I guess someone ran out of Luuuk.
Attackers have pulled off a lucrative lightning raid on a single beleaguered bank stealing half a million euros in a week, Kaspersky researchers say. The crims stole between €17,000 and €39,000 from each of 190 Italian and Turkish bank accounts, with a single continuous attack. Man-in-the-middle attackers used stolen bank …
Thursday 26th June 2014 08:10 GMT Alienrat
Why don't they take the money back? For money to transfer out of a bank account surely it has to go somewhere? Its not like it is bitcoins or something so cant they just go to that account and say transfer back?
Would it not be the same as breaking into a bank with a gun and asking them to transfer all the money to your account?
On the plus side, if these are Italian banks, then people are already used to the government doing the same thing, so it isn't that much of a shock.
Thursday 26th June 2014 09:32 GMT MikeOxlong
It went from Compromised banking details on computer,
nefarious rapscallions take the details and via online banking, transfer large wire payment to mule account. (This is tracked)
Lowlife criminal, with bank card for mule account, goes and takes cash from ATM's over the course of a week.
You are left with a mule account, (setup with fake details maybe?) with no money in, and some blurry non identifiable images of a person who even if you can identify him, doesn't have the money anyway as he's western union, money transferred it, "clean" to his overlords.
Thursday 26th June 2014 08:18 GMT Khaptain
Mule Accounts ???
Those mule accounts were created by someone at some point in time, who.
Also, ATM transactions are usually limited to a certain amount per month, so how on earth did they manage to pull out 1/2 Million so quickyl. That equates to a hell of a lot of ATM transactions and a lot of ATM cards.
ATM machine have cameras in them, or were they switched off.
Don't the banks have automatic alerts when certain machine are put into overuse ?
Questions, questions, questions.... Something doesn't quite add up here, either the bansk are incredibly stupid or they had inside help.
Thursday 26th June 2014 09:22 GMT MikeOxlong
Re: Mule Accounts ???
Buy cheap second hand nondescript push bike.
put in back of car,
park near to town center around 11pm.
Ride bike with cycling gear including helmet and glasses.
Or wear a hoodie and a baseball cap
With your 6 bank cards for 6 accounts, go and visit each banks terminal over the course of 45 minutes.
6 banks Maximum withdrawl of £300 per bank = £1,800.
Go and sit in a bar, drink a soft drink. chill out.
Wait for midnight.
Go round the cash machines again (maybe change clothes?) in 45 minutes.
£3,600 for Monday / Tuesday.
£3,600 Wednesday / Thursday
£3,600 Friday / Sat
£1,800 for Sunday.
£12,600 per week on a small scale in one town, with one person and the minimum amount of time used.
Trustworthy mules get more accounts to control. + a larger cut.
Erm, Do I know entirely too much about this?
Thursday 26th June 2014 09:39 GMT fandom
Thursday 26th June 2014 09:06 GMT Anonymous Coward
Where the hell were the automatic systems to detect fraud?
If I started pulling 10+k out of my account via ATM, I'd sure as hell would like them to suspend the payments, and as pointed out, is there no daily limit on these withdraws?
This just makes no sense, unless these banks are either incompetent or corrupt and in on the act.
Thursday 26th June 2014 09:43 GMT Anonymous Coward
Thursday 26th June 2014 12:51 GMT Peter2
Re: We know from the Reg last year that two-factor isn't enough any more...
You could implement a half decent security system easily and cheaply if you wanted to along the lines of Phonefactor (now Azure Multifactor)
You make an attempt to withdraw money from your account (eg, ATM) your phone then gets a telephone call with a automated message from the bank saying:-
"There has been a request to withdraw <amount> from your account via <method>. To allow this request, please press #. Alternately, if this request was not initiated by you, please dial 999 and we will temporarily lock your account and begin a fraud investigation."
If you do the authentication on your phone, the money comes out. If not, it doesn't. Easily accessible, since virtually everybody has a mobile, and impenetrable short of having your bank card, PIN and mobile stolen similtaniously and used before getting either your mobile or your bank account disabled.
Friday 27th June 2014 07:59 GMT Pascal Monett
Wait a minute
This attack lasted an entire week and it takes a Kaspersky to find out about it ?
What were the analysts doing in the bank, twiddling their thumbs ? Weren't there any red flags raised about suspicious or unusual activity ?
Or is a loss of half a million euros too little to worry about for a bank ?