Cyber Bank Heist | TechSNAP 41

Find out how hackers robbed a bank for nearly $6 million dollars over the Internet, the Zappos security breach, the fall of the koobface botnet, and what happened to Megaupload.

Plus we look back at the web’s SOPA protest this week, and see where things stand.

All that, and much more, on this week’s episode of TechSNAP!


Show Notes:

Cyber Bank Heist Nets 5.3 Million Dollars

  • During the first three days of the new year, while the bank was closed for the holiday, thieves accessed a compromised computer at the South African Postbank and used it to transfer large sums of money into accounts they had opened over the preceding few months
  • They then used the compromised computer, and the credentials of a teller and a call center employee, to raise the withdrawal limits on their accounts
  • By 9 am on January 1st, numerous money mules started making trips to ATMs in Gauteng, KwaZulu-Natal and the Free State, unhindered by withdrawal limits
  • Withdrawals stopped around 6 am on January 3rd, before the bank reopened and the compromise was detected
  • In total, approximately 42 million South African rand were stolen (approximately 5.3 million USD, although some news stories reported the figure as 6.7 million USD). This appears to be around 1% of the entire holdings of the government-operated bank
  • The National Intelligence Agency (NIA) is investigating as Postbank is a government institution
  • Sources report that the bank’s fraud detection system failed to detect the extremely large withdrawals, and the fraud was not discovered until employees returned to the bank after the New Year’s holiday
  • Observers question why such low-level employees (a teller and a call center agent) had the access required to raise withdrawal limits
  • Investigators have not yet determined if the computers and passwords were compromised by the employees unwittingly, or if they were involved in the heist
  • Local Coverage
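The controls that failed here (limit raises by unprivileged roles, changes made while the bank was closed, and large withdrawal runs on recently opened accounts) are all things an audit-log check can catch. The following is an added example, not anything from Postbank or the coverage linked above; the event log, roles, thresholds and account-opening dates are all constructed for illustration.

```python
from datetime import datetime, date

# Constructed sample audit log (illustrative, not Postbank data):
# (timestamp, actor role, account, action, amount in rand)
EVENTS = [
    ("2012-01-01T02:10:00", "call_center", "ACC-1001", "limit_raise", 250_000),
    ("2012-01-01T02:12:00", "teller",      "ACC-1002", "limit_raise", 250_000),
    ("2012-01-01T09:05:00", "atm",         "ACC-1001", "withdrawal",   40_000),
    ("2012-01-01T09:30:00", "atm",         "ACC-1001", "withdrawal",   45_000),
    ("2012-01-02T11:00:00", "atm",         "ACC-1002", "withdrawal",   30_000),
    ("2012-01-04T10:00:00", "branch_mgr",  "ACC-2000", "limit_raise",  20_000),
    ("2012-01-04T12:00:00", "atm",         "ACC-2000", "withdrawal",    2_000),
]
# Constructed account-opening dates; the heist accounts were opened in the preceding months
ACCOUNT_OPENED = {"ACC-1001": "2011-11-20", "ACC-1002": "2011-12-05", "ACC-2000": "2008-03-01"}

LIMIT_APPROVERS = {"branch_mgr"}   # hypothetical policy: only these roles may raise limits
BUSINESS_HOURS = range(8, 17)      # 08:00 to 16:59
HOLIDAYS = {"2012-01-01", "2012-01-02"}
NEW_ACCOUNT_DAYS = 90              # accounts younger than this are treated as higher risk
DAILY_CAP = 50_000                 # per-account daily withdrawal total that should trigger review

def detect(events, opened):
    """Return a list of (timestamp, account, reason) alerts for the given audit events."""
    alerts = []
    daily_totals = {}
    for ts, role, acct, action, amount in events:
        t = datetime.fromisoformat(ts)
        day = t.date().isoformat()
        off_hours = t.hour not in BUSINESS_HOURS or day in HOLIDAYS or t.weekday() >= 5
        if action == "limit_raise":
            # Separation of duties: tellers and call center agents should not raise limits
            if role not in LIMIT_APPROVERS:
                alerts.append((ts, acct, f"limit raised by unprivileged role '{role}'"))
            # Limit changes while the bank is closed deserve a second look
            if off_hours:
                alerts.append((ts, acct, "limit raised outside business hours"))
            age_days = (t.date() - date.fromisoformat(opened[acct])).days
            if age_days < NEW_ACCOUNT_DAYS:
                alerts.append((ts, acct, f"limit raised on {age_days}-day-old account"))
        elif action == "withdrawal":
            # Aggregate per account per day so a run of ATM trips is judged as a whole
            total = daily_totals.get((acct, day), 0) + amount
            daily_totals[(acct, day)] = total
            if total > DAILY_CAP:
                alerts.append((ts, acct, f"daily withdrawals of {total} exceed cap"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, ACCOUNT_OPENED):
        print(*alert)
```

With the constructed log, the two holiday limit raises each trigger three alerts and the second ATM trip on ACC-1001 trips the daily cap, while the manager's weekday change on the old account raises nothing.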

Koobface operators go underground as researchers disclose their identities

  • The Koobface malware mostly targeted Facebook users, prompting them to download a newer version of Flash in order to watch a non-existent video. Rather than the expected Flash update, the users would be infected with malware
  • The malware operators made large sums of money by using the botnet of infected computers to perpetrate click fraud against pay-per-click advertising networks. “Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud”
  • Facebook and some researchers they had been working with released their findings, including the identities, social media accounts and other information they had gathered on those behind the malware
  • Within days of that disclosure, the attackers had shut down their C&C servers and rapidly began destroying the evidence against them. They also appear to have gone into hiding (likely to avoid prosecution or extradition)
  • With the shutdown of the C&C servers, and the disappearance of the operators, new infections of Koobface have dropped to near zero
  • Researchers question if exposing the operators was the right thing to do
  • Canadian researchers released a paper on Koobface in 2010. Rather than releasing the identities of the attackers, Infowar Monitor handed the information over to Canadian law enforcement
  • Additional Coverage

Shoe Retailer Zappos Hacked, 24 million customers compromised

  • Zappos, an online shoe retailer owned by Amazon, was compromised last week
  • Attackers gained access to the customer database after compromising a Zappos server in Kentucky, and using it to island-hop into the internal network
  • The Zappos customer database contained the names, email addresses, scrambled passwords, billing and shipping addresses, phone numbers and the last four digits of credit card numbers
  • It is unclear what is meant by ‘scrambled’ passwords; hopefully it means secure hashing
  • Zappos states rather clearly, and repeatedly, that their secure payment processing servers were not compromised, and that credit card and transaction data remains secure
  • Hopefully this means that Zappos takes its PCI-DSS compliance seriously, and the payment servers are isolated from the internal network that was invaded via the compromised server
  • Even without the full credit card data, the information from this compromise could be used quite successfully in spear phishing attacks
  • Zappos has reset and expired all customers’ passwords, forcing customers to choose new passwords
  • Zappos has disabled its phone systems in anticipation of an extremely high volume of support inquiries
  • Zappos Announcement

Researcher reveals that Stuxnet did not use a vulnerability in SCADA

  • Researcher Ralph Langner presented his findings at the S4 Conference on SCADA Systems
  • In his presentation, he revealed that the Stuxnet worm, while possessing many 0-day exploits to gain access to the protected computer systems, used a design flaw in the SCADA system, rather than an exploit, to perform the attack
  • Langner postulates that the goal of the Stuxnet worm was not to destroy the centrifuges, but to undetectably disrupt the process, making production impossible
  • The Stuxnet worm takes advantage of the fact that the input process image of the PLC is read/write rather than read-only, so the worm simply plays back the results of a known-good run to the controller while actually feeding the centrifuges bad instructions, resulting in unexplained, undesired results
  • Langner used his analysis to criticize both Siemens and the U.S. Department of Homeland Security for failing to take the security issues more seriously
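Because the controller trusts whatever sits in its input process image, a replayed recording looks perfectly healthy from inside the PLC, so the useful checks are the ones that compare the image against something independent: whether the same multi-cycle run of readings ever repeats bit-for-bit (real sensors carry noise), and whether the observed values actually follow what the controller is commanding. The code below is an added example and not part of Langner’s analysis or any Siemens tooling; the sensor tuples, command values and thresholds are constructed, and the assumption that genuine readings never repeat a whole window exactly is stated in the code.

```python
# Constructed sample input process images, one tuple per PLC scan cycle:
# (rotor speed, vibration, inlet pressure). Genuine readings carry measurement noise.
GENUINE = [
    (1064, 12, 300), (1065, 11, 301), (1063, 13, 299), (1066, 12, 300),
    (1064, 14, 302), (1065, 12, 301), (1063, 11, 300), (1064, 13, 299),
]
# Constructed replay: the first four genuine cycles written back verbatim after the real ones
REPLAYED = GENUINE + GENUINE[:4]
# Constructed commanded speeds (one per cycle): the controller asks for 1200 from cycle 9 on
COMMANDS = [1064] * 9 + [1200] * 3

def find_replay(cycles, window=4):
    """Return (earlier_start, later_start) for the first run of `window`
    consecutive snapshots that exactly repeats an earlier run, else None.
    Assumption: real sensors never reproduce a multi-cycle window bit-for-bit."""
    seen = {}
    for i in range(len(cycles) - window + 1):
        key = tuple(cycles[i:i + window])
        if key in seen:
            return seen[key], i
        seen[key] = i
    return None

def check_response(commands, cycles, speed_idx=0, settle=2, tol=5):
    """Flag cycles where the commanded speed changed but the speed seen in the
    input image had not followed `settle` cycles later (within `tol`).
    A replayed image keeps reporting the old healthy run whatever is commanded."""
    alerts = []
    for i in range(1, len(commands)):
        if commands[i] != commands[i - 1] and i + settle < len(cycles):
            observed = cycles[i + settle][speed_idx]
            if abs(observed - commands[i]) > tol:
                alerts.append((i, commands[i], observed))
    return alerts

if __name__ == "__main__":
    print("replay in genuine data:", find_replay(GENUINE))
    print("replay in replayed data:", find_replay(REPLAYED))
    print("unresponsive cycles:", check_response(COMMANDS, REPLAYED))
```

Both checks need data that the PLC itself did not produce (a history of the image and the commanded setpoints), which is exactly what a read/write input image lets an attacker hide from the controller alone.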
