called Code 91 glitch allows cybercriminals to ‘ping’ a payment service with random card numbers, expiry dates and three-digit security codes until a match is found with a legitimate card. According to the report in the newspaper, investigators at the National Crime Agency (NCA) and the Financial Conduct Authority (FCA) are examining whether this was the mechanism used in the attack.

Until now, it was believed that the Retefe trojan was responsible for the thefts. According to Peter Stancik, security evangelist at security firm Eset: “Our active malware monitoring and Eset Threat Intelligence services show that Tesco Bank has recently been on the target list of the Retefe trojan horse. Disturbingly, our analysis shows that there is quite a lengthy list of other banks located in many other countries in this malware’s crosshairs. It must also be said that this campaign began at least as far back as February 2016.”

The Retefe malware is typically spread as an email attachment, often claiming to be an invoice or other innocuous document. The trojan uses Tor to connect to a proxy server that relays the victim’s traffic to the target bank, which allows it to perform a man-in-the-middle attack on the banking session. It also installs a fake root certificate so that the victim receives no browser certificate warnings. A separate mobile component is capable of defeating two-factor authentication based on one-time passcodes. Other former Tesco Bank staff, also anonymous, have claimed that, while Tesco Bank’s systems meet industry standards for security, there are weaknesses wherever they connect to the parent company’s “not-very-secure-at-all” systems. There’s more information here: http://bit.ly/2g6zHEr.

Meanwhile, Russian banks have also come under attack. Media sources in the country claimed that five banks came under sustained distributed denial of service (DDoS) attacks early in November. The biggest attack lasted 12 hours and peaked at 660,000 requests a second, according to Kaspersky Lab. The attackers employed botnets built from hacked Internet of Things (IoT) devices, although Kaspersky added that the Mirai malware does not seem to have been involved. This is the biggest attack against Russian banks since eight of them were targeted in October 2015.

More mysteriously, Russian security services claim to have disrupted an attack against the country’s financial system by “foreign intelligence services”. Somewhat bizarrely, the Russian Federal Security Service (FSB) announced in advance that the attack would happen on 5 December. It claimed that the attack would involve a disinformation and propaganda campaign alongside the cyber-attack in order to destabilise Russia’s financial services. While the FSB didn’t name the country responsible, it did say that servers in the Netherlands owned by Ukrainian hosting firm BlazingFast would be involved. The FSB claimed that its co-operation with the banks stopped the attack. No evidence was offered.
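The Code 91 ‘ping’ mechanism described in the Tesco Bank story is a card-testing attack, and the defensive counterpart an issuer or payment gateway would want is velocity detection at the authorisation endpoint: one source trying many distinct card number and expiry combinations in a short window, usually ending in a single approval. The Python below is an added example written for this page, not code from Tesco Bank, Visa, the NCA or any vendor named above; the log format, the `src` field, the thresholds and every sample line are constructed assumptions.

```python
"""Velocity detection for card-testing ('ping') attacks on an authorisation
endpoint.  Added example for this page: log format, field names, thresholds
and sample lines are all constructed assumptions, not real bank data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One authorisation attempt per line.  The CVV itself is deliberately absent:
# PCI DSS forbids retaining it after authorisation, so a guess is keyed on
# masked PAN + expiry only.  'src' can be a client IP, merchant or acquirer ID.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) pan=(?P<pan>\S+) exp=(?P<exp>\S+) "
    r"result=(?P<result>\S+)$"
)

# Constructed sample log: one source cycling through card numbers and expiry
# dates until an approval, and one ordinary customer who mistyped an expiry.
SAMPLE_LOG = """\
2016-11-05T02:14:01Z src=203.0.113.7 pan=412345******0001 exp=01/18 result=DECLINED
2016-11-05T02:14:03Z src=203.0.113.7 pan=412345******0002 exp=03/18 result=DECLINED
2016-11-05T02:14:05Z src=203.0.113.7 pan=412345******0003 exp=05/19 result=DECLINED
2016-11-05T02:14:07Z src=203.0.113.7 pan=412345******0004 exp=07/17 result=DECLINED
2016-11-05T02:14:09Z src=203.0.113.7 pan=412345******0005 exp=09/18 result=DECLINED
2016-11-05T02:14:11Z src=203.0.113.7 pan=412345******0006 exp=11/19 result=DECLINED
2016-11-05T02:14:13Z src=203.0.113.7 pan=412345******0007 exp=02/18 result=APPROVED
2016-11-05T02:15:30Z src=198.51.100.20 pan=555555******4444 exp=06/18 result=DECLINED
2016-11-05T02:16:02Z src=198.51.100.20 pan=555555******4444 exp=06/19 result=APPROVED
2016-11-05T09:00:00Z src=203.0.113.7 pan=412345******0099 exp=12/18 result=DECLINED
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_card_testing(lines, window_seconds=60, min_guesses=5):
    """Return one alert per source that tried at least min_guesses distinct
    (PAN, expiry) combinations within any window_seconds-long sliding window.

    Each alert reports the busiest window: distinct guesses, declines, and any
    PANs approved inside it (the 'match found' that the attacker was after).
    """
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_src[rec["src"]].append(rec)

    alerts = []
    span = timedelta(seconds=window_seconds)
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        window = deque()
        best = None
        for rec in recs:
            window.append(rec)
            # Drop attempts older than the window relative to the newest one.
            while rec["ts"] - window[0]["ts"] > span:
                window.popleft()
            guesses = {(r["pan"], r["exp"]) for r in window}
            if len(guesses) < min_guesses:
                continue
            candidate = {
                "src": src,
                "window_end": rec["ts"].isoformat(),
                "distinct_guesses": len(guesses),
                "declined": sum(1 for r in window if r["result"] == "DECLINED"),
                "approved_pans": sorted({r["pan"] for r in window
                                         if r["result"] == "APPROVED"}),
            }
            if best is None or candidate["distinct_guesses"] > best["distinct_guesses"]:
                best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is it flags only 203.0.113.7 (seven distinct guesses in twelve seconds, six declines, one approval) and leaves the customer who retried with a corrected expiry alone; the attempt from the same source hours later falls outside the window and does not count. The important caveat is the grouping key: an attacker who spreads guesses across many source addresses or merchants evades a per-source threshold, so the same sliding-window count should also be run per BIN range and per acquirer, and the approved PAN in an alert is the card to block or re-verify, not merely the source.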
Computer Fraud & Security