$100 million cyber theft from Bangladesh Central Bank

By Cyber SecurityNo Comments

The cyber theft of $100 million from the Bangladesh Central Bank – by way of the New York Federal Reserve – is the largest bank theft to date.

The cyber theft of $100 million from the Bangladesh Central Bank - by way of the New York Federal Reserve - is the largest bank theft to date

On February 5, the New York Fed was allegedly “penetrated” when “hackers” (of supposed Chinese origin) stole $100 million from accounts belonging to the Bangladesh central bank.

The money was then channeled to the Philippines where it was sold on the black market and funneled to “local casinos” (to quote AFP). After the casino laundering, it was sent back to the same black market FX broker who promptly moved it to “overseas accounts within days.”

The whole situation was quite embarrassing for the NY Fed, because what happened is that someone in the Philippines requested $100 million through SWIFT from Bangladesh’s FX reserves, and the Fed complied, without any alarm bells going off at the NY Fed’s middle or back office.

“Some 250 central banks, governments, and other institutions have foreign accounts at the New York Fed, which is near the centre of the global financial system,” Reuters notes. “The accounts hold mostly U.S. Treasuries and agency debt, and requests for funds arrive and are authenticated by a so-called SWIFT network that connects banks.”

As it turns out there is much more to the story, and as Bloomberg reports today now that this incredible story is finally making the mainstream, there is everything from casinos, to money laundering and ultimately a scheme to steal $1 billion from the Bangladeshi central bank.

And yes, it does appear that hackers managed to bypass the Fed’s firewall:

“Even as banks continue to harden their defenses against such sabotage, hackers too have upped their game to breach servers by utilizing both technical skills and rogue elements within the financial institutions,” said Sameer Patil, an associate fellow at Gateway House in Mumbai who specializes in terrorism and national security.

A Bangladesh central bank official who is part of a panel investigating the disappearance of the funds said that a separate transfer of $870 million had been blocked by the Fed, something the Fed refused to comment on. It does not, however, explain why $100 million was released.

Essentially the dispute is about whether the Fed went through the right procedure when it received transfer orders.

Naturally, the Fed’s story is that it did nothing wrong. Bloomberg writes that according to a Fed spokeswoman, instructions to make the payments from the central bank’s account followed protocol and were authenticated by the SWIFT codes system. There were no signs the Fed’s systems were hacked, she said.

The problem is that the counterparty on the other side of the SWIFT order was not who the Fed thought, and what should have set off red lights is that the recipients was not the government of the Philippines but three casinos.

Bangladesh is quite understandably – furious: a local official said the Fed should’ve checked the payment orders with the central bank to ensure they were authentic, even if they used the correct SWIFT codes. The official also said there are plans to take legal action against the Fed to retrieve missing funds.

Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation.

Hackers misspelled “foundation” in the NGO’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction, one of the officials said.

Luckily, the Fed stopped some of the $1 billion in total requested funds. The unusually high number of payment instructions and the transfer requests to private entities – as opposed to other banks – raised suspicions at the Fed, which also alerted the Bangladeshis, the officials said. The details of how the hacking came to light and was stopped before it did more damage have not been previously reported.

The transactions that were stopped totaled $850-$870 million, one of the officials said. At least $80 million made it through without a glitch.

The funds were used to buy casino chips or pay for losses at venues including Bloomberry Resorts Corp.’s Solaire Resort & Casino and Melco Crown Philippines Resort Corp.’s City of Dreams Manila, according to the paper. There was no suggestion in the report the banks or casinos named were complicit with any improper movement of funds.

In other words, the Fed was funding gamblers, only these were located in Philippine casinos, not in the financial district. Ironically, that’s precisely what the Fed does, only it normally operates with gamblers operating out of Manhattan’s financial district.

From: http://www.bloomberg.com/news/articles/2016-03-16/printer-error-set-off-bangladesh-race-to-halt-illicit-transfers

Cyber crime is fastest growing economic crime

By Cyber SecurityNo Comments

Cyber crime is up 20% since 2014 and is the fastest growing economic crime, according to PricewaterhouseCoopers’s (PWC) latest biennial Global Economic Crime Survey.

Cyber crime is up 20% since 2014 and is the fastest growing economic crime, according to PWCThe UK has seen a double digit rise in economic crime against corporates in the past two years, with 55% of organisations affected – up 11% since 2014 and well above the US (38%) and China (28%).

The survey found that 60 % of economic crime in the UK was committed by external perpetrators, up from 56% in 2014. While there was a decline in economic crime perpetrated by employees (31%), there was an 11% increase in fraud committed by senior management to 18%.

“While the prevalence of traditional fraud – such as asset misappropriation – has fallen since 2014, there has been a huge rise in organisations reporting cyber crime, with technology driving almost every other area of economic crime,” said Andrew Gordon, PwC’s global and UK forensics leader.

“Businesses need to minimise the opportunities for economic crime through rigorous fraud risk assessment, supported by a culture based on shared corporate values, robust policies and compliance programmes,” he said.

Some 44% of UK organisations that experienced economic crime in the past two years were affected by cyber incidents, a jump of 20% from 2014 and 12% greater than the global response of 32%.

The rise of cyber crime, the report said, is in stark contrast with some of the traditional forms of economic crime, including asset misappropriation and procurement fraud, which have declined.

Just over half of UK organisations say they expect to be the victim of cyber crime in the next two years, suggesting it will become the UK’s largest economic crime.

Global corporate intelligence leader at PwC Mark Anderson said cyber attackers are now more ambitions than ever.

“Their aim goes beyond targeting financial information to include a company’s ‘crown jewels’ – customer data and intellectual property information, the loss of which can bring down an entire business,” he said.

“The threat of cybercrime is now a board level risk issue, but not enough UK companies treat it that way.”

UK respondents say the greatest concern about a cyber attack is the potential disruption to services, with 31% saying it would have a medium to high impact.

Surprisingly, almost half say that cyber crime would have no effect on their reputation, and almost 60% are not concerned about the potential for theft of intellectual property.

The strong shift towards more senior and experienced employees carrying out corporate fraud in the UK should be of particular concern, the report said, because senior management fraud is often more difficult to detect and prevent, and usually has a much greater effect on an organisation.

While those in middle management remained the most responsible for economic crime (36%), half the instances committed by staff in the UK involved employees over the age of 40, and the number carried out by staff over the age of 50 tripled from 6% to 18%.

The survey found that 45% of internal fraudsters had worked for more than five years in the organisation they defrauded and 21% had more than a decade of service.  In contrast, the number of junior staff carrying out economic crime has fallen since 2014 from 45% to 28%.

While the majority (86%) of UK organisations have formal business ethics and compliance programmes in place, far fewer (63%) back up these rules with regular training and communication.

Financial services companies are set to be the biggest spenders on compliance in the UK in the next two years, while compliance budgets for other industries are under pressure as they face demands to do more with less, according to the survey.

The survey also found that 20% of UK organisations say they have never performed a fraud risk assessment, while 44% do so annually. Some 5% of respondents say they have been asked to pay a bribe in the past 24 months, while 7% feel they lost a business opportunity to a competitor who was willing to pay it.

More than a fifth of frauds were detected through suspicious transaction monitoring, 14% through fraud risk management, 8% through data analytics, 8% through internal audit and 8% through accidental discovery.

UK businesses expect cyber attacks to cost £1.2 million

By Cyber SecurityNo Comments

Half of UK businesses expect to be hit by a cyber attack and that recovery costs will be £1.2 million or more.

Half of UK businesses expect to be hit by a cyber attack and that recovery costs will be £1.2 million or more.This is the highest figure globally, according to the Risk:Value 2016 report by information security and risk management company NTT Com Security.

The report is based on a survey of business decision-makers in the UK, the US, Germany, France, Sweden, Norway and Switzerland.

Although about 50% of UK respondents said information security was vital to their organisation and agreed it was good practice, 20% admitted that poor information security was the single greatest risk to the business, ahead of decreasing profits (12%), competitors taking market share (11%) and on a par with lack of employee skills (21%).

Well over half (57%) agreed that their organisation would suffer a data breach at some point, while only one third disagreed and one in 10 said they did not know.

They expected recovery from a cyber attack to take an average of two months, and they anticipated a 13% drop in revenue, on average, following a breach.

The survey showed that recent high profile data breaches are starting to hit home, with organisations spending 11% of their IT budgets on information security, up from 10% the previous year.

However, nearly a quarter of the UK businesses surveyed revealed that more is spent on human resources than on information security.

Detailing remediation costs following a security breach, the report said respondents indicated that they expected 18% to be spend on legal fees, 18% on fines or compliance costs, 17% on compensation to customers, and 11% on third-party remediation.

Other anticipated costs included PR and communications (14%) and compensation paid to suppliers (12%) and to employees (11%).

According to the report, the vast majority of UK respondents admitted they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%), as well as direct financial loss (41%). More than one-third of decision-makers (34%) expected to resign or expected another senior colleague to resign because of a breach.

The study found that although only 41% of UK organisations have a disaster recovery plan in place and only 40% have a formal security policy, in both cases almost half are in the process of implementing or designing one.

In terms of responsibility for managing a company’s recovery plan, 15% of respondents said the CEO now has responsibility, although it still largely falls to the chief risk officer, chief information officer or chief security officer.

While 77% agreed it is vital that their business is insured for security breaches, only 26% have dedicated cyber security insurance – but 38% are in the process of getting a policy.

One in five UK respondents said they did not know if their organisation had any type of insurance to cover for the financial impact of data loss or an information security breach.

SME’s poor security practices targeted by ransomware

By Cyber SecurityNo Comments

SME’s poor security knowledge and practices are being targeted by ransomware.

SME's poor security knowledge and practices are being targetted by ransomware.It is important not to underestimate the scale of ransomware attacks or to believe that you are safe if you are not a Microsoft user, as the first attacks on Android devices were identified in 2011.

According to one industry report, the number of cyber ransomware attacks increased in 2014 by more than 4,000%, with small to medium sized enterprises (SMEs) being the main target due to poor security practices.

On the technical side, we can have spam, malware and bad URL detection engines or services that can be installed in networks – generally as part of an internet security appliance or firewall – rather than individual boxes installed in front of email servers.

The reason we would want such protection as part of the general internet connection is to provide protection for email, browsing and other internet related operations such as file transfer and remote access.

There are also a number of very good commercial cloud based email spam, malware and URL detection services available. These are well worth a look for smaller enterprises that must consider costs of ownership, support and overall effectiveness.

Even with the best spam, malware and URL detection services, some emails that could form the start of a ransomware attack may get through. These emails contain a URL link that, when clicked, will take the user’s web browser to a website that will attempt to download the ransomware.

These emails could not have been detected as malicious for a number of reasons, such as the URL being too new to have been identified as malicious; the patching or updating of an onsite box being out of date; or the URL pointing to a perfectly legitimate website that has been compromised in preparation for a watering hole attack.

The rise in legitimate websites being compromised for the purposes of executing watering hole attacks as a way of delivering malware – including ransomware – means enterprises need to add malware detection to web browsing activities.

Protecting against a ransomware attack

Having got the technical side sorted according an enterprise’s risk appetite and budget, what else can be done to help protect against a successful ransomware attack?

Staff awareness training and regular follow up initiatives are key. It is important to make staff aware that unexpected emails – even from known sources – are suspicious, particularly those that require a URL link to be activated.

If all else fails and a ransomware attack is successful, then having access to good, well-tested backups with at least one copy that is held off network will be vital in service restoration. Note that the off network backup itself should not be used as is, but copied. The copy should then be used to bring the network back, which will protect the good backup from being compromised.

TalkTalk lost 100,000 customers after cyber attack

By Cyber SecurityNo Comments

TalkTalk has admitted that is has lost 101,000 customers since it’s cyber hacking which saw the personal information of 155,000 people compromised.

TalkTalk has admitted that is has lost 101,000 customers since it's cyber hacking which saw the personal information of 155,000 people compromised.The breach shut down TalkTalk’s sales operation for some time and substantially affected its ability to bring on board new customers and upsell mobile, broadband and TV services, it said.

These sales channels took longer than expected to come back online, with full functionality not being restored to its mobile services sales operation until January 2016.

The inability to sell anything meant that TalkTalk saw fewer net customer adds, which, in addition to the high customer churn, had an impact on the headline figure, it said.

The communications service provider (CSP) disclosed the figures in its latest quarterly trading update, in which CEO Dido Harding said it was encouraging to see the business getting back to normal after a period dominated by the breach.

“Our customers have responded well, with almost half a million choosing to take up our unconditional offer of a free upgrade,” said Harding.

“Both churn and new connections recovered during December and January and independent external research has revealed that customers believe we acted in their best interest.

“In fact, trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.”

TalkTalk estimated the trading impact of the breach at £15m, and said it now looked like the incident would incur exceptional costs of £40-45m, substantially more than it had previously forecast.

These costs include restoring its online capability with fit-for-purpose security measures in place, associated IT costs, incident response and consultancy costs, and free upgrades.

TalkTalk reiterated its confidence in its long-term outlook, and said it saw regulatory opportunities ahead that could support growth in its fixed line and mobile business.
Losing confidence

It is possible that the true number of customers lost was higher than TalkTalk claimed because it was counting net additions in its figures- as such the total loss could be as high as 250,000.

Phishing cyber fraud up 21% reports police fraud unit

By Cyber SecurityNo Comments

Cyber fraud linked to social engineering phishing attacks has increased by 21% in a year according to the City of London Police’s National Fraud Intelligence Bureau (NFIB).

Cyber fraud linked to social engineering phishing attacks has increased by 21% in a year according to the City of London Police’s National Fraud Intelligence Bureau (NFIB)Social engineering phishing is a non technical method of intrusion used by cyber criminals that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.

Typically, the aim is to trick people into malware laden email attachments or to divulge sensitive information that can be used to steal information and credentials to commit fraud.

The harvesting of account and login information is known as phishing and can happen through fake emails, phone calls, texts or social media posts.

Phishing attacks frequently involve piecing together information from various sources- such as social media and intercepted correspondence, to appear convincing and trustworthy.

The most common themes for contacting potential victims are an update to BT account details, an iTunes invoice and a tax refund.

Others themes include Tesco vouchers, Apple ID, accident injury claim, invoices, suspended bank and credit card accounts, and Sky services upgrades.

According to the government backed GetSafeOnline campaign, cyber criminals have become increasingly sophisticated in their attacks, with more than 95,500 phishing scams reported in the 12 months up to October 2015.

Research by GetSafeOnline reveals that 26% of victims of online crime have been scammed by these types of social engineering emails or phone calls.

According to the research, 29% of reported phishing emails contained a potentially malicious link that could infect a victim’s computer with malware, 17% requested a reply and 15% requested personal information.

The research notes that although the number of emails with malicious links is decreasing, requests for money transfers are on the rise.

In response to these findings, GetSafeOnline has launched an advertising campaign to warn of the dangers of social engineering, in partnership with Barclays, NatWest, Royal Bank of Scotland, Lloyds, Halifax, Bank of Scotland, City of London Police, anti-fraud organisation Cifas and Financial Fraud Action UK (FFAUK).

Phishing attacks are the most popular causes of data breaches in the enterprise. Phishing attacks on mobile devices are increasing as adoption of internet connected mobile devices and services grows.

Tony Neate, chief executive of GetSafeOnline, said social engineering is becoming ever more targeted and personal.

“What is worrying, however, is the complex nature of these scams and how they tap perfectly into feelings that make us panic,” he said. “If you get an email purporting to come from someone we trust, such as our bank, about something that is emotive to us all, like money, and then demand that we act urgently, it’s almost like the perfect storm.”

The newly launched advertising campaign aims to encourage people to think twice before they act and not to let panic override common sense.

The campaign highlights the importance of having strong passwords or pass codes to secure devices, and ensuring that all software and apps are up to date.

Research shows that email is the most popular channel for phishing, accounting for 77% of all reported incidents, followed by phone calls, making up 12% of incidents.

Cybercrime and cyber security tops business worries for 2016

By Cyber SecurityNo Comments

Cybercrime and cyber security tops business worries for 2016.

Cybercrime and Cyber security tops business worries for 2016This year, cybersecurity will be the main issue worrying global business, firms say, and it will become more critically important as the internet of things takes off and our world becomes ever more mobile and connected.

Lawyers, accountants, digital agencies, research analysts, telecoms and tech firms all gave the BBC’s Technology of Business their views on what the key tech trends were likely to be in 2016.

Here’s a summary of the Top 10 tech trends affecting business in 2016 that emerged:

  1. Cybercrime and a renewed emphasis on cybersecurity
  2. The internet of things and the development of the hyper connected world
  3. Real time data analytics, not intuition, driving business decisions
  4. New data protection laws forcing firms to rethink compliance strategies
  5. Artificial intelligence and robotics replacing repetitive tasks
  6. Smartphones becoming the primary tool for almost everything
  7. More business applications for virtual and augmented reality tech
  8. Increased personalised and in-store location-based marketing
  9. Drones to be allowed to make deliveries and perform other public tasks
  10. Established businesses to face increased competition from start-ups

Allowing customers’ data to be stolen by hackers is not good for business, firms are finally realising. It damages corporate reputations and erodes the public’s “comfort with sharing their data”, says Rashmi Knowles of cybersecurity company RSA.

But the worrying news is that breaches are inevitable, warns Geoff Smith of Experis, while a shortage of skilled cybersecurity professionals is likely to push up the costs of beefing up defences and dealing with attacks.

On top of this, new European data protection laws coming into effect in 2018 will see a “dramatic increase in fines” for data breaches, says James Mullock of law firm Bird and Bird, forcing firms to reassess their compliance procedures this year. Dedicated Data Protection Officers reporting to the board would be “a sensible measure”, he says.

Ransomware is opening up new income for cybercriminals.

Several security experts are forecasting an increase in ransomware attacks, whereby criminals hack into your system, encrypt your data and then demand a ransom before they decrypt it.

“The ransomware arms race will come to the fore in 2016,” says Hitesh Sheth, chief executive of Vectra Networks. “The threat will take on a new, larger role by concentrating attacks on enterprises, holding critical assets hostage in return for even bigger money.”

Other experts warn that the growth of mobile payments systems will offer new opportunities for hackers, while others think criminals will increasingly target employees, suppliers and contractors as a way of infiltrating corporate systems.

Gadgets and objects wirelessly transmitting sensor data to each other and central computers will accelerate in 2016, many believe, leading to a host of new applications – and a host of new cybersecurity threats.

Internet of Things (IOT) cybersecurity concerns will also loom large in 2016.

This new world of “connected everything”, says Tudor Aw, head of technology sector at consultancy KPMG, “should finally see real momentum in 2016”, from connected cars recording driver behaviour data for insurance purposes, to smart watches and other wearables delivering health data and even initial diagnoses.

And all the data that these connected things generate will be stored, analysed and translated into practical insights using real-time analytics, enabling companies to “move beyond just quickly responding to changing customer needs, to actually anticipating those changes,” says Andy Lawson, managing director at Salesforce UK.

But many warn that greater connectivity means more points of entry for hackers constantly on the look out for weak points in any network.

TalkTalk hack to cost up to £35 million

By Cyber SecurityNo Comments

The cyber attack on TalkTalk could cost it up to £35 million the company has said.

TalkTalk hack to cost up to £35 millionFollowing the hack- which divulged some users’ financial details, all customers of the telecoms group will be offered a free upgrade.

Chief executive Dido Harding said that despite the hack, TalkTalk was “well positioned to deliver strong and sustainable long-term growth”.

The firm expects still full year results to be in line with market expectations.

TalkTalk shares had jumped more than 13% by the close of trade on Thursday- but were still down more than 20% compared with their pre-hack value.

Speaking to the BBC, Ms Harding said: “The estimated one-off costs are between £30 million and £35 million – that’s covering the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that over the last three weeks until yesterday our online sales sites have been down, so there will be lost revenue as a result.”

She added that in recognition of the uncertainty that this had caused customers, they would be offered an upgrade.

A spokesperson said the type of upgrade offered would depend on the kind of package customers already had. For example, customers with TV packages might be offered a sports channel that they did not already have.

Customers who were financially affected directly will be free to leave TalkTalk without financial penalty. They would have to be able to show they had lost money as a result of the hack.

Customers who wish to leave for a different reason – for example, if they feel their data is not secure – would still have to pay a contract termination fee.

However Talk Talk’s offer to it’s customers is very limited

Some of TalkTalk’s millions of customers might have been angry enough to try to terminate their contracts when the telecommunications company first revealed details of a major data security breach last month.

But, with contracts for mobile, fixed line, broadband and television services of up to two years (always worth looking at those few lines at the bottom of the paperwork) customers found they couldn’t leave TalkTalk without incurring hefty costs.

When Dido Harding, the chief executive, first announced that customers would only be able to leave if they could show a “direct impact” on their bank account – a pretty high bar – investors heaved a sigh of relief and TalkTalk’s share price bounced up.

More than 15,600 bank account numbers and sort codes were stolen. Four people have been arrested and bailed in connection with the hack.

Ms Harding told the BBC that it was “too early to tell” what the longer term impact of the breach would be on the business.

Heartbleed attacks US banks

By Cyber SecurityNo Comments

US banks have been the victim of hacking and attacked by the heartbleed cybervirus.

US banks have been the victim of hacking and attacked by the heartbleed cybervirus
In April 2014 the cybersecurity world was shocked by the discovery of Heartbleed- the name given to a vulnerability found in one of the systems we use to securely communicate over the internet.

In this hack – which investigators are calling the largest theft of consumer data from financial institutions ever – the Heartbleed bug was exploited to gain access to “Victim 2”, an as-yet unnamed financial firm headquartered in Boston.

But it’s just one angle to this enormous attack.

The real damage appears to have been done with some social engineering, executed in a way that shows just how difficult it is to defend against determined cybercriminals.

According to investigators, hackers gained access to various networks belonging to JP Morgan and six other financial institutions, scraping personal data they would then use to manipulate stock prices.

The three indicted men – Israelis Gery Shalon and Ziv Orenstein and American Joshua Samuel Aaron – were conducting “security fraud on steroids”, prosecutors say.

Another man, Anthony Murgio, was charged over running an illicit operation trading virtual currency Bitcoin.
Targeted mail

This is how prosecutors say Heartbleed functioned.

The hacking technique often involved using legitimate accounts belonging to Joshua Aaron.

Using this legitimate access, as if Mr Aaron was a normal customer, paved the way for the hackers to gain access to networks and systems containing reams of data about other customers – people who were investing in stocks.

Over the course of several years, they stole personal data on more than 100 million people. The hackers didn’t access bank details. They didn’t need nor want them.

Investigators said the hackers used the personal details to send out information to bosses’ email addresses, promoting certain stocks that hackers had bought cheaply. The price would rise, and the hackers would then sell off their now very valuable shares.

It’s a technique known as “pump and dump”.

The hackers were said to be using a remote server in Egypt to access the network of “Victim 3” – a financial services firm based in Omaha, Nebraska.

The remote server, which covered the accused’s real location, was used to log in to Mr Aaron’s account with Victim 3.

When info-security staff at the firm noticed the odd sign-in location, it locked Mr Aaron’s account. Good security practice.

But, according to the court papers: “Aaron called Victim 3 and, upon being notified that his account had been locked and asked by a customer service representative whether Aaron had been traveling in Egypt in March 2014, Aaron lied to the representative, and claimed that he had been in Egypt.

“In truth and in fact, and as Aaron well knew, Aaron had not been in Egypt and was merely attempting to convince Victim 3 to allow Aaron and his co-conspirators to access Aaron’s account online in furtherance of their efforts to hack into Victim 3.”

For banks – indeed any big company online – there’s a constant balance between making a system as secure as possible, but not locking it down so much that its frustrating for normal customers to use.

But that’s not all these men are accused of doing. According to the court papers, the men were involved in a myriad range of online crime.

As well as the stock manipulation, and running a Bitcoin trading platform to help launder the cash, the men were said to be running illegal online casinos, selling fake antivirus software and – that age old internet scam – offering the purchase of pharmaceuticals.

All of this added up to an alleged haul of £75 million which they kept in bank accounts in Switzerland.