Network News

X My Profile
View More Activity

PC Invader Costs Ky. County $415,000

Cyber criminals based in Ukraine stole $415,000 from the coffers of Bullitt County, Kentucky this week. The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks.

bullittcar.JPG

Bullitt County Attorney Walt Sholar said the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country (some individuals received multiple payments). On June 29, the county's bank realized something was wrong, and began requesting that the banks receiving those transfers start reversing them, Sholar said.

"Our bank told us they would know by Thursday how many of those transactions would be able to be reversed," Sholar said. "They told us they thought we would get some of the money back, they just weren't sure how much."

Sholar said the unauthorized transfers appear to have been driven by "some kind computer virus." Security Fix has been communicating with a cyber crime investigator who is familiar with the case. What follows is a description of the malicious software used, a blow-by-blow account of how the attackers worked the heist, as well interviews with a couple of women hired to receive the stolen funds and forward the money on to fraudsters in Ukraine. This case also serves as an example of how e-mail scams can be used to dupe unknowing victims in serving as accomplices in their plan.

According to my source, who asked not to be identified because he's still investigating different sides of this case, the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.

Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives. By connecting through the victim's PC or Internet connection, the bad guys can avoid raising any suspicions.

This might be enough to fool retail banks that serve regular online banking users, but Bullitt County's bank, like many other commercial banks, use even more rigorous authentication schemes. For instance, some technologies adopted by commercial bank Web sites will use special Javascript programming techniques to look at various aspects of the customer's system -- including screen size, browser version, operating system, and a myriad other variables -- to create a unique "fingerprint" of their customers' computers. In such cases, even if criminals have hijacked a victim's Internet connection, a bank using this approach should still be able to detect that the customer is connecting from a different computer because the fingerprints won't match.

Also, the process of creating and approving outgoing wire transfers from the county's account could not be completed without two different authorized users signing off on the transaction. In the case of Bullitt County, that checks-and-balances system was designed to be carried out by the county treasurer and a local judge.

Finally, if for whatever reason the bank's system noticed that either account was being used from a PC with an unknown fingerprint, that login attempt would fail, and that user would be prompted to check their e-mail account for a special, one-time passphrase that would need to be re-entered along with the username and password, in order to gain access to the account.

According to the investigator, the attack against Bullitt County's bank account went down like this:

- The attackers somehow got the Zeus Trojan on the county treasurer's PC, and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account.

- The attackers then logged into the county's bank account by tunneling through the treasurer's Internet connection.

- Once logged in, the criminals changed the judge's password, as well as e-mail address tied to the judge's account, so that any future notifications about one-time passphrases would be sent to an e-mail address the attackers controlled.

- They then created several fictitious employees of the county (these were the 25 real-life, co-conspirators hired by the attackers to receive the stolen funds), and created a batch of wire transfers to those individuals to be approved.

- The crooks then logged into the county's bank account using the judge's credentials and a computer outside of the state of Kentucky. When the bank's security system failed to recognize the profile of the PC, the bank sent an e-mail with the challenge passphrase to an e-mail address the attackers controlled.

- The attackers then retrieved the passphrase from the e-mail, and logged in again with the judge's new credentials and the one-time passphrase. Once logged in, the crooks were able to approve the batch of wire transfers.

When asked to comment on this version of events, County Attorney Sholar said he was limited in what he could say, because the FBI had asked him not to discuss details of the case. But he did say that "We know there were initiations and approvals for wire transfers that were both generated and sent to the bank by computers that were physically located outside of the state of Kentucky."

The Role of the Money Mules - Scammed Into Serving

With the help of the cyber crime investigator, I was able to reach two of the 25 so-called "money mules" who were hired to act as intermediaries in this scam. Both were females under the age of 35 who initially were contacted after placing their resumes on Careerbuilder.com. Each received e-mails from a company calling itself Fairlove Delivery Service. Both women agreed to speak with Security Fix on the condition of anonymity.

Both were hired by Fairlove to edit documents for grammar and flow, and promised a pay of $8 for each kilobyte of data they processed (see the initial Careerbuilder scam e-mail here). The documents they were hired to edit often were full of grammatical errors and faulty or missing punctuation. Both money mules said it appeared that whoever wrote the letters was not a native English speaker.

It's not clear whether the cyber scammers first enlisted the mules as text editors in order to test their trustworthiness, or because they really needed their help making their scam letters look more believable. What is clear from looking at copies of the letters they were asked to edit, is that they were editing missives that would be sent to recruit and scam other mules. Have a look at some of those yet-to-be-edited messages sent to our anonymous mules, viewable at this link here.

The first person I spoke with, a 34 year-old woman from Miami, had been editing texts e-mailed to her by Fairlove representatives for a couple of weeks. Shortly after she inquired about when she would be paid for her work, she received an e-mail asking if she'd be interested in a position as a "local agent," for the company. The Fairlove representative who contacted her via e-mail said something about how the company often had trouble getting money to its clients overseas as quickly as they needed it, and desperately needed help speeding up that process (at least they were honest on that claim). A description of the local agent job position, as sent to this woman, is available here.

Last Thursday, she received a deposit of more than $9,900, with instructions to wire all but about $500 (her 5 percent "commission") via Western Union to a bank account in Ukraine. The woman said she began to grow suspicious that "something wasn't right about the whole thing," and only wired $3,000 of the money. After being contacted by Security Fix about the scam, she learned from her bank that her account was frozen. Her bank assured her if she could come in and produce the e-mails showing she'd been caught up in a scam, they might be able to work something out.

The second woman I spoke with, a 27-year-old single mom, also from Florida, was not so lucky. She had more than $9,700 transferred into her checking account from Bullitt County's bank by the fraudsters on Monday. She pulled nearly all of that amount out of her bank almost immediately, wiring nearly $9,200 to the scammers in the Ukraine. Shortly after that, her bank reversed the initial $9,700 deposit at the request of Bullitt County's bank. Her bank now says she is on the hook for that amount: her checking account balance is now almost $9,000 in the red.

Here are a couple of observations and tips so you don't get scammed, however obvious they may be:

- Avoid responding to job offers sent via e-mail. If you use job search Web sites like Monster.com and CareerBuilder.com, at least be aware that criminal gangs use these sites also, to recruit the desperate, unwary, and the greedy.

- If you get in bed with a company that you haven't even researched on Google, expect to regret that decision: A search on Fairlove Delivery Service returns little but page after page of complaints from other job searchers scammed by these criminals.

- Avoid clicking on links in e-mails that you are not expecting, and be particularly wary of any e-mail that warns of dire consequences unless you act or respond immediately. The malware used to infect Bullitt County's computers was part of a huge Zeus/Zbot spam campaign that has been ongoing for the past several weeks now, variously disguised as alerts about greeting cards, package tracking numbers, and security updates from Microsoft.

- The last time I wrote about money mule scams, some readers wrote in to say, in effect: "The mules were stupid: They should have just taken ALL of the money." These readers miss the fundamental point about these scams that the bad guys understand all too well: it's all about the timing. The bank will always recall the deposit. It's just a matter of when.

- Be extremely wary -- nay, run away from -- any transaction in which the other party asks you to convert a revocable transaction into an irrevocable one. Hard cash sent via Western Union, Moneygram and other wire transfer services, is an example of an irrevocable transaction: Once it's done, there's no undoing it. On the other hand, checks can be canceled, and deposits can be reversed.

By Brian Krebs  |  July 2, 2009; 5:14 PM ET
Categories:  Fraud , Safety Tips , Small Business Victims , Web Fraud 2.0  | Tags: $415000, bullitt county kentucky, zeus  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Spam Rates Recovering From 3FN Takedown
Next: Microsoft: Attacks on Unpatched Windows Flaw

Comments

If you are online, you will be hacked. I guess Bullitt County knows that now. The real story to understand here is:
1. That US IT remains a good decade behind hackers in the UKR & RU still using DOS level computers as technology tools.
2. MSFT OS is inherently insecure.
3. Smaller is better, not bigger.
4. Even outsiders loath US state governments.

Posted by: Ospatt | July 2, 2009 6:35 PM | Report abuse

I guess we don't know how the attackers somehow got the Zeus Trojan on the county treasurer's PC (presumably the county doesn't want to say and the FBI told them not to discuss details of the case anyway), but I'm curious whether that PC had security software installed, whether it was up to date, which security software can deal with the Zbot (ZeuS bot) Trojan, etc.

Posted by: yrral | July 2, 2009 7:31 PM | Report abuse

Another excellent article Brian. Thanks for the info. One of my thoughts after reading this is that one of the best ways to protect oneself (to a very great extent- although no method could be considered 100% foolproof) is to NEVER do online banking on a Microsoft Windows computer. Given that is is generally quite easy to set up a Windows computer to dual boot to linux (using Ubuntu for example, which automates the dual boot and linux install process), this seems like a relatively easy fix that would prevent ALMOST all such scam/attacks (at least at the present time and the foreseeable near term future). I, and I presume many others, would be grateful if you commented in detail on this approach (and any other which you consider effective) to preventing such problems. Certainly sounds like this approach would have prevented this case given that this scam was dependent on placing rogue software on a Windows computer, and it would not work on any other type of computer (and that typically this type of rogue software is ONLY written to run on Windows computers and ALMOST NEVER to run on a linux computers). I am looking for a highly detailed critique of the pros and cons of this approach (as well as its statistical efficaciousness), not for an opening to revisit the very excessively well worn debate about whether Microsoft is or is not (and when and/or where) a positive or negative actor/influence in the software industry.

Posted by: dfolk1 | July 2, 2009 9:49 PM | Report abuse

The article neglected to mention (maybe it went without saying)- the 'Zeus' keystroke-logging Trojan-horse is a WINDOWS virus. The Bullitt County Treasurer's decision to use a Windows machine was the essential mistake that got the whole ball rolling. Sick of viruses? Try Linux, a better operating system that is actually FREE. Check it out at http://www.ubuntu.com/ .

Posted by: hairguy01 | July 2, 2009 10:26 PM | Report abuse

@hairguy -- have you read the article? 5th paragraph of the story -- the one that talks about zeus -- clearly states this is a windows virus.

According to my source, who asked not to be identified because he's still investigating different sides of this case, the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.

Posted by: BTKrebs | July 2, 2009 10:49 PM | Report abuse

More terrific reporting from Brian.

Posted by: Dawny_Chambers | July 3, 2009 4:56 AM | Report abuse

Great article!

Another point - all users should be reminded not to leave their computers running overnight. Many users depend on their screen saver to protect their systems while gone for the night - even leaving their favorite programs running. This allows attackers "alone time" on the system.

I would like to see MS add a feature that allows the user to see which programs are utilizing the Internet connection - and how much traffic - similar to the way "Task Manager" shows CPU usage. I often notice Task Manager network traffic and wonder which program is using...

Posted by: Sadler | July 3, 2009 7:32 AM | Report abuse

@Sadler

SysInternals (now a part of Microsoft) has a utility, TcpView, downloadable for free that does show, to some extent, what processes/programs have TCP connections.
You can use the utility to close the connection if you don't think the process is legitimate.

Posted by: TwoCentsWrth | July 3, 2009 10:28 AM | Report abuse

Thx 2cents.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

A good start - now need the % of bandwidth used added...

Posted by: Sadler | July 3, 2009 11:03 AM | Report abuse

The future of "secure" computing will be the read-only operating system. Linux boot CDs are one example of how this can be done, but flash memory would be a whole lot quicker.
Computers will have an incorruptible core operating system, like a BIOS but much larger. Applications and personal settings will be loaded from USB flash drives or other removeable media; the applications will also be read-only. Files created by users will be stored online, or on the media holding their personal settings.

Microsoft needs to get on the stick and build this, or they will never catch up. Windows PE, which already operates on the Vista/Win7 core, would be a great starting point.

Posted by: williehorton | July 3, 2009 12:11 PM | Report abuse

Krebs is the only part of the Washington Post that never disappoints me!

Awesome work Brian!

I am now more motivated to set up that dual-boot system (as "dfolk1" discusses).

Posted by: sw11231 | July 3, 2009 1:13 PM | Report abuse

in June 11, 2009
I got spam with information:
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Work at home Money Manager Assistant
(part-time vacancy; 2000 usd / month):

We value your response back regarding the open vacancy Insurance Company is offering. We're currently seeking motivated and responsible individuals to attend the post of a 'Work at home Money Transfer Assitant'. This remote position itself covers a broad range of directions an individual would have to perform. It's a part time position, which let's you perform your duties directly from your home location. In the nearest future, we're planning to achieve the expansion of our company throughout the United States of America and United Kingdom, providing local offices and departments in the vast areas, where logistic and insurance services are definitely in demand. Until then, we're trying to fill in our personnel with new individuals, which will increase the efficiency of the services we're catering. If you wish to apply or have any questions regarding the position, feel free to contact me back either via e-mail. Hope to hear from you soon.

In order to reduce the corporate overhead, we've implemented the thrift solution of disseminating bases of control over certain regions of the United States of America. It provides a great opportunity for beginners to participate in the standard operations of the future subsidiary departments. Besides the expansion project, the upcoming regional accountants are expected to learn a great deal about different realms of the insurance market mainly through digesting the experience gained from the large scale practical assignments.

1) This is part time work at home position and can easily combine this vacancy with any other work.

2) The fixed salary is 2000 USD a month + 5% instantly from each payment processed by you.

3) You will receive payments (Direct Bank Deposits and wire transfers) from client within United States and send it by instant payment sistem such as Western Union. You will receive 5% of processed amount.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
To tell the truth I've almost swallowed the bait. But they didn't accept me - because my location was not USA. Remember
You cannot get something for nothing

Posted by: nikolasblack | July 3, 2009 4:54 PM | Report abuse

Typical and rather amusing how these articles elicit responses in solely placing blame on the operating system and/or its vendor/creator, and that the solution is to simply switch the operating system.

This is just disingenuous and completely fails to address the role of the operator behind the keyboard!

Posted by: xAdmin | July 3, 2009 7:58 PM | Report abuse

The real story is how US banks are a decade behind the times when it comes to security.

European banks routinely use two-factor authentication using hardware tokens, which would have defeated this and any other keylogging attack. Instead, here in America, banks have made the conscious decision to go with weak security measures, presumably because the cost of implementing strong measures outweighs their current losses.

Meanwhile, bank customers, like Bullitt County, pay the price for the banks' negligence.

Posted by: DupontJay | July 3, 2009 11:45 PM | Report abuse

At the end of the day, the big question is how did the Zeus trojan get onto the county PC.

A typical user in a work environment is only given a limited user account. You need administrator rights to install nearly all of these threats. In addition to regular patching, the sysadmin's next most important security task is to limit who can run as an administrator for daily use (answer: no one, unless you are installing or configuring software that you need for work).

And there's usually a big-name corporate anti-virus utility running in the background. Zeus is likely well-known enough that the usual Mcafee or Symantec AV should have detected it.

Finally, in a work environment, there's usually a filter,e.g. various products from Websense, to keep out known sites that are booby trapped with Zeus and other malicious software.

Did this county have no security in place at all?
Were they still running Internet Explorer 5.5 on Windows 98 SE?

Or as I suspect, the county treasurer and judge, by virtue of their high positions, were granted administrator rights to install all sorts of non-standard software. And like all curious humans, these two folks eventually clicked on something they should not have.

Posted by: taskforceken | July 4, 2009 2:20 AM | Report abuse

Ignore hairguy, people like that don't bother to read the story, they just want to spread their cult.

Any OS that has huge amounts of businesses and network users will get hacked. It's not as much about insecurity as it is about the available booty from going after it. The minute everyone goes over to a non-MS OS, it'll suddenly become riddled with holes. But that won't happen.

Posted by: myfakeid | July 4, 2009 4:17 AM | Report abuse

Let's all switch to Linux.
That way... they'll start writing viruses for Linux.

Posted by: buckdharma | July 4, 2009 5:48 AM | Report abuse

Even if you set up a limited user account and run as that user, can't the hackers simply get in your machine and hack the administrator account and then use it?

Posted by: Tojo1 | July 4, 2009 9:54 AM | Report abuse

You can't buy enough "piece of mind." This is another reason to have another piece of authentication device in place, such as an encryption keyfob or card that recycles a new passcode number every two minutes.

The issue I see here are desperate people, living in desperate times, looking to make a fast buck and someone out in Russia or wherever, is using this as using this weakness to leverage to take advantage of the banking systems that are in place.

I don't think that the people responding to the advertisements are genuinely bad people, just plain, "stuck on stupid" when it comes to information security and the use of computer systems.

Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | July 4, 2009 11:59 AM | Report abuse

@DupontJay,

It's not clear that two-factor authentication (2FA) would even have protected against this. If the hackers had a remote connection into the user's computer, they could have piggybacked on the user's legitimate connection (authenticated with a keyfob) to do their nefarious deeds. The user authenticates themselves, and they slip in the open door right after them.

------------------------------

@All the windows-haters:
It's true that Windows has lots of holes, but hackers can write viruses for Linux just as easily. If a super-user runs an attacker's program, that computer is compromised, no matter what OS is running. The problem (and security vulnerability) is the idiot behind the keyboard.

Posted by: jonsolo11 | July 4, 2009 3:01 PM | Report abuse

Two questions come to mind:

1) How did the bad guys get the judge's bank account credential?
2) How could the bad guys change the judge's email address without triggering an email sent to the judge's old email address letting the judge know his email on file with the bank has been changed to the new one at 'xxxxxxxx@xxxx.xxx" which should have raised suspicion?

Posted by: ietf2000 | July 4, 2009 3:36 PM | Report abuse

A couple of comments:

First, thanks for an important, thorough, and rather scary article.

Second, here's question that may not fall under your jurisdiction, but is nonetheless related and important. In the "good old days" one would open a checking account at a bank, deposit money, write a check, sign the check with a pen, give the check to a third party, an lo, the check would ultimately be debited from ones account, and credited to the third party. The paper check, signature and all, would physically be transferred from the third party's bank to the user's bank, and the cancelled check, bearing the user's written signature, returned to the user/check writer.

No more.

Even if one actually writes a paper check, the paper is typically discarded and the debit performed entirely electronically. There is, as far as I can tell, no verifciation of the signature even possible. Cancelled checks are not returned to the check writer. Sometimes images of the check are available to the user, but often one only sees a cryptic one line debit entry on a bank statement, containing very little useful information.

How hard, I wonder and fear, is it for these electronic transactions to be fraudulently abused, without any action on the part of the account holder?

Posted by: alexofindy | July 4, 2009 5:25 PM | Report abuse

1)Can anyone else verify @Jay Dupont's assertion that this particular scam couldn't have been run against European banks?

2) Hello!!! Seven days fr/ the beginning of the scam until someone @ the bank and/or County noticed $10,000 increments going out the door, unauthorized??? Someone(s) was asleep @ the switch!!

Posted by: featheredge99 | July 5, 2009 2:18 AM | Report abuse

This is not an OS issue, or a dumb user issue. This is an IT issue. Whomever admins the Bullitt County computers and networks dropped the ball on this one. If best practices had been followed regarding pc and network security then this probably wouldn't have happened. I doubt that the IP tunnel was using port 80, so that would imply improper configuration of ACL's on the gateway router.

Was no-one at Bullitt County IT monitoring network traffic logs? Does the county, or a bank in Kentucky, need to provide access to IP domains in the Ukraine? Considering how much malware is coming out of Ukraine, I would be tempted to block the whole country's domains at the firewall. Not to mention a few other countries that look the other way regarding Internet based criminal activities.

Linux is not immune to hacks and server hacks are the most worrisome. A quick web search shows several instances. Fedora and Red Hat servers were compromised on Aug. 22, 2008. SquirrelMail's server was hacked on June 16, 2009. Check out the advisories on LinuxSecurity dot com or the National Vulnerability Database at web.nvd.nist.gov. Take a look at Cyber Security Bulletin SB09-180 at US-CERT. How about CVE-2009-1886 for Samba? There are also some serious php issues.

No OS or network is completely secure. When there's a financial incentive, people will find a way. In the end, it's usually the consumer that ends up assuming all the liability and foots the bill.

Posted by: Hoku1 | July 5, 2009 4:10 PM | Report abuse

WOW BRIAN

This was quite a write up with a number of very interesting comments for sure.

Once again, for whatever it is worth, letters like the one copied verbatim offering 'on line' employment SHOULD BR FORWARDED to
------------------
washington.field@ic.fbi.gov
-------------------

Unlike the original IC referrals of some years ago, one is not automatically transferred to a lengthy fill in form.

NOTHING more is involved that the actual forwarding itself.

Posted by: brucerealtor@gmail.com | July 5, 2009 10:21 PM | Report abuse

Nice Article.

I think a lot of folks started slamming the OS as the culprit to this problem. I don't disagree but small county governments... well are small and going to implement Windows one way or another. When I read this the real flaw or where a lot of this could have stopped was at the banks end. I mean what kind of retard approach to security allowing them to change the password and email at the same time and all that junk about fingerprinting systems and making sure its from the same geographic IP that's just lazy stupid security. I'm not saying it couldn't help but it is not a second or third factor of authentication.

No matter what OS your running there's going to be hacks and if you got a keylogger on there you up a creek without a paddle. The only thing that might save your bacon is a 2nd factor such as a security token.

Paypal got one for 5 bucks... There system isn't very well implemented but hey its an attempt. (Has a 6 digit number that changes every 30 seconds)

Bank of America has a card you can buy for like 20 bucks.

I mean governments or anybody having nearly a half million dollars in an account is an idiot for not implementing multiple layers of authentication.

Posted by: dward__ | July 6, 2009 12:33 PM | Report abuse

I agree completely with the above commentary by dward__ ...

The plain fact is that the large amount of money being held, contrasted with the actual security measures in place, were woefully out of balance. It is like carrying a small amount of auto insurance on a very expensive automobile that is known to be of great interest to auto thieves ... there is so much more that could have been done to provide additional security.

Sorry, techies ... much as you wish it were, the reality is that it is NOT a matter of this OS versus that OS ... this fixit-patch versus that fixit-patch ... etc., etc.

IT ALL BOILED DOWN TO A LACK OF COMMON SENSE ... on the part of the people responsible for safeguarding the money ... as well, of course, as the "mules" so easily conned into helping steal it.

Posted by: db16 | July 6, 2009 1:13 PM | Report abuse

It is ignorant to suggest that online banking shouldn't be done on a Windows OS PC. Millions of people do online banking with Windows based machines - Windows based machines are even used within financial institutions and 3rd party payment processors. There are firewall and anti-virus services to prevent issues like this. Unless this was some zero-day exploit using a new variation of zbot that isn't detected by standard anti-virus applications, standard preventive measures should have sufficed. As others have pointed out, no OS is immune and proper administration of the network and PCs by trained IT personnel should have been sufficient to prevent this (assuming that these are not notebook PCs that were infected while on foreign networks). It would be interesting to know if the computers were notebook PCs that were used out of the office, what version of the OS, what anti-virus, etc. My experience with municipalities is antiquated technology managed by poorly trained personnel and significantly underfunded IT budgets, which is a recipe for disaster.

I was curious as to what level of social engineering took place here, since the two key people needed to authorize the transfers had infected machines from the same hackers. Seems like that was more than just dumb luck for the hackers.

Posted by: trash3 | July 6, 2009 5:37 PM | Report abuse

I'm going to make a guess here but it seems too much had to fall in place. I think that there were SOPs on the server that described the procedure for bank transfers. The crooks used a directory to locate the target individuals. They could then send e-mails from person to person saying check this link out or plant the software on the server.

Posted by: Beacon2 | July 6, 2009 7:32 PM | Report abuse

"Typical and rather amusing how these articles elicit responses in solely placing blame on the operating system and/or its vendor/creator, and that the solution is to simply switch the operating system."

If one bothered to actually read closely, the attack vector is Windows. This break-in would not have been possible without the security holes in Windows that the thieves took advantage of.

Learn more about OS security. In particular check out the SELinux security system built in to Linux which closes off the possibility of hacks like this.

Posted by: frantaylor | July 7, 2009 7:58 PM | Report abuse

An argument is made that Windows is the primary target due to its market share. Let's destroy this argument:

On the server, Linux market share is 50%. As the servers get bigger and bigger, Linux is more and more prevalent. At the very high end, it's almost all Linux.

These machines hold sensitive information for hundreds of thousands, or even millions of users. It's all up for grabs if the system is compromised. The temptation is ENORMOUS: you can break into one Windows machine and steal one person's data, or you can break into one Linux server and steal 100,000 users.

So why do hackers bother with the nickel-and-dime stuff when they could be really making the big score? There is only one answer. It's because the hackers can get into the Windows systems, and they can't get into the Linux ones.

Posted by: frantaylor | July 7, 2009 8:22 PM | Report abuse

I can't believe the people making the decisions to go with Microsoft can't be held criminally liable. Microsoft's software is well known badware. It restricts the rights of users, forwards information about its users to Microsoft (spyware), and is negligent in providing security updates and remotely acceptable default security settings. Not to mention Microsoft has a monoply that should be frowned upon by government and has repeatedly been determined illegal by multiple governments. While a monoply is not illegal in and of itself Microsoft's actions are.

Posted by: jood1 | July 8, 2009 2:28 AM | Report abuse

Ohh- and I almost forgot. I'd second the county switch to Ubuntu or another GNU/Linux distribution. GNU/Linux works- and even if it costs them money to switch it is a solid short to medium term investment that pays off relatively quickly. Most of the people I know using it seemed to switch without any issues - at least not in comparison to those I know who've moved to Vista.

Posted by: jood1 | July 8, 2009 2:30 AM | Report abuse

The IT security was one problem.
The Bank security is another problem.
The people behind the screens were the one big problem.

But you know what could have made this so much easier to deal better would be?

Make the bank accounts revocable transfers only, and only to be transferred to other banks. That way any transfer could be revoked at any time necessary and quickly. And this would not have been s a big problem as it was.

Posted by: ryansa09 | July 8, 2009 2:06 PM | Report abuse

Oh yeah another thing OS is not the thing here. It is mainly the people in charge. Even a Linux system could be compromised if a It inept person was to install some malware as the System Administrator. Ubuntu makes the one user basically a system admin right off the bat. So this distro is just as bad as windows when put to social engineering cracking attempts.

Posted by: ryansa09 | July 8, 2009 2:10 PM | Report abuse

You Linux cultists need to chill out. First, clearly the individual PC's were not properly secured. Not a fault of the OS itself but those managing it. Second, and more alarming, there is something horribly wrong with their entire network security. The article stated that the hackers not only had complete control of the individual PC's but also had admin rights and direct control into the email system (changing the Judge's SMTP address and creating 25 new addresses). Possibly the user directory depending on what email system they use (Exchange and AD for example). There has to be more to this story than what is being told.

Posted by: cfricke | July 9, 2009 1:31 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company