This Week in Cybercrime: Online Bank Heists Just the Latest in a Long String

Late last month, I began an edition of This Week in Cybercrime by noting that, “The idea that cybercrimes are the work of miscreants or gangs of hackers picking targets at random is outmoded. Analysts now see a mature industry with an underground economy based on the development and distribution of ever more sophisticated tools for theft or wreaking havoc.” That updated thinking was backed up by a report released a few days earlier by researchers at 41st Parameter, a fraud detection and prevention firm.

Further reinforcement came this week when U.S. federal prosecutors filed charges against five people for orchestrating what is said to be the largest hacking/data breach/bank robbery case ever reported. “The defendants and their co-conspirators penetrated the secure computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, and stole the personal identifying information of others, such as user names and passwords,” prosecutors said. The crew of cybercrooks netted at least 160 million credit and debit card numbers. Let that number sink in for a second.

The estimated financial losses stemming from the thefts reach into the hundreds of millions of dollars.

Of the five defendants—Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, and Dmitriy Smilianets of Russia, and Mikhail Rytikov of Ukraine—only two, Drinkman and Smilianets, are in custody. The other three are on the run, which is unfortunate, because Kalinin has been prolific in his efforts to pick financial institutions clean. According to the prosecutors, from December 2005 through November 2008, Kalinin and a separate co-conspirator hacked into Citibank and PNC Bank computer systems and stole account information they subsequently used to withdraw millions of dollars from victims’ bank accounts.

For example, in January 2006, they launched a cyberattack on PNC Bank’s online banking site and walked away with hundreds of the personal identification numbers associated customers’ ATM cards. Kalinin’s partner in crime turned the data over to associates who used it to encode blank ATM cards and withdraw $1.3 million from victims’ accounts. In 2007, Kalinin repeated the feat, that time going after the network of a firm that processed ATM transactions for Citibank and other banks. He stole PINs for half a million bank accounts, including those of 100 000 Citibank customers. He and his co-conspirators used the spoofed ATM cards they created to rob Citibank—in broad daylight, without guns or masks—to the tune of $2.9 million. A year later, Citbank was again in the online bank robbers’ crosshairs. Amid a cyberattack against the bank’s website, they stole 300 000 account holders’ information. This time the haul from faked ATM cards was $3.6 million.

In a separate case, for which Kalinin was also charged on Thursday, prosecutors allege that between 2007 and the fall of 2010, malware he placed on servers used by the Nasdaq financial exchange allowed him to incrementally elevate his level of administrative access until the point, in January 2008, that he had unfettered control. He marked the occasion with a jubilant instant message: "NASDAQ is owned." The government alleges that the 26-year-old native of St. Petersburg, Russia, got his foot into the door of Nasdaq's systems when he noticed a small vulnerability on its website.

Prosecutors named 16 separate corporate victims of the Russian and Ukrainian cyberthieves’ reign of terror. Most of the damage was done in breaches of systems at: Heartland Payment Systems Inc., a credit and debit card payment processor that had 130 million card numbers stolen from its databases; Commidea Ltd., a European electronic payment processor for retailers, that had 30 million card numbers stolen; and Euronet, a Leawood, Kansas–based electronic payment processor that lost roughly 2 million card numbers to malware. Other notable names that were targeted include Visa, Discover, Dow Jones, and J.C. Penney.

The alarm with which the gang of five’s activities was reported is itself startling. It’s not as if a certain blog doesn’t update readers on what happens each week in the world of cybercrime. And it’s not as if, in 2013 alone, This Week in Cybercrime hasn’t highlighted several other techno bank robberies, in the process making it clear that financial institutions are increasingly vulnerable.

In May, for example, we reported that seven people were arrested for coordinating 40 000 fraudulent cash machine withdrawals in 27 countries (with a total haul of $45 million) within hours after they hacked into the servers of credit card processors in the United Arab Emirates and Oman. And in June, we noted that U.S. prosecutors charged a gang of Ukranian cyberthieves with stealing account information from 15 different payment processors, banks, and online brokers and using it to transfer funds to prepaid debit cards. After the transfers, they would subsequently have roving teams of “cashers” hit ATMs to withdraw cash or make purchases with the ill-gotten loot.

The banks should do a better job at securing their networks, you say? That may not be possible, says a report from the FireEye Malware Intelligence Lab, that we discussed back in April. The report, on advanced persistent threats [pdf], found that some companies (banks fit the description) have to fend off attacks as often as once every three minutes. It’s not realistic to expect them to stand up to the growing volume and increasing sophistication of digital assaults. "This nearly continuous rate of attacks and activities is indicative of a fundamental reality: these attacks are working, yielding dividends," said the report. An Ars Technica article describing the Nasdaq hack notes that,

"The indictments give a birds' eye view of the patience and meticulousness hackers employ when penetrating some of the world's most well-fortified networks."

Photo: Tim Robberts/Getty Images