It's like a bad movie plot, only IRL.
February 14, 2015 3:03 PM   Subscribe

"Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that." The New York Times reports that hackers have pulled off the first successful bank heist from banks in Russia, Japan, the U.S., and Europe.

"The American Bankers Association declined to comment, and an executive there, Douglas Johnson, said the group would let the financial services center’s statement serve as the only comment. Investigators at Interpol said their digital crimes specialists in Singapore were coordinating an investigation with law enforcement in affected countries. In the Netherlands, the Dutch High Tech Crime Unit, a division of the Dutch National Police that investigates some of the world’s most advanced financial cybercrime, has also been briefed."

Ars Technica is also following the story, and will likely have a technical detail updated once more information from Kaspersky Labs is released on Monday.
posted by daq (71 comments total) 26 users marked this as a favorite
 
Does this mean we get to live in a post-money society?
posted by oceanjesse at 3:07 PM on February 14, 2015 [3 favorites]


It's like a bad movie plot, only IRL.

This becomes more supporting evidence for my theory that reality actually DID end on 12/21/2012 and it was immediately replaced by Hollywood Screenwriter Reality.

It's really the only way to explain what's gone on in the world over the past few years.
posted by hippybear at 3:14 PM on February 14, 2015 [53 favorites]


I'm just stoked someone managed to pull this off. This took patience, planning, and discipline. I mean, seriously, whoever planned this operation is really smart, knew how to keep their cool, avoid detection, impersonate bank officers in several different cultures (I mean, that takes some crazy skills and a massive dose of confidence), rig ATM's to start spewing out cash at a set time when an accomplice would be waiting to scoop up the cash.

It's life imitating art.

Oh, and apparently it is still going on...
posted by daq at 3:14 PM on February 14, 2015 [5 favorites]


Am I the only one upon reading this post immediately went and checked their balance online?
posted by valkane at 3:21 PM on February 14, 2015 [5 favorites]


immediately went and checked their balance online?

Maybe you should check it agian now that you've given the bad guys a chance to sniff your login credentials.
posted by localroger at 3:24 PM on February 14, 2015 [23 favorites]


Hey, how do you wealthy types feel about consensually reasonable taxation now?
posted by clockzero at 3:24 PM on February 14, 2015 [3 favorites]


The first we know about.
posted by fullerine at 3:28 PM on February 14, 2015 [2 favorites]


"I need to borrow 5 thousand dollars"

"What? Why?"

"There was a vast shadowy Internet bank robbery!"

"Is that a new suit?"

"VAST SHADOWY INTERNET BANK ROBBERY!"
posted by The Whelk at 3:30 PM on February 14, 2015 [6 favorites]


The only thing I want to steal is that dude's Weyland-Yutani shirt.
posted by Pope Guilty at 3:36 PM on February 14, 2015 [18 favorites]


This becomes more supporting evidence for my theory that reality actually DID end on 12/21/2012 and it was immediately replaced by Hollywood Screenwriter Reality.

I like this, but I wonder if it might have been the y2k bug that did us in. Airplanes into the twin towers? Really?
posted by nobody at 3:39 PM on February 14, 2015 [6 favorites]


Secure your bitcoins under my bespoke digital mattresses, Kickstarter launching soon.
posted by Behemoth at 3:39 PM on February 14, 2015 [3 favorites]


I read that the first thing the hackers do, once they've taken control of your system, is test things out by inserting typos. It's subtle at first, but they do it again and agian until you're fully compromised.
posted by Elmore at 3:40 PM on February 14, 2015 [29 favorites]


Well...fuck this shit.

I'm outta here...
posted by Thorzdad at 3:40 PM on February 14, 2015


Ablazing that it took cash vomiting ATMs to do a security audi. But then again, highly targeted fishing attacks are very difficult to protect against. Malware is fairly easy to hide from antivirus and even easier to trick people to install.
posted by Foci for Analysis at 3:41 PM on February 14, 2015


Maybe you should check it agian now that you've given the bad guys a chance to sniff your login credentials.

Oh, someone guessed your maximum-of-eight-characters password? Hey, no biggie, we'll just use 2 factor authentication to verify your identity over the unauthenticated, plain text SMS system.

I swear, the financial services industry is completely staffed with mouth breathing booger eaters. Probably as a consequence of seeing IT and security as a cost center rather than THE ENTIRE REASON THAT THEY EXIST.
posted by indubitable at 3:42 PM on February 14, 2015 [73 favorites]


Oh, someone guessed your maximum-of-eight-characters password? Hey, no biggie, we'll just use 2 factor authentication to verify your identity over the unauthenticated, plain text SMS system.

Though could a non-state actor scalably intercept SMSes well enough to use this against random bank customers' accounts?
posted by acb at 3:50 PM on February 14, 2015 [1 favorite]


Nyes?
posted by Elmore at 3:52 PM on February 14, 2015


This was (is) a bold and fascinating heist -- I wonder if they tripped anything up badly enough that they're going to get caught. The scale of this means there's a lot of co-conspirators to keep happy lest they develop a severe case of confessionitis.
posted by chimaera at 3:52 PM on February 14, 2015


Literally nothing surprises me after I was fired from Hudson Valley Community College BY THE INFORMATION SECURITY OFFICER for apparent reason other than I wouldn't conceal her criminal misconduct sabotaging the risk-management controls mandated by the policy she's duty bound to implement.

Good faith?

Enlightened self-interest?

hahahahaha!

The surprise is that it's taken so long, and it's not happening every damned hour.
posted by mikelieman at 3:53 PM on February 14, 2015 [1 favorite]


Though could a non-state actor scalably intercept SMSes well enough to use this against random bank customers' accounts?

Absolutely. It has already been done to steal "valuable" (read: single-character name) Instagram accounts. All it takes is to convince a support flunky at your mobile provider to redirect all calls and SMS to [ATTACKER NUMBER]

There are also attacks possible through manipulating SS7 signalling that were presented recently at 31c3, which is a whole other can of worms.
posted by indubitable at 3:54 PM on February 14, 2015 [7 favorites]


This becomes more supporting evidence for my theory that reality actually DID end on 12/21/2012 and it was immediately replaced by Hollywood Screenwriter Reality.

I've long had a theory that the Large Hadron Collider really did flip us into an alternate universe when it was first activated on September 10, 2008 - just as some predictions had warned it would. Unfortunately, it turned out to be a universe where the world's financial system didn't function, as we all realised six days later when the news about Lehman Brothers broke. We've all been living in that new universe ever since, and may never escape it now.
posted by Paul Slade at 4:01 PM on February 14, 2015 [31 favorites]


Does this mean we get to live in a post-money society?

Yeah. Just give the criminals ALL the money. Then it will be worthless.

Then we can all become immensely rich if we just adopt leaves as legal tender. We just have to solve the inflation problem, on account of the high level of leaf availability.
posted by charlie don't surf at 4:18 PM on February 14, 2015 [2 favorites]


immediately went and checked their balance online?

Clever thing attackers did was they would pick an account, raise the balance on that account, then transfer off the money they added so that, to the customer, the account had the same balance. So, checking your balance wouldn't reveal it. I'm sure after the transfer they erased both the "deposit" and "transfer" so that your account transaction list wouldn't show it either.

Maybe you should check it agian now that you've given the bad guys a chance to sniff your login credentials.

They had enough access to change the balances in your account already. Why would they bother with credentials that let them manipulate one account when they can already manipulate all of them?

Seriously, they're not interested in your credentials, they're already root.
posted by eriko at 4:20 PM on February 14, 2015 [16 favorites]


Can't believe we've gotten this far and nobody's mentioned Richard Pryor in Superman III yet. OVERIDE ALL SECURITY
posted by ArmandoAkimbo at 4:22 PM on February 14, 2015 [6 favorites]


Don't worry, a little known aspect of quantitative easing will allow the relevant central banks to simply give the banks the money they've lost, because what's the difference, really, between losing money when fraudulent mortgage schemes you've concocted finally implode and losing it to theft because your security protocols are so lax?

And the whole thing will go so swimmingly that soon banks will require passwords to be seven characters or less, then six, etc -- and as with mortgages, they won't have to put the money they're given back into your account, of course.
posted by jamjam at 4:23 PM on February 14, 2015 [1 favorite]


I kinda would like to know why a banking officer needs to be able to arbitrarily change the balances on an account without an audit being triggered.
posted by RobotVoodooPower at 4:55 PM on February 14, 2015 [17 favorites]


charlie don't surf gets bonus points for his H2G2 reference.
posted by hippybear at 4:57 PM on February 14, 2015 [4 favorites]


The surprise is that it's taken so long, and it's not happening every damned hour.

What makes you think it ISN'T happening every damned hour?

This isn't a malware problem. This is an APT, an Advanced Persistent Threat. The first reports indicate the APT mimicked the traffic and behavior of bank transactions so accurately, nobody could distinguish them from real transactions. This takes persistent, long term effort.

So for me, that raises a bigger question. I don't really see much difference between financial fraud committed by People's Liberation Army Unit 61398 or Lehman Brothers.
posted by charlie don't surf at 5:02 PM on February 14, 2015 [4 favorites]


. . . first successful bank heist from banks in Russia, Japan, the U.S., and Europe.

Wait, just the first successful heist from banks in each of these countries simultaneously? Because it's definitely not the first successful, high dollar direct attack on bank systems - e.g.:

Eight charged in connection with high-tech US$45m bank heist [May 2013]
posted by ryanshepard at 5:02 PM on February 14, 2015 [1 favorite]


My debt heavy portfolio is looking pretty good now.
posted by jeffamaphone at 5:18 PM on February 14, 2015 [20 favorites]


Wait, just the first successful heist from banks in each of these countries simultaneously?

Well, the ATM hacks are likely to get caught (there are a lot of security camera's around almost every ATM in the world, at least the ones owned and controlled by most banks), and I wouldn't be surprised if that was not part of the same operation.

Until Monday when the report is released, we won't have much details, but given that the article claims 100's of banks across the world all being compromised, and no named suspects other than the "Carbanak cybergang", I would say, yes, successful in that they haven't been caught yet.

All those others from 2013 were quickly apprehended by law enforcement. That means "unsuccessful" to me, but where you draw that line is up to you.
posted by daq at 5:26 PM on February 14, 2015


Pardon my ignorance here, but would this have anything to do with Bank of America sending out letters last week, announcing our ATM cards MAY have been compromised at a merchant and are being replaced, when in fact what they did was send out new ATM cards with the chip? That there was no hack like the ones that occurred with Home Depot or Target?
posted by etaoin at 5:51 PM on February 14, 2015


Theft on this scale has to involve people working for national security agencies, or at least paying off people who work there.

Clever thing attackers did was they would pick an account, raise the balance on that account, then transfer off the money they added so that, to the customer, the account had the same balance. So, checking your balance wouldn't reveal it. I'm sure after the transfer they erased both the "deposit" and "transfer" so that your account transaction list wouldn't show it either.

I would hope that if they transferred a billion dollars through my account I would at least get to keep the interest -- even if it only sat there for a day, it should be a nice little bonus.
posted by Dip Flash at 6:31 PM on February 14, 2015


Which Superman movie is this one like?
posted by dirigibleman at 6:36 PM on February 14, 2015 [1 favorite]


The money would rest in the legitimate account only briefly, between balances being checked every the ten hour window.
posted by saucysault at 6:41 PM on February 14, 2015


Which Superman movie is this one like?
Superman III, see my previous post for the documentary-like movie clip.
posted by ArmandoAkimbo at 6:50 PM on February 14, 2015


It's life imitating art

The thing with complex crime done well is that they don't get caught. No evidence, no talk(bragging) about the crime, and they don't go out buying yellow Lambos the next day. It's not sexy, and they just don't get caught.

And with banks, they have an incentive to cover up theft because nobody wants to be a customer at a bank seen as vulnerable.

So yeah, maybe this is one of the first times we are hearing about a Billy getting jacked this way, but it is definitely not unique.

A bigger theft might be happening right now at YOUR bank, and it's more than likely that anybody who knows about it has incentive to keep their mouth shut.
posted by hal_c_on at 7:12 PM on February 14, 2015


popeguilty - Weyland-Yutani t-shirts
posted by cromagnon at 7:13 PM on February 14, 2015 [4 favorites]


We've all been saying this was going to happen eventually. Well here it is, or at least probably so, Kaspersky is a reliable source.

We fundamentally do not know how to build secure networked systems. The moment you make a computer usefully networked (say, by receiving email or looking at web pages) you open a hole in one of the veins and start pumping random chemicals from the outside into your network. No measures to make that open wound safe ever work completely.

It's going to get worse. It may never get better.
posted by Nelson at 7:14 PM on February 14, 2015 [1 favorite]


Is this war-laundering?
posted by Oyéah at 7:27 PM on February 14, 2015


All those others from 2013 were quickly apprehended by law enforcement. That means "unsuccessful" to me, but where you draw that line is up to you.

If my memory serves me correctly, authorities caught the NY ring, but not any of the culprits in any of the other countries that were hit.
posted by billyfleetwood at 7:27 PM on February 14, 2015


Three hundred million is not that much here, but it is in Russia. Interesting where the money went, at least temporarily, maybe it is an occult payroll.
posted by Oyéah at 7:31 PM on February 14, 2015


I follow @AuthenticWmGibs for this sort of thing with the EXPLICIT understanding that life take at least another decade to imitate art. But at least they didn't launder it through a fetal stem-cell market in the D.F.
They didn't, did they?
*sigh*
I guess i should read the whole article.
posted by The Legit Republic of Blanketsburg at 7:36 PM on February 14, 2015 [2 favorites]


Abt natural, I have a gub.
posted by charlie don't surf at 7:43 PM on February 14, 2015 [3 favorites]


I read the whole article, ate the whole artichoke, so one theory is it has to be an activity of state. So the money left one state, appearing as a theft, with an intermediate stopover, then went on to do what it was deigned to do, which is to originate and pay out in an occult fashion. That they think it is much more than three hundred million means probably it is one way things routinely get done. Good luck Kaspersky.
posted by Oyéah at 7:49 PM on February 14, 2015 [1 favorite]


Pardon my ignorance here, but would this have anything to do with Bank of America sending out letters last week, announcing our ATM cards MAY have been compromised at a merchant and are being replaced, when in fact what they did was send out new ATM cards with the chip? That there was no hack like the ones that occurred with Home Depot or Target?

There have been other breaches involving large scale credit card theft since Home Depot / Target - e.g. Staples [discovered Dec. '14], multiple airport parking vendors [ditto], and Marriott [this month]. Point-of-sale system malware is becoming endemic, too. And there's also good old fashioned employee theft, which seems to be netting ever-larger numbers of cards.
posted by ryanshepard at 8:03 PM on February 14, 2015 [3 favorites]


one theory is it has to be an activity of state.

I think you're underestimating the persistence of organized crime. Why the hell would a government want a few measly hundred mil? They want more.
posted by charlie don't surf at 8:03 PM on February 14, 2015 [1 favorite]


We had a point-of-sale malware attack at my little college campus, of all things. It's everywhere. (The bank simply canceled every single card that had ever been used there, without notifying anyone in advance. "Oh, you must work at the college," said the cashier at the local Wegmans, cheerily, as I stared in puzzlement at my suddenly non-functional card. "Lots of you with the same problem today.")
posted by thomas j wise at 8:10 PM on February 14, 2015


Maybe I'm a little too cynical, maybe I've been watching too many spy movies, maybe I just want this to be more exciting than it is, but my hunch is that Kaspersky (as a front for the KGB, obvz) themselves stole the money, and are reporting their "discovery" to come off all heroic (thereby putting themselves out there as the guys you want poking around in your banking software, potentially opening up more heisty avenues) while foiling detection by beating the sleuths to the punch and having a "legitimate" reason for their prints to be all over the murder weapon.

Now if you'll excuse me, there's a stern-looking gentleman with a ricin-tipped umbrella ringing my doorbell...
posted by Sys Rq at 8:25 PM on February 14, 2015 [3 favorites]


We just have to solve the inflation problem, on account of the high level of leaf availability.

*sigh* What do you think global warming is for?
posted by sexyrobot at 8:36 PM on February 14, 2015 [2 favorites]


Has anyone checked into Setec Astronomy recently?
posted by Halloween Jack at 8:38 PM on February 14, 2015 [1 favorite]


We had a point-of-sale malware attack at my little college campus, of all things. It's everywhere.

What school is this? Pepperdine? London School of Economics? I am mostly kidding, crooks generally don't have a reason to target starving students, other than that they *can*. Students are small potatoes. Only petty criminals go after the small change.

The surest way to prevent crime is to have nothing worth stealing. But if you do have something worth stealing, your best bet is to park it next to a more attractive target.

Now if you'll excuse me, there's a stern-looking gentleman with a ricin-tipped umbrella ringing my doorbell...

Nah, you're small potatoes. If you were really someone, he'd have a Polonium-tipped umbrella.
posted by charlie don't surf at 8:50 PM on February 14, 2015


The only thing I want to steal is that dude's Weyland-Yutani shirt.

The first thing I googled after seeing the article.
posted by Samizdata at 12:05 AM on February 15, 2015


Has anyone checked into Setec Astronomy recently?

Look, man, no more secrets, okay?

Seriously though, this is bad, but I was arguing with someone recently who claimed all of this was US IT incompetence. I said it wasn't and compared to being put in a smallish room with 50+ overly violent types armed with knives and being told "No blood. Not even a spot on you. We'll be back in a few days."

This was the best way I could see to try and give a non-technical person an idea of the magnitude of the problem. The fact that there are hundreds of thousands (plus) attacks off all kinds 24/7/365. These actors are coming from many places, using many types of attacks, and, relatively speaking, they never sleep.
posted by Samizdata at 12:18 AM on February 15, 2015 [1 favorite]


I dunno, man. I'm not sure you could convince me the guys that invented credit card security protocols in the US are competent. A number + your zip code? Do they even know what security is?
posted by ryanrs at 1:34 AM on February 15, 2015


Question: If a bank which was publicly traded in the US was among those hit, would it be required to disclose the loss in SEC filings at some point? (I suspect the answer may be that the amounts we're talking about — the article cites $7.3M from one bank and $10M from another — are so small compared to the operating budgets of large banks that they're easily hidden within some more general losses budget line — but perhaps someone more knowledgeable than I could comment.)
posted by DevilsAdvocate at 2:27 AM on February 15, 2015


Using the access gained by impersonating the banking officers, the criminals first would inflate a balance — for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened.

So wait, is this theft or counterfeiting and laundering? Seems more like the later to me.
posted by butterstick at 4:17 AM on February 15, 2015 [1 favorite]


I just want to know which bank the thieves are using to hold all their money.
posted by amicus at 6:03 AM on February 15, 2015


> Now if you'll excuse me, there's a stern-looking gentleman with a ricin-tipped umbrella ringing my doorbell...

He'll have to wait, I've got to bathe and shave for my date with Rosa Klebb.
posted by jfuller at 6:15 AM on February 15, 2015


How much do you want to bet that this money will end up in the super-prime sector of the London property market, and a few new Russian biznesmeni will ascend to the pantheon of Belgravia oligarchs, this time with backstories of being “technology entrepreneurs” rather than oil/iron/natural-resources magnates, and the obliging establishment not asking too hard about the provenance of their fortunes.

In the 1990s, the key to being a newly-minted London gentleman was to use your KGB connections to loot the treasuries of various Soviet republics and/or buy state-run enterprises at mates' rates. Now massively scalable cybercrime (possibly involving intelligence connections; can anyone rule out the FSB's resources being used in preparing such sophisticated malware?) could fill that role.
posted by acb at 7:19 AM on February 15, 2015 [1 favorite]


> can anyone rule out the FSB's resources being used in preparing such sophisticated malware?

Hey hey hey, absence of evidence is not evidence of absence!
posted by I-Write-Essays at 7:29 AM on February 15, 2015


It could well be that the Russian mafiya has the resources to build STUXNET-level malware by itself (after all, the former USSR was awash with unemployed PhDs who learned everything they knew about the ethics of operating under a market economy from Soviet propaganda). Though, if reportage such as Luke Harding's Mafia State is anything to go by, nothing happens in the Russian underworld without the power hierarchy in the Kremlin knowing about it and taking its share, and Putin is, in effect, the capo del capi. That could extend to the FSB requiring the services of private-sector malware creators, or informally lending its capabilities to the gangsters who follow the code (no attacks at home, but rip off the “amers” and decadent gay-loving Europeans as much as you want). After all, creating a debt obligation is another means of control.
posted by acb at 7:44 AM on February 15, 2015


How to buy a condo at Time Warner.
posted by Oyéah at 8:35 AM on February 15, 2015


Surely there has to be a way to disable all links in email.
posted by persona au gratin at 2:11 PM on February 15, 2015


Clever thing attackers did was they would pick an account, raise the balance on that account, then transfer off the money they added so that, to the customer, the account had the same balance. So, checking your balance wouldn't reveal it. I'm sure after the transfer they erased both the "deposit" and "transfer" so that your account transaction list wouldn't show it either.

With that level of access, is there a reason they didn't raise the balance of their own accounts directly instead?
posted by ymgve at 4:40 PM on February 15, 2015


With that level of access, is there a reason they didn't raise the balance of their own accounts directly instead?

Because I suspect that might have triggered more flags than they wanted to deal with.
posted by Samizdata at 5:16 PM on February 15, 2015 [2 favorites]


Brian Krebs gives some technical details, it looks like this APT was already known and published months ago:

The Great Bank Heist, or Death by 1,000 Cuts?

The Times’ story, “Bank Hackers Steal Millions Via Malware,” looks at the activities of an Eastern European cybercrime group that Russian security firm Kaspersky Lab calls the “Carbanak” gang. According to Kaspersky, this group deployed malware via phishing scams to get inside of computers at more than 100 banks and steal upwards of USD $300 million — possibly as high as USD $1 billion.

Such jaw-dropping numbers were missing from a story I wrote in December 2014 about this same outfit, Gang Hacked ATMs From Inside Banks. That piece was based on similar research published jointly by Dutch security firm Fox-IT and by Group-IB, a Russian computer forensics company. Fox-IT and Group-IB called the crime group “Anunak,” and described how the crooks sent malware laced Microsoft Office attachments in spear phishing attacks to compromise specific users inside targeted banks.

posted by charlie don't surf at 9:09 AM on February 16, 2015


charlie don't surf: "I am mostly kidding, crooks generally don't have a reason to target starving students, other than that they *can*. Students are small potatoes. Only petty criminals go after the small change. "

The thing about universities is that there's a lot of them, and they tend to have easily findable email rosters. So what you do is look where university names intersect bank names. For example, Oregon State University Federal Credit Union. Then you write up a fake 'reset your password' notice for the bank and send it to everyone you find in the inevitably wide open campus LDAP server.

It's small potatoes in comparison to rooting an investment bank, but professors aren't poor, and there's a lot of them.
posted by pwnguin at 9:59 PM on February 17, 2015 [1 favorite]


It's small potatoes in comparison to rooting an investment bank, but professors aren't poor, and there's a lot of them.

Consider also that these days, student loans are disbursed electronically and that the balances are often given on ATM cards. So, if you want to take, say $100 from 10,000 people under the radar ( memo: Student Fees Adjustment) , all of a sudden, you're talking a million bucks.

Hmmm... That community college I mentioned where the Information Security Officer fired me for not concealing her sabotage of the required risk-management controls? They payout loans like that....
posted by mikelieman at 3:23 AM on February 18, 2015


Well, there's small potatoes, and then there's "salami." That's an antiquted hacker's term for skimming unnoticeable amounts off many accounts. The idea is, if a butcher just took one thin slice off every salami sausage he sold, pretty soon he'd have a mountain of meat. But slicing salami is hard work, it's almost not worth the effort.
posted by charlie don't surf at 9:17 AM on February 18, 2015


But slicing salami is hard work, it's almost not worth the effort.

Yeah, but that's a rational analysis. Factor in the basic fact that people -- for various motivations -- act irrationally all the time, and even though it's hard work and *almost* not worth the effort, it's still a risk that needs to be mitigated through the traditionally known controls.
posted by mikelieman at 1:06 PM on February 18, 2015


« Older "...safe, somewhat organic, and guaranteed to...   |   The Gaeneviad Newer »


This thread has been archived and is closed to new comments