Comments on: FBI Investigating Theft of $500,000 from NY School District

By: ChuckD

ChuckD — Sun, 31 Jan 2010 21:54:59 +0000

Just posting to subscribe to this. I live within ten miles of this school district and have been in IT since before the internet, have not seen any follow-up on it. Looking forward to it.

And sorry, I have no contacts there, nor any inside info to offer.

Like or Dislike: 0 0

By: Most just don’t know

Most just don’t know — Thu, 28 Jan 2010 18:35:43 +0000

[...] hackers are using malware to steal banking information netting millions of dollars from business, schools and [...]

Like or Dislike: 0 0

By: Cyber Crooks Cooked the Books at Fla. Library — Krebs on Security

Cyber Crooks Cooked the Books at Fla. Library — Krebs on Security — Fri, 22 Jan 2010 17:06:23 +0000

[...] strongly suggests that the group that hit Delray Beach Public Library also was responsible for the $3,000,000 fraud perpetrated against Duanesburg Central School District in upstate New York late last year. var [...]

Like or Dislike: 0 0

By: Gary

Gary — Sun, 10 Jan 2010 19:35:50 +0000

Great Article.

Like or Dislike: 0 1

By: Rob Lewis

Rob Lewis — Fri, 08 Jan 2010 19:47:17 +0000

Awareness is a good thing, but unfortunately the current security model is so full of holes that there are few pragmatic ways to stop the bleeding, short of abandoning on-line banking. Even with that scenerio, there would be no full-proof guarantee that customer finances would be fully safe in the banks hands, since they are also dependent on vulnerability-centric defenses.

Like or Dislike: 1 0

By: MichaelFigueroa

MichaelFigueroa — Thu, 07 Jan 2010 20:22:33 +0000

Brian – I’ve been following you for years as a security consultant and as a CISO and am glad to see the new site up and active.

My partners and I have been debating who should be responsible for these attacks. On one hand, you can blame the banks for having poor business processes that do not account for the potential for misuse. On the other hand, you have the organizations themselves who have ignorant users who provide access to banking credentials.

Since I think that the argument can go either way (or both ways, which would be the reality), I think that it would be really interesting if you were to put up a “Wall of Education” page that lists the affected banks and organizations, sorted by dollar value of the attack. It would be interesting to see how many times individual banks start popping up.

Like or Dislike: 2 1

By: infosec_pro

infosec_pro — Thu, 07 Jan 2010 00:04:03 +0000

@BrianKrebs – thanks for sharing that email, and thanks to the author for being willing to have it shared. I think it should give a good argument against those who continue to blame the victims, that organization probably knows more about securing systems than most of your readers and still took big losses despite strong motivation to protect themselves with best in class measures. If they couldn’t stop the bleeding how is a local school district going to do so?

btw I served on a local (regional) school board for a few years, comparable in size to Duanesburg. Our entire IT budget would not have covered my present salary, and that’s probably true for most of the knowledgeable readers on here. It takes time and effort and diligent competence to properly manage and secure systems, that’s why it is so seldom done right. If local governments and schools spend money to get the resources they need to do the job right they get slammed by taxpayers and/or cut back in mission critical areas.

@ TheGeezer, “Parkinson Construction is not in the computer business.” Exactly the problem. It takes so much competence and diligence to properly secure desktop PCs that almost anyone not in the IT business cannot justify the expense to do it right, especially with the need for expertise so outstripping the available supply.

Like or Dislike: 3 0

By: TheGeezer

TheGeezer — Wed, 06 Jan 2010 18:12:14 +0000

You are right Rick that the registration is after the fact of installing the malware.
However, the malware is often accessed via a registered domain name.

The registrar’s role is therefore VERY important!
And yes, we can claim to not know how this happened. Was it again a fraudulently registered domain that should have been detected by the registrar? Or was it an employee downloading ‘free’ software? We don’t know how this happened. “not having a clue about operating systems and system security” is not the answer.

Let’s look at the example of the small business in D.C., Parkinson Construction, which fell victim to the Social Security Administration exploit which Brian reported on early december.
http://voices.washingtonpost.com/securityfix/2009/12/who_says_pay-per-click_revenue.html

The Zeus botnet SSA exploit was running in late November using the ccTLD of ‘.be’.
It should have been clear to any registrar that the US Social Security Administration does not register with DNS.be and does not use a fast-flux server. The registrar is in the computer business.
They should be able to see this and respond. Parkinson Construction is not in the computer business.
If this registrar had shown the same responsibility demonstrated by some others, Parkinson Construction would have received a ‘Host Not Found’ error message rather than a trojan.

The personal computer has become a necessary but dangerous appliance for most people and certainly for business.
No one is required to know electronics to be guaranteed safety from electrical shock from their dvd player.
You should not have to be a computer guru to avoid ‘software shock’ from your computer either.

The registrars need to have their focus redirected from bragging about how many domains they’ve registered to how few malevolent domains they’ve registered. They are the ones who should be the computer gurus, not victims like Mr. Parkinson and Duanesburg Central School District.
It doesn’t take much of a computer guru to know that the IRS and SSA are not located in Chili or Argentina.
Let the Registrar be responsible for the research. That would prevent the majority of these incidents.

Like or Dislike: 1 1

By: Flange

Flange — Wed, 06 Jan 2010 17:17:49 +0000

@Rick – Not sure if you are being sarcy with your last comment but dont blame the same old same old for if the same old was something else then given the driving factors / the cause of the effect there would still be theft and you would be playing the same track.

However if this is not the case then I agree with you that the USER is the problem and as someone stated before maybe a mandatory web usage IQ test is required to sift out those unfit for internet Banking. Although the Banks would have to agree on this and we all know what their stance is on profit margin related things.

Signed
Anonymous Coward

Like or Dislike: 0 0

By: BrianKrebs

BrianKrebs — Wed, 06 Jan 2010 06:18:53 +0000

A reader sent this to me via e-mail and I thought it was interesting enough that I got permission to excerpt part of it here.

—

I have read your column for many years and have always found you to be factual and on the cutting edge of cyber crime trends. I worked for an online financial services company for more than a decade. I was in their corporate security investigations group. I was the senior manager of investigations from late 2005 until I left and worked directly with law enforcement on the types of cases you have written about so well.

My group investigated all fraud activity perpetrated against it and I can tell you we dealt with the Russian or as we told everyone “Eastern European” groups since 2003. They started small by opening accounts with stolen identities and funding via ACH and experimented with stock pump and dump as early as December 2003. Our firm lost less then a million dollars in 2004 to ACH, wire fraud and pump and dump and a couple of million in 2005, but we fully reimbursed customers because of what it could do to our business if it became public. We had compromised customers sign a general release/non-disclosure form to protect our reputation. We also had these customers send us their hard drives or we performed remote diagnostics and as a result were highly familiar with the viruses and how credentials were being stolen. We referred all of these cases to law enforcement and I worked directly with different FBI and Secret Service agents on many of these cases. We also participated in Secret Service Electronic Crime Task force groups around the country during this time frame of 04/05.

2006 changed the course of history, as my firm lost more money between July and September then we had between 2001-June 2006, when we lost over $10 million. It was a result of pump and dump, as well as wire and ACH fraud. Of course this impacted everyone in the online brokerage business, but we were on the bleeding edge. As you well know, RBN and others learn quickly and they used all of the knowledge and skills they had accumulated over the past several years and they came at us hard and fast. We had founded a working group with NCFTA in Pittsburgh and had quarterly meetings to share all of this information and we also began sharing information directly via email within our working group real time to help combat this activity. It helped to slow it down, but we were never able to stop it.

The “bad guys” continue to evolve and your articles have well documented how this evolution is continuing. They still hit individual accounts at banks and brokerages, but the bigger targets are now small business and local governments.

Keep up the good work and hopefully you can bring more attention to this growing problem.

Well-loved. Like or Dislike: 4 0