Cyber Bank Heist Nets 5.3 Million Dollars

• During the first three days of the new year, while the bank was closed for the holiday, thieves accessed a compromised computer at the South African Postbank and used it to transfer large sums of money in to accounts they had opened over the past few months
• They then used the compromised computer, and the credentials of a teller and a call center employee, to raise the withdrawal limits on their accounts
• By 9am January first, numerous money mules started making trips to ATMs in Gauteng, KwaZulu-Natal and the Free State, unhindered by withdrawal limits
• Withdrawals stopped around 6am January 3rd before the bank reopened and the compromise was detected
• In total, approximately 42 Million South African Rand were stolen (approximately 5.3 million USD, although some news stories reported the figure as 6.7 million USD). This appears to be around 1% of the entire holdings of the government operated bank
• The National Intelligence Agency (NIA) is investigating as Postbank is a government institution
• Sources report that the bank’s fraud detection system failed to detect the extremely large withdrawals, and the fraud was not discovered until employees returned to the bank from the new years holiday
• Observers question way such low level employees (Teller, Call Center Agent) had the required access to raise the withdrawal limits
• Investigators have not yet determined if the computers and passwords were compromised by the employees unwittingly, or if they were involved in the heist
• Local Coverage

---

Koobface operators go underground as researchers disclose their identities

• The koobface malware mostly targetted facebook users, prompting users to download a newer version of flash in order to watch a non-existent video. Rather than the expected flash update, the users would be infected with malware
• The malware operators made large sums of money by using the botnet of infected computers to perpetrate click fraud against pay-per-click advertising networks. “Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud”
• Facebook and some researchers they had been working with released their findings, including the identities, social media accounts and other information that had gathered on those behind the malware
• Within days of that disclosure, the attackers had shut down their C&C servers and rapidly began destroying the evidence against them. They also appear to have gone in to hiding (likely to avoid prosecution or extradition)
• With the shutdown of the C&C servers, and the disappearance of the operators, new infections of Koobface have dropped to near zero
• Researchers question if exposing the operators was the right thing to do
• Canadian Researchers released paper on Koobface in 2010 . Rather than releasing the identities of the attackers, Infowar Monitor handed the information over to Canadian Law Enforcement
• Additional Coverage

---

Shoe Retailer Zappos Hacked, 24 million customers compromised

• Zappos, and online shoe retailer owned by Amazon, was compromised last week
• Attackers gained access to the customer database after compromising a Zappos server in Kentucky, and using it to Island Hop into the internal network
• The Zappos customer database contained the names, email addresses, scrambled passwords, billing and shipping addresses, phone numbers and the last four digits of credit cards numbers
• It is unclear what is meant by ‘scrambled’ password, hopefully secure hashing
• Zappos states rather clearly, and repeatedly, that their secure payment processing servers were not compromised, and that credit card and transaction data remains secure
• Hopefully this means that Zappos takes their PCI-DSS compliance seriously, and the payment servers are isolated from the internet network that was invaded via the compromised server
• Even without the full credit card data the information from this compromised could be used quite successfully in spear phishing attacks
• Zappos has reset and expired all customers passwords, forcing customers to choose new passwords
• Zappos has disabled its phone systems in anticipation of an extremely high volume of support inquiries
• Zappos Announcement

---

Researcher reveals that stuxnet did not use a vulnerability in SCADA

• Researcher Ralph Langner presented his findings at the S4 Conference on SCADA Systems
• In his presentation, he revealed that the stuxnet worm, while possessing many 0-day exploits to gain access to the protected computer systems, used a design flaw in the SCADA system, rather than an exploit to perform the attack
• Langner postulates that the design of the Stuxnet worm was not to destroy the centrifuges, but to undetectably disrupt the process, making production impossible
• The Stuxnet worm takes advantage of the fact that the input process image of the PLC is read/write rather than read only, so the Stuxnet work simply plays back the results of a known good test to the controller, while actually feeding the centrifuge bad instructions, resulting in unexplained undesired results
• Langner used his analysis to criticize both Siemens and the U.S. Department of Homeland Security for failing to take the security issues more seriously

---

Round Up:

• Vinton Cerf: Internet Access is not a Human Right
• BitShare – Sec. of State Hillary Clinton: Internet Freedom is a human right
• Data stolen from Japanese space agency
• Hackers Disrupt Israel Airline, Stock Market Sites
• Crucial Releasing Firmware for 5200 hour SSD Bug
• Research shows teens share passwords as a form of intimacy
• PIPA support collapses, with 19 new Senators opposed
• Fight brewing over thick .com Whois
• Google says 4.5 million people signed anti-SOPA petition today
• US Senate websites hit with technical difficulties following SOPA blackout
• APNewsBreak: Feds Shut Down File-Sharing Website 
• Followup: Symantec statement on leaked source code

The post Cyber Bank Heist | TechSNAP 41 first appeared on Jupiter Broadcasting.

]]>