May 27, 2010

Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned.

Treasury Credit Union -- Image courtesy Google Streetview

In most of the e-banking robberies I’ve written about to date, the victims have been small to mid-sized businesses that had their online bank accounts cleaned out after cyber thieves compromised the organization’s computers. This incident is notable because the entity that was both compromised and robbed was a bank.

The attack began Thursday, May 20, when the unidentified perpetrators started transferring funds out of an internal account at Treasury Credit Union, a financial institution that primarily serves employees of the U.S. Treasury Department in the state of Utah and their families. Treasury Credit Union President Steve Melgar said the thieves made at least 70 transfers before the fraud was stopped.

Melgar declined to say how much money was stolen, stating only that the total amount was likely to be in the “low six-figures.”

“We’re still trying to find out what net [loss] is, because some of the money came back or for whatever reason the transfers were rejected by the recipient bank,” Melgar said, adding that the FBI also is currently investigating the case. A spokeswoman for the Salt Lake City field office of the FBI declined to comment, saying the agency does not confirm or deny investigations.

Many of the transfers were in the sub-$5,000 range and went to so-called “money mules,” willing or unwitting individuals recruited over the Internet through work-at-home job schemes. Melgar said other, larger, transfers appear to have been sent to commercial bank accounts tied to various small businesses.

Melgar said some of the money mules apparently had a change of heart, but only after they’d withdrawn the stolen cash from their bank accounts and wired the money overseas to Ukraine as instructed.

“Some of the money mules went back to their banks after they’d Western Unioned the money, went back and talk to their branch manager or whoever and say they felt they may have committed fraud,” he said. “I guess something must have clicked in their head at that point.”

Melgar said it wasn’t clear whether any of the mules who reported the fraud to their banks had returned the “commissions” they make for helping thieves launder the money. In previous attacks I have written about, the mules were permitted to keep roughly 8 percent of the transfer amount, with any wire fees to be taken out of the commission. Earlier this month, the FBI said it is planning a law enforcement action against money mules in a bid to raise public awareness about the damage from these types of work-at-home employment schemes.

According to Melgar, the perpetrators who set up the bogus transactions had previously stolen a bank employee’s online login credentials after infecting the employee’s Microsoft Windows computer with a Trojan horse program. Melgar said investigators have not yet determined which particular strain of malware had infected the PC, adding that the bank’s installation of Symantec’s Norton Antivirus failed to detect the infection prior to the unauthorized transfers.

“That’s all part of our investigation, and we’re going to try to see how it was that this PC got infected,” Melgar said. “The truth is if you invite malicious software in, there’s probably not a lot at that point that’s going to stop it.”

Last July, organized thieves used money mules to steal tens of thousands of dollars from Huntington, W.V.-based First Sentry Bank.

32 thoughts on “Cyber Thieves Rob Treasury Credit Union”

  1. Carl

    I am wondering why the credit union would allow internet transfers from an internal account. That does not make sense. Is it possible that the hackers actually got access to the credit union’s processing system? Either way, it’s not the hackers that are brazen; it appears that the bank’s security is brazenly incompetent.

  2. Silly Wabbit

    While I understand that not all users of online banking are technically savvy, banks in general rely too much on secret questions as a poor man’s version of 2-factor authentication.

    This is no match for malware that sniffs and/or keylogs.

    If the banks offered RSA tokens, I’d pay for it. However, on the flipside, I can see that the bank would probably try to screw me over if there was ever a breach to my account if I was using a token…

    “You must have committed the fraud since it’s so unlikely to be hacked!”

  3. bgc

    One slight positive thing to come out of this story is that it makes it harder for banks to refuse to reimburse defrauded customers by holding them to higher levels of security than the banks have themselves. With any luck that might add some impetus to getting the whole system improved.

  4. Gan Shudi

    Well, Zeus and Spyeye can beat any 2 factor authentication including RSA tokens. BLADE will solve this issue I guess. Let’s wait for it.

    1. Matt

      That statement isn’t actually true, Gan.
      Trojans are defeating the standard two-factor electronic OTP tokens out there; however, there are a few solutions, including my own http://www.passwindow.com, which they cannot beat, as it can do transaction authentication, so the actual transaction information the user is authenticating is encoded into the visual challenge and is easily recognizable to the user (such as the last three digits of the destination account number, demonstrated here: http://www.passwindow.com/security.html#man_in_the_middle ). It is not possible for the trojans to construct a correct valid encoded visual challenge or to switch it from another transaction. In short, we need to move towards transaction authentication, not just OTP.

      PassWindow isn’t the only two-factor authentication system able to do this, although it is certainly the cheapest; many electronic tokens with keypads are also able to do a convoluted version of the same thing (transaction authentication). However, most banks in the first world don’t enable this feature, as it is seen as too time consuming for the user, who needs to manually enter transaction information into the device during a challenge-response method with the server.

      Another more usable two-factor system which is immune to trojan attacks would be the IBM ZTIC USB device, where the transaction details are displayed separately on a device screen from an encrypted channel directly with the bank’s server. The foundation of its security seems solid to me.
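Matt’s point that a transaction-bound code cannot be reused for a substituted transfer, shown as an added example (not PassWindow’s, IBM’s or any vendor’s code): a plain counter-based OTP beside one whose HMAC also covers the amount and destination account, with a constructed secret and constructed account numbers. The HMAC construction and truncation are assumptions modelled on HOTP, not any product’s actual scheme.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the user's token (or printed card) and
# the bank server. Real deployments provision a per-user secret; this one is made up.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _truncate(mac: bytes, digits: int) -> str:
    """HOTP-style dynamic truncation: take 4 bytes at an offset chosen by the
    last nibble of the MAC, mask the sign bit and keep `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def plain_otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Ordinary event-based OTP: the MAC covers only the counter, so the code
    says nothing about which transfer it authorizes."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_otp(secret: bytes, counter: int, amount_cents: int,
                    dest_account: str, digits: int = 6) -> str:
    """Transaction-bound OTP: amount and destination account are part of the MAC
    input, so a code computed for one transfer fails to verify for another."""
    msg = (struct.pack(">Q", counter) + struct.pack(">Q", amount_cents)
           + dest_account.encode("utf-8"))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_verifies(counter: int, amount_cents: int, dest_account: str,
                  code: str, bound: bool) -> bool:
    """Server-side check. With `bound=True` the server recomputes the code over
    the transfer details it actually received, not the ones the user saw."""
    if bound:
        expected = transaction_otp(SHARED_SECRET, counter, amount_cents, dest_account)
    else:
        expected = plain_otp(SHARED_SECRET, counter)
    return hmac.compare_digest(expected, code)


def simulate_tampering(bound: bool) -> dict:
    """The user authorizes a transfer to `user_dest` on a trusted display; malware
    on the PC rewrites the destination to a mule account before submission."""
    counter = 42
    user_amount, user_dest = 150_000, "ACCT-4411"   # constructed values
    mule_dest = "ACCT-9870"                          # constructed mule account
    if bound:
        code = transaction_otp(SHARED_SECRET, counter, user_amount, user_dest)
    else:
        code = plain_otp(SHARED_SECRET, counter)
    return {
        "legit_accepted": bank_verifies(counter, user_amount, user_dest, code, bound),
        "tampered_accepted": bank_verifies(counter, user_amount, mule_dest, code, bound),
    }


if __name__ == "__main__":
    print("plain OTP:", simulate_tampering(bound=False))
    print("transaction-bound OTP:", simulate_tampering(bound=True))
```

With the plain OTP both the intended and the rewritten transfer are accepted; with the transaction-bound code only the transfer the user actually saw verifies.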

      1. Michael

        Questions for Matt:
        1. Do “1” and “7” present a problem because they have the fewest digit-segments and hence are more breakable?
        2. Any progress on a powered PW card with single-use patterns?

        1. Matt

          Hi Michael, thanks for the questions; most people miss the subtleties of the character-set bias.

          Answer 1) Yes, you are correct. When the challenges are generated the algorithm takes into account a specific character’s bias and statistically removes it by adjusting the proportion of noise segments in relation to it and the overall challenge frames. Actually it’s more complicated than that because the character set isn’t as straightforward as you might think; there are multiples of many digits, a simple example would be 9’s with or without the bar at the top, which helps to add entropy. To remove any threat of long term statistical analysis against a user’s key pattern we pre-analyse / attack each key pattern, and since the information loss is predictable we can ensure very large necessary interception rates, numbers like 10000+. So a trojan would need to intercept 10000+ real life human authentications, which would be difficult to impossible to capture even over years of usage. Even if a Trojan did attempt a multi-year analysis on a particular user, the server keeps track of a user’s authentications and reissues a card if they go anywhere near their known interception breaking point. Actually there’s so much entropy available we can deliberately make life easier for Pete below, which I will explain in his reply.

          Answer 2) It seems the technology has finally matched the idea with regards to a powered card, and factories are able to produce a relatively cheap powered version at about US$20 a card; however, from a commercial point of view it’s a tough sell when the simple printed passwindow card costs less than a few cents to produce and would appear to have a lower administration cost, i.e. can’t be broken, malfunction etc. My main market is large countries with massive populations and rough lifestyles where they can’t even think about rolling out an electronic solution, so I’m just focusing on that at the moment but eventually will develop my electronic single use version for the extra security.

      2. Pete

        Matt, your system looks pretty damn annoying. I dread to think how a partially sighted person would use it. Congratulations on your PR though.

        1. Matt

          Hi Pete, well, it’s definitely less annoying than having your accounts emptied.

          Regarding the readability comment, actually there is a great answer to that. For a start you have to keep in mind that the difficulty of reading passwindow characters even at their most obfuscated in no way compares to the level of difficulty of reading the CAPTCHAs presented by the world’s most popular websites. I personally fail to read the average captcha presented at least half the time, so I shudder to think how partially sighted people are handling those, and yet someone has decided that it’s acceptable. The unique thing is that the size and difficulty of the key / challenge is entirely controllable by the server and also monitored and adjusted on-the-fly. So for a real user the first few challenges have very little obfuscational noise and are very easy to read. This initial lack of entropy is factored into the security analysis. From then on the server manages a user to make it as easy as possible specifically for them, which is relatively unique I believe as far as 2FA authentication goes. It can do this because so much is flexible about the method: amount of obfuscation, how many digits to request, speed of animation. It’s not a fire-and-forget method like many 2FA. In short, if you were using it and having trouble the server would adjust the challenges for you to make them easier for you to read and easier to use, and you probably wouldn’t notice the added security entropy being added elsewhere in the challenge to offset this.

          1. Pete

            You are clearly a sales guy with little experience of people with disabilities.
            I have a friend overseas whose dad can use 2FA and he’s blind but loves to travel, because the bank designed a methodology *all* its customers could use. Anyway, I’d swear that this whole thing comes down to too much automation, system openness and poor transaction risk modeling and not what silly 2FA solution people can sell to the bank.

          2. Matt

            Pete, please don’t attack me on a personal basis; you mentioned “partially sighted” users, not blind users, and I did my best to answer as honestly and factually as possible while ignoring your sarcastic PR comment. I am the inventor of PassWindow, not a sales guy, and I try to keep my opinions as impartial and factual as possible by always trying to mention other types of solutions which solve similar issues. If you believe I am wrong about a specific authentication fact please raise it, articulate your reasons and I will do you the courtesy of addressing it as honestly as I can. I think we are all here to try to solve a serious IT security problem Brian is trying to highlight, and I don’t think I am wrong to raise possible solutions where relevant, including my own.

            You mentioned “too much automation” and I agree, which is why I deliberately set out to put a simple human physical action into the authentication process to limit the automation of an electronic attack and ensure a user is present and aware, by the inherent nature of the process, of exactly what is requesting authentication. Better risk modelling will help, but like spammers, the attackers do their own risk modelling and adjust their attack behaviour appropriately to evade the filters; it appears they were enacting this risk monitoring evasion technique in the article above with many smaller transfers to multiple local mules before bouncing the money overseas. Tightly controlled automated transaction monitoring also poses a new risk to the business if false positive transaction locking ends up costing the business. There is no one solution, but a more comprehensive suite of solutions would go a long way to reducing the problem.

    1. Matt

      It looks good Gan, I hope it proves to be effective and usable for mass market acceptance. I don’t think there is any one solution to the multitude of security problems online. My only reservation would be, let’s assume it is 100% effective and the “other side” doesn’t figure out a way past or around it as they have done with many of the anti virus software products. We are not 100% sure the attack above was from a trojan. It is possibly an old school phishing attack to a page with a built in jabber instant messenger to relay the OTP token numbers to the bad guys with no trojan required. The recent tabnapping is a nice simple phishing attack with no obvious software solutions, and now with ICANN allowing anything goes in the address bar it is going to be very hard to distinguish domains registered with non-Latin character sets. It would be interesting to know the amount of bank fraud carried out by trojans vs phishing attacks; Brian might have those stats but the data could be very difficult to compile I imagine.

      1. Matt

        My bad, on rereading it appears they have evidence it was a trojan but they haven’t figured out what type. Perhaps blade could have helped 🙂

    2. Pete

      I hate to say it but running rapport internally in small CUs would have been very useful too.

  5. dward

    I hope we see some better standards with this stuff. I don’t know who’d set them; maybe the FDIC. But with spearphishing via PDFs and FLASH.. We can’t have a bank not totally locked down. And it might take a while to do but you’d only have to do it once.

    It scares me to death… to think… in some bank somewhere, FDIC insured, there’s a computer that can willy nilly surf the internet or open PDFs in Outlook.

    -As an example of crazy-

    My bank doesn’t even use the EV Cert on their main login page… They just have the POST fields go to an HTTPS. It’s crazy… Nobody over there even understands the point of an EV cert.

    check it out http://www.bbt.com

    I’ve written the phishing division several times but they just don’t get it.

    1. Michael

      Went to your http link, clicked on “Our secure logon” link and it says “The instant you sign in to BB&T OnLine banking, before your User ID and password leave your computer, we encrypt both using Secure Sockets Layer (SSL) technology.” Went next to https://www.bbt.com/ and it came up with a green EV cert. Beats me why any bank wouldn’t use https exclusively.

      1. Mike

        The problem with only encrypting the username/pw on transmission is that a bad guy can replace the unencrypted front page with one that captures the username/pw rather than encrypting them and sending them to the bank. (A hacker could have put up the same page, complete with “Our Secure Login” link, and you’d have no way to know that you weren’t talking to the bank’s server because the username and password fields aren’t on a secure page.) This is why you should never, ever enter a username and password unless the bar at the top of the screen is already green with an https:// at the front. (And if your bank doesn’t understand that, it’s a good sign that you shouldn’t be using them for online banking.)

  6. Louis

    As stated above, I love the idea of a bank getting hooked up.

    But in most cases I’ve seen, application whitelisting and network (egress) filtering would prevent most of it, and it does not cost much. Oh yeah, it involves properly managing your IT…

    I’ve done contractual work in a Canadian bank and all workstations are employee-based, not function-based. I have seen shared accounts for Bloomberg stations with Internet access enabled (Websense active) and R/W access to critical network shares. This is not about to change.

    As for a transaction-based authentication approach, knowing how businesses are, I would make it mandatory only for specific types of transactions. E.g. Unregistered payees

  7. mike

    The credit unions need to be constantly reminding its customers, employees, etc. about trojan viruses. This same credit union has a listing on repofinder.com that has no mention of this.

    1. Pete

      Incorrect, they need to realise or assume all machines are infected and start from there.

      1. xAdmin

        That goes against the first two Immutable Laws of Security:

        “Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore”

        We tend to take the programs and utilities we run for granted. We trust them to work as advertised and not harm our systems or corrupt our data. What we often don’t consider is that our computer is being controlled by the programs it’s running and those in control of it are the programmers who wrote the software. This isn’t a problem with normal software since we tell it when to run, what data to manipulate, and when to quit; we are able to exercise a measure of control. We still “own” our computer. With malware, “To run or not to run, that is the question” and those are our only two options.

        “Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore”

        As in #1, there’s a degree of trust that the operating system is doing what it’s supposed to be doing. If the OS is altered by a bad guy, then it’s doing his bidding, not yours.

        Game over man! Game over! ;P

  8. Mister Reiner

    This is what happens when you put a computer that has access to a financial system on the same network that has Internet access.

    Financial institutions should realize by now, that it’s impossible to guarantee the security of any user’s computer that has Internet access. Financial systems, including desktops used to access those systems, need to be put on completely isolated networks, either physically or virtually. There should be no way that a Trojanized desktop can directly access a financial system. Period.

    I hope Mr. Melgar realizes that the security of the network needs to be completely reassessed.

  9. The Real Pavel

    Hello Brian

    You did a nice job identifying Pavel Vrublevsky, but it is still not enough.

    RedEye user Profile

    http://s51.radikal.ru/i132/1005/cd/e07c8db74a92.png

    RedEye contact

    http://s47.radikal.ru/i115/1005/86/2d57a03490e9.png

    ICQ – 43432801

    He used the Crutop ICQ for Chronopay in 2004, and now there is NO ESCAPE for him.

    For proof, check the link below; he uses “TheScar” as his id.

    http://www.webhostingtalk.com/archive/index.php/t-261463.html

    RedEye – admin of crutop is no person other than Pavel Vrublevsky of Chronopay.

    He is the owner of Crutop, ETU Cash, RX Promotion, Standard Pay, Fethard Finance and Chronopay.

    Google his ICQ and mail-eye.com for more info.

    Regards,
    Indiana Jones

  10. MrMe

    Idiots using Norton was their first mistake, Norton is a POS. They need real network administration, not a bunch of welfare workers monkeying around on late 90s computers.

    You wouldn’t catch a library commission with this type of shitty security.

  11. Henry Hertz Hobbit

    I have looked at Blade in the past and as somebody who produces filter lists and a PAC filter it strikes me as long on promise that may be short on delivery. There just isn’t enough open information to say anything meaningful. All I know is I see one scheme after another like this touted as the next great thing that will cure all the world’s ills. Where is the one from Pennsylvania in seeing suspicious network traffic? How about the other one from North Carolina (Wake Forest) on ants/pheromones? Most of these schemes are either bogged down or gone. To me Blade looks like yet one more add-on that may end up going the same way. Real security doesn’t come from one more add-on but from a ground up design with security first where other measures of security are also onion layered on. But the base OS needs to be hardened to begin with. I have a multi-part question to ask though. What would have happened if that bank employee had been using:

    1. A Macintosh or a Linux machine?
    2. Firefox with the NoScript add-on?
    3. If desired my filters, but these other things come first? I must say I get a chuckle out of ClamAV pre-selecting Unix for my submissions. Other than the rootkits with their substitute ps, ls, and other system commands I just don’t see any Unix / Mac malware. It is supposedly there but every attempt I have made to get it has failed miserably except for two. There was that humorous one from when Apache was in /usr/local written in PERL. There are also those toolbars that don’t uninstall completely and leave a resident JavaScript running in Firefox. Now you know one of the things my filters prevent. I suspect Blade would say nothing about them. You have to blow away the Firefox config and start over.

    I strongly suspect if the bank employee had been using either a Macintosh or Linux the way I specified we would not be reading this and there would be no need for any comments. This isn’t a chortling by me. I am sitting on Windows malware samples that NAV, Microsoft’s AV, and other AV programs cannot detect. The files have an extension of “.BAD” tacked onto the end of them. Yes, I DO give them to the AV companies. But the AV companies are now too busy just taking care of the worms first. At one time they had enough time for the trojans but now they just don’t get around to most of them any more. I challenge the Blade designers with the encrypted scripts that have at most a 3/40 AV engine detection at VirusTotal (actually, it is normally ZERO) to see just how well BLADE stacks up against those encrypted scripts. Now you know why I say Firefox PLUS NoScript. The malware behind these nasty scripts is not “day zero”. It is now either “week two” or “month zero”. There is so much headed towards the AV companies that is the best they can do now. If Blade works it has to be doing something else to detect it, but I think the real world use of Blade may turn up glaring security holes. Look at all of the other things that came before it that were going to save the world that have never seen the light of day.

    Finally, I don’t think this bank can wait for Blade. They need something and they need it NOW! They also need it on their employees’ computers that are used from home. Note it was not the end users that caused the problem here – it was the Credit Union itself. It was an infected employee’s computer that caused the problem, not some customer.

  12. Henry Hertz Hobbit

    To xAdmin – thanks for the URL!

    I think I need to reveal a little more about that month zero malware. In constructing my filters I go through several dozen malware samples per week. What I have noticed for the really bad stuff is they change their binaries by twiddling variable names, etcetera, every 4-8 hours up to every 2-3 days. The older sample has risen slowly to 10/40 or if you are lucky to 20/40 at the end of week one. The problem is the new sample drops it right back down to about 6/40 again. Every few weeks they don’t just twiddle variable names or change the loops or whatever. They replace the old code with entirely new code that generally drops the detection rate right back down to the cellar (0/40) again. I hope that Blade can handle it. But I have learned to be very cautious when something is posed as something that will save the world. My PAC filter will not save the world; it is just one more onion layer of security that is easily disabled.
    The only thing that surprises me is that nobody has done it yet.

    Also, any authentication that could depend on something EXTERNAL to the PC that the hacker cannot alter (time based perhaps) would also be helpful. But if it is on the PC it is like Phil Zimmermann’s BassOmatic algorithm – something that can eventually be cracked. I don’t use BassOmatic. I use Twofish. The problem is I have almost nobody to use the OpenPGP encryption with. Instead we have Sarah Palin using a sloppily set up web-mail account with no encryption. We have President Obama with a Twitter account that some unemployed Frenchman accessed. I should add one more thing – my login hint for Windows which I almost never use is “locked out”. It has nothing to do with the password.

Comments are closed.