This Week in Cybercrime: FBI Sting, RBS Phish

FBI stings 24 hackers, Wyndham's security failure lawsuit, RBS phishing


There was good news and bad news on the cyber security/crime front this week. Yesterday, the U.S. Federal Bureau of Investigation (FBI) announced the arrest of 24 hackers allegedly involved in credit card, bank account and ID theft in a sting operation that spanned 13 countries. Eleven of the individuals were arrested in the U.S. (two are minors), while the remainder were arrested in Bosnia (2), Bulgaria (1), Germany (1), Italy (1), Japan (1), Norway (1), and the United Kingdom (6).

The FBI stated that in June 2010 it set up a phony website for “users to discuss various topics related to carding and to communicate offers to buy, sell, and exchange goods and services related to carding, among other things.” The FBI used the site to gather detailed information on the users, which eventually led to the arrests. The press release describes in more detail how the honeypot website worked.

The FBI claims that as part of its operation it “has prevented estimated potential economic losses of more than $205 million, notified credit card providers of over 411,000 compromised credit and debit cards, and notified 47 companies, government entities, and educational institutions of the breach of their networks.”

It may have been coincidence, but yesterday the U.S. Federal Trade Commission (FTC) announced that it had filed a lawsuit “against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.”

The FTC states that “these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”

The FTC alleges that Wyndham, even after a significant security breach in 2008, which was the result of poor security practices (and which the hotel chain kept secret for months), “failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures” which allowed two more data breaches in 2009. It would be interesting to know whether some of the compromised credit card information stolen from Wyndham turned up on the FBI sting website.

One reason that the FTC is suing Wyndham is that it, like a lot of other companies, prominently proclaims in its marketing information that it takes the care and security of customer data seriously, but apparently doesn’t. I suspect the FTC is sending out a warning to other companies that their actions had better match their public statements about IT security.

Which makes one wonder how the FTC will view the cruise ship company Cunard Line’s admission of a recent data breach involving the personal details of 1,200 of its passengers? According to this story concerning the breach, Cunard’s website states that, “Cunard Line cannot guarantee the security of any information you transmit to us or from our site, and therefore you use our site at your own risk.” Does that legally absolve them in any way in case of a data breach?

Maybe some of the lawyers interviewed in this Wall Street Journal article from Monday about lawyers and law offices being hacked can give an opinion.

In one more bit of news on the justice side of the ledger, two members of the group LulzSec pleaded guilty in a UK court on Monday to charges of launching denial of service attacks against and hacking into websites in the US and the UK. Two other LulzSec members who were also arrested have pleaded innocent to similar charges and are awaiting trial.

On the unlawful side of the ledger, the head of the UK Security Service MI5, Jonathan Evans, stated in a speech on UK national security this week that hacking by an unnamed foreign state resulted in a British company losing £800m in revenue, the Independent reported. Evans was quoted as saying the loss “was not just through intellectual property loss but also from commercial disadvantage in contractual negotiations.” Whether this should be considered just a criminal act or something more like a cyber-attack, I’ll leave up to you to decide.

Additionally, EU security researchers have announced in a research report (pdf) that they “found a way to exploit the RSA SecurID 800 token, as well as at least seven other tokens, by leveraging cryptographic flaws in the devices,” this article in Information Week states. Supposedly, the researchers took as little as 13 minutes to crack the token's security. However, RSA responded to the news with a big yawn, stating that while the results are “scientifically interesting, it does not demonstrate a new or useful attack against RSA SecurID 800.” I expect there will be more on this result in the coming weeks.

Further, an article in Computer World today reports that cyber criminals are targeting “high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication.” The new attack approach, which netted criminals at least £48 million in attacks against 60 institutions, is outlined in a report (pdf) put out by the security companies McAfee and Guardian Analytics.

Finally, Royal Bank of Scotland (RBS) Group customers are already seeing phishing emails trying to get their personal banking details in the wake of the computer system meltdown at RBS Group-owned banks over the past week. According to a story at SkyNews, “One of the emails pretends to be from Stephen Hester, the head of RBS, apologising for the problems at RBS and says a ‘security upgrade’ requires them to update their information.” The email sends the person to what is described as a realistic site where the person's bank account details are requested, and thereby stolen.

Unfortunately, it is likely that more than one RBS Group customer will fall for the phish, just as an employee of the U.S. Commodity Futures Trading Commission fell for a phishing email last month, which led to the possible compromise of personal information on all 700 employees working there. The incident was announced late last week. Maybe the CFTC should start using the phish email training software to try to educate its employees on how to recognize phishing emails.

As I said, an IT security mixed bag this week, and it’s only Wednesday.
